[Samba] Permissions at the top of a Samba share

🦏 Peter Rindfuss peter.rindfuss at wzb.eu
Tue Aug 27 08:58:33 UTC 2019


On 2019-08-26 at 16:35, Rowland penny via samba wrote:
> On 26/08/2019 15:20, 🦏 Peter Rindfuss via samba wrote:
>> Hi,
>>
>> I have a question regarding permissions at the top of a share as seen
>> from a Windows 10 client.
>>
>> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
>> one AD controller and one file server.
>>
>> The top directory of our main share on the file server has, on the Linux
>> level, these permissions reported by getfacl:
>> # file: ...
>> # owner: root
>> # group: domain\040users
>> # flags: ---
>> user::rwx
>> group::r-x
>> other::---
>>
>> i.e. there are no rights for "other" and no default entries in the Posix
>> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
>>
>> getfattr -d -e hex -m - ...
>> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
>> "user.SAMBA_PAI="
>>
>> The Windows security editor, however, has two entries for "Everyone":
>> Allow Everyone None    'This folder only'
>> Allow Everyone Special 'Subfolders and files only', the special rights
>> being read permission.
>>
>> I am wondering where the read permission for 'Subfolders and files only'
>> comes from as there is no trace of this on the Linux side.
>>
>> Thanks, Peter
>>
> Have you tried: getfattr -n security.NTACL -d /the/top/directory
> 
> You have to explicitly ask for it.
> 
> Unfortunately, you will not understand the output, so try this as well:
> 
> samba-tool ntacl get /the/top/directory --as-sddl
> 
> Rowland
> 
> 
> 

Thanks for your reply. The getfattr -d -e hex -m -  (note the minus sign
after the -m) does retrieve all existing attributes, including
security.NTACL. It is simply not there at the share's top level. It is
there for the subdirectories.
getfattr -n security.NTACL -d /the/top/directory says
/the/top/directory: security.NTACL: No such attribute

samba-tool ntacl returns
O:S-1-22-1-0G:DUD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;DU)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
which is probably what I see in the Windows security tab. But what is
this derived from?

Peter
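
The SDDL string quoted in the message above, decoded ACE by ACE so it can be compared with the entries the Windows security editor shows. This is an added example, not part of the original post and not Samba code; it only decodes the string and does not say where Samba derives it from. The function names and lookup tables are assumptions of the example, and only hex rights (as in the quoted output) are handled.

```python
import re

# SDDL string copied from the samba-tool output quoted in the message.
SDDL = ("O:S-1-22-1-0G:DUD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;DU)"
        "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
        "(A;OICIIO;0x001200a9;;;WD)")

SIDS = {"DU": "Domain Users", "WD": "Everyone",
        "CO": "Creator Owner", "CG": "Creator Group"}
TYPES = {"A": "Allow", "D": "Deny"}
# Only the masks that occur in the string above are named.
MASKS = {0: "None", 0x001f01ff: "Full control", 0x001200a9: "Read & execute"}
# (OI, CI, IO) -> "Applies to" wording of the Windows security editor.
SCOPE = {(False, False, False): "This folder only",
         (True, True, False): "This folder, subfolders and files",
         (False, True, False): "This folder and subfolders",
         (True, False, False): "This folder and files",
         (True, True, True): "Subfolders and files only",
         (False, True, True): "Subfolders only",
         (True, False, True): "Files only"}

def sid_name(sid):
    # S-1-22-1-<uid> is Samba's SID form for a Unix user id.
    if sid.startswith("S-1-22-1-"):
        return "Unix uid " + sid.rsplit("-", 1)[1]
    return SIDS.get(sid, sid)

def parse_sddl(sddl):
    """Return (owner, group, [(type, trustee, rights, applies_to), ...])."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout")
    owner, group, _dacl_flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: " + body)
        ace_type, flags, rights, _obj, _inh_obj, sid = fields
        flagset = set(re.findall("..", flags))      # two-letter ACE flags
        key = ("OI" in flagset, "CI" in flagset, "IO" in flagset)
        mask = int(rights, 16) if rights else 0     # empty rights field = 0
        aces.append((TYPES.get(ace_type, ace_type), sid_name(sid),
                     MASKS.get(mask, hex(mask)), SCOPE.get(key, flags)))
    return sid_name(owner), sid_name(group), aces

if __name__ == "__main__":
    owner, group, aces = parse_sddl(SDDL)
    print("owner:", owner, "| group:", group)
    for ace in aces:
        print("%-5s %-14s %-15s %s" % ace)
```

The third and sixth ACEs are the two "Everyone" rows from the Windows security tab: an empty mask on the folder itself, and an inherit-only (OICIIO) read-and-execute entry for subfolders and files.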





