[Samba] Permissions at the top of a Samba share

Rowland penny rpenny at samba.org
Tue Aug 27 14:39:32 UTC 2019


On 27/08/2019 15:02, 🦏 Peter Rindfuss wrote:
> Am 2019-08-27 um 11:29 schrieb Rowland penny via samba:
>> On 27/08/2019 09:58, 🦏 Peter Rindfuss via samba wrote:
>>> Am 2019-08-26 um 16:35 schrieb Rowland penny via samba:
>>>> On 26/08/2019 15:20, 🦏 Peter Rindfuss via samba wrote:
>>>>> Hi,
>>>>>
>>>>> I have a question regarding permissions at the top of a share as seen
>>>>> from a Windows 10 client.
>>>>>
>>>>> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
>>>>> one AD controller and one file server.
>>>>>
>>>>> The top directory of our main share on the file server has, on the
>>>>> Linux
>>>>> level, these permissions reported by getfacl:
>>>>> # file: ...
>>>>> # owner: root
>>>>> # group: domain\040users
>>>>> # flags: ---
>>>>> user::rwx
>>>>> group::r-x
>>>>> other::---
>>>>>
>>>>> i.e. there are no rights for "other" and no default entries in the
>>>>> Posix
>>>>> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
>>>>>
>>>>> getfattr -d -e hex -m - ...
>>>>> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
>>>>> "user.SAMBA_PAI="
>>>>>
>>>>> The Windows security editor, however, has two entries for "Everyone":
>>>>> Allow Everyone None    'This folder only'
>>>>> Allow Everyone Special 'Subfolders and files only', the special rights
>>>>> being read permission.
>>>>>
>>>>> I am wondering where the read permission for 'Subfolders and files
>>>>> only'
>>>>> comes from as there is no trace of this on the Linux side.
>>>>>
>>>>> Thanks, Peter
>>>>>
>>>> Have you tried: getfattr -n security.NTACL -d /the/top/directory
>>>>
>>>> You have to explicitly ask for it.
>>>>
>>>> Unfortunately, you will not understand the output, so try this as well:
>>>>
>>>> samba-tool ntacl get /the top/directory --as-sddl
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>> Thanks for your reply. The getfattr -d -e hex -m -  (note the minus sign
>>> after the -m) does retrieve all existing attributes, including
>>> security.NTACL. It is simply not there at the share's top level. It is
>>> there for the subdirectories.
>>> getfattr -n security.NTACL -d /the/top/directory says
>>> /the/top/directory: security.NTACL: No such attribute
>>>
>>> samba-tool ntacl returns
>>> O:S-1-22-1-0G:DUD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;DU)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)
>>>
>>> which is probably what I see in the Windows security tab. But what is
>>> this derived from?
>> The 'thing' your getfattr cannot find, 'security.NTACL'
> It's not hidden, it does not exist. I used your version of getfattr, see
> above. getfattr shows 'security.NTACL' for other directories.
>
> Peter

If you have set the permissions from Windows then it should exist and 
look similar to this:

root at dc4:~# getfattr -n security.NTACL /var/lib/samba/sysvol
getfattr: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
security.NTACL=0sBAAEAAAAAgAEAAIAAQCp6am1GotJOBGWqEzbx+jV69lfEcBxseIm2q6pPixE2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAHpBkx0YKNQBTqxeNQHOuh/c/z6YZFTuQjad7CmDVREUbsXeqk0EOGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAFJS0AAAAxAAAAAAAAADQAAAAAQIAAAAAAAUgAAAAIAIAAAEBAAAAAAAFEgAAAAQAzAAJAAAAAAsUAAAADOABAQAAAAAAAwAAAAAACxQAAAAAoAEBAAAAAAAFCwAAAAAAFACpABIAAQEAAAAAAAULAAAAAAsUAAAAABABAQAAAAAABRIAAAAAABQA/wMfAAEBAAAAAAAFEgAAAAALGAAAAAzgAQIAAAAAAAUgAAAAIAIAAAAAGAC/AR4AAQIAAAAAAAUgAAAAIAIAAAALGAAAAACgAQIAAAAAAAUgAAAAJQIAAAAAGACpABIAAQIAAAAAAAUgAAAAJQIAAA==

Rowland





More information about the samba mailing list