[Samba] POSIX vs. Windows ACLs
Jeremy Allison
jra at samba.org
Tue Nov 2 18:27:09 UTC 2021
On Tue, Nov 02, 2021 at 04:49:01AM -0500, Patrick Goetz via samba wrote:
>
>Another question referring to a Samba domain member file server.
>
>The file system is ext4 on an Ubuntu 20.04.
>
>I would like to use Windows ACLs so my windows users can change
>permissions on directories/files, but we also use linux data
>processing systems, so the permissions (beyond POSIX basic) need to
>work there, too.
>
>I think this means I'm stuck using POSIX extended ACLs, with Windows
>users not being able to change permissions. Just want to make sure I
>understand all the possibilities:
No, Samba will map Windows permission in a best-effort case
to POSIX ACLs. It can also keep a copy of the pristine Windows
ACL in an EA associated with the file so access via Windows clients
is mediated by the same Windows ACL algorithm used on a Windows
server.
>Currently the linux systems access files through NFS mounts, so no
>hope of Windows ACLs working there, but if I were to bind the linux
>machines to the domain and do the mounts through SMB, would the linux
>systems respect the Windows ACL authorizations because permission is
>determined by the Samba file server?
Yes. Samba obeys the pristine Windows ACLs before delegating
to the underlying filesystem - i.e. if a Windows ACL says deny,
we deny. If a Windows ACL says "allow", we are still bound by
the underlying POSIX ACL mapping on ext4 so it's possible you
may get a mismatch and a "deny" when the Windows ACL would
expect "allow". But this is failing safe, not failing open,
which is what you want.
>Understood that I would lose the
>ability to edit ACLs from linux, but the linux users are really
>Windows users working on a linux system because that's where the
>software is and they have no idea how to edit permissions there
>anyway.
Linux users can use the smbcacls binary to edit Windows ACLs
on a remote server.
>Beyond this, if I'm working directly on the Samba file server, are
>there command line tools available for editing Windows ACLs, or is
>this sufficiently complicated that only a GUI will do?
smbcacls.
>The conjunction of linux and windows access control is a terrible
>mess, as already discussed, but the world doesn't stop moving as a
>result, so we will continue to cobble together bastardized
>arrangements that mostly work. I'm at the Build a Frankenstein shop
>now...
"Puttin' on the Ritz !":
https://www.youtube.com/watch?v=ab7NyKw0VYQ
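As an added illustration (not Samba's code and not part of the original thread), here is a simplified model of the two-stage check described in the reply: the stored Windows ACL is consulted first, an explicit deny is final, and an allow is still bound by the POSIX ACL mapping on ext4, so a mismatch fails safe rather than open. The Ace and PosixAcl types, the user and group names, and the two rights are constructed for the example; real Windows and POSIX evaluation rules are richer than shown.

```python
from collections import namedtuple
READ, WRITE = "read", "write"

# Ace: one DACL entry; PosixAcl: ext4 ACL with optional named groups and a mask.
Ace = namedtuple("Ace", "kind trustee rights")   # kind is "allow" or "deny"
PosixAcl = namedtuple("PosixAcl", "owner group owner_perms group_perms other_perms "
                      "named_groups mask", defaults=({}, frozenset({READ, WRITE})))

def windows_allows(dacl, principals, wanted):
    """DACL walk: a matching deny on any wanted right refuses outright; allows
    accumulate; no covering allow is an implicit deny (denies are listed first)."""
    granted = set()
    for ace in dacl:
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.rights & wanted:
            return False
        if ace.kind == "allow":
            granted |= ace.rights & wanted
    return granted == wanted

def posix_allows(pacl, user, groups, wanted):
    """POSIX ACL order: owner entry, then owning/named groups (masked), then other."""
    if user == pacl.owner:
        return wanted <= pacl.owner_perms
    entries = [pacl.group_perms] if pacl.group in groups else []
    entries += [p for g, p in pacl.named_groups.items() if g in groups]
    if entries:
        return any(wanted <= (p & pacl.mask) for p in entries)
    return wanted <= pacl.other_perms

def samba_access(dacl, pacl, user, groups, wanted):
    """Windows deny is final; a Windows allow must also pass the POSIX mapping."""
    wanted = set(wanted)
    if not windows_allows(dacl, {user, *groups}, wanted):
        return "deny (Windows ACL)"
    if not posix_allows(pacl, user, groups, wanted):
        return "deny (POSIX mapping mismatch)"
    return "allow"

# Constructed scenario: Windows grants group "staff" read+write, but the POSIX
# mapping gives the owning group read only, so a staff write fails safe.
DACL = [Ace("deny", "contractors", frozenset({WRITE})),
        Ace("allow", "staff", frozenset({READ, WRITE}))]
PACL = PosixAcl("alice", "staff", frozenset({READ, WRITE}), frozenset({READ}), frozenset())
def demo():
    return {"bob_read": samba_access(DACL, PACL, "bob", {"staff"}, {READ}),
            "bob_write": samba_access(DACL, PACL, "bob", {"staff"}, {WRITE}),
            "carol_write": samba_access(DACL, PACL, "carol", {"staff", "contractors"}, {WRITE})}
```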