[Samba] Permissions at the top of a Samba share

🦏 Peter Rindfuss peter.rindfuss at wzb.eu
Tue Aug 27 08:58:33 UTC 2019

Am 2019-08-26 um 16:35 schrieb Rowland penny via samba:
> On 26/08/2019 15:20, 🦏 Peter Rindfuss via samba wrote:
>> Hi,
>> I have a question regarding permissions at the top of a share as seen
>> from a Windows 10 client.
>> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
>> one AD controller and one file server.
>> The top directory of our main share on the file server has, on the Linux
>> level, these permissions reported by getfacl:
>> # file: ...
>> # owner: root
>> # group: domain\040users
>> # flags: ---
>> user::rwx
>> group::r-x
>> other::---
>> i.e. there are no rights for "other" and no default entries in the Posix
>> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
>> getfattr -d -e hex -m - ...
>> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
>> "user.SAMBA_PAI="
>> The Windows security editor, however, has two entries for "Everyone":
>> Allow Everyone None    'This folder only'
>> Allow Everyone Special 'Subfolders and files only', the special rights
>> being read permission.
>> I am wondering where the read permission for 'Subfolders and files only'
>> comes from as there is no trace of this on the Linux side.
>> Thanks, Peter
> Have you tried: getfattr -n security.NTACL -d /the/top/directory
> You have to explicitly ask for it.
> Unfortunately, you will not understand the output, so try this as well:
> samba-tool ntacl get /the top/directory --as-sddl
> Rowland

Thanks for your reply. The getfattr -d -e hex -m -  (note the minus sign
after the -m) does retrieve all existing attributes, including
security.NTACL. It is simply not there at the share's top level. It is
there for the subdirectories.
getfattr -n security.NTACL -d /the/top/directory says
/the/top/directory: security.NTACL: No such attribute

samba-tool ntacl returns
which is probably what I see in the Windows security tab. But what is
this derived from?


More information about the samba mailing list