[Samba] What happens to Samba permissions when moving a share on the Linux side?

Robert Marcano robert at marcanoonline.com
Mon Aug 22 12:50:53 UTC 2022 

On 8/22/22 1:56 AM, Sebastian Arcus via samba wrote:
> On 21/08/2022 15:00, Rowland Penny via samba wrote:
>> On Sun, 2022-08-21 at 12:57 +0100, Sebastian Arcus via samba wrote:
>>> I have a server with Samba 4.10.8 in AD mode, with shares on the DC.
>>
>> You really shouldn't use a DC as a fileserver, you should add a Unix
>> domain member and use that instead.
> 
> Thank you - I will have to look into it. I take it this would mainly be 
> a performance issue?
> 
>>
>>> I
>>> know that Samba in AD mode keeps the file permissions in its own
>>> database,
>>
>> No, it doesn't. The permissions are stored in the normal Unix
>> permissions (ugo), an extended acl shown by getfacl and an extended
>> attr shown by 'samba-tool ntacl get /path/to/directory or file'.
> 
> Thank you. Is the extended attr shown by samba-tool also stored in the 
> file itself, or somewhere else?

On the extended attributes of the file. If you move them you will not 
have problems, but if you do a copy/rsync instead you should be careful 
to tell the tool to copy extended attribute and acls. cp and rsync 
dont't do it by default. You must be sure the following attributes are 
being copied,

   security.NTACL and user.DOSATTRIB

You can check if they are copied for example with:

   getfattr -d --match=.\* sysvol/

or use an specific name like:

   getfattr -n security.NTACL sysvol/

sysvol is for the example

> 
>>
>>>   not on the Linux file system. What happens to these
>>> permissions if the root of a share is moved on the Linux side? For
>>> example, my share is currently at /mnt/point/samba/share_name, and I
>>> would like to move it to /srv/samba/share_name. Will that mess up
>>> the
>>> stored Samba file permissions - are they using full paths to find
>>> the
>>> files the permissions apply to? Thank you for any info
>>
>> You should be able to just move the data to the new place, but I would
>> make a backup first.
> 
> Thank you again for the quick reply. I already have a backup, so I will 
> proceed with moving the data and see what happens
> 
>

More information about the samba mailing list