[Samba] POSIX vs. Windows ACLs

Patrick Goetz pgoetz at math.utexas.edu
Thu Nov 18 10:48:10 UTC 2021

On 11/16/21 08:50, Stefan Kania via samba wrote:
> why don't you use pam-mount for the Linux-clients? If they are in the
> domain it works fine, and you won't have problems with the permission

The problem is I have at least one linux machine at a remote location 
that can't join the domain for political / other organization security 
reasons.  Right now I have them using ssh-fuse there, and of course the 
permissions just work because there's no Windows in the middle. In a 
second iteration I might be able to put them on WireGuard, in which case 
this would become an option.

I'm scarred by SMB mounting resources from an actual Windows box to 
linux because Windows is such a terrible team player.

I wonder if pam_mount is why autofs has fallen into such poor use, 
though.  It's hard to maintain the absolute perfection of an all linux 

> On 02.11.21 at 10:49, Patrick Goetz via samba wrote:
>> Another question referring to a Samba domain member file server.
>> The file system is ext4 on an Ubuntu 20.04.
>> I would like to use Windows ACLs so my windows users can change
>> permissions on directories/files, but we also use linux data processing
>> systems, so the permissions (beyond POSIX basic) need to work there, too.
>> I think this means I'm stuck using POSIX extended ACLs, with Windows
>> users not being able to change permissions. Just want to make sure I
>> understand all the possibilities:
>> Currently the linux systems access files through NFS mounts, so no hope
>> of Windows ACLs working there, but if I were to bind the linux machines
>> to the domain and do the mounts through SMB, would the linux systems
>> respect the Windows ACL authorizations because permission is determined
>> by the Samba file server? Understood that I would lose the ability to
>> edit ACLs from linux, but the linux users are really Windows users
>> working on a linux system because that's where the software is and they
>> have no idea how to edit permissions there anyway.
>> Beyond this, if I'm working directly on the Samba file server, are there
>> command line tools available for editing Windows ACLs, or is this
>> sufficiently complicated that only a GUI will do?
>> The conjunction of linux and windows access control is a terrible mess,
>> as already discussed, but the world doesn't stop moving as a result, so
>> we will continue to cobble together bastardized arrangements that mostly
>> work.  I'm at the Build a Frankenstein shop now...
