[Samba] Setting permissions on AD member file server

L.P.H. van Belle belle at bazuin.nl
Tue Mar 15 15:01:52 UTC 2022


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Patrick Goetz via samba
> Verzonden: dinsdag 15 maart 2022 14:58
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Setting permissions on AD member file server
> On 3/14/22 17:41, Gregory Sloop via samba wrote:
> > I've had a little time to tinker and one thing I've found.
> >   
> > Unless I have [acl_xattr:ignore system acls = yes] set, I 
> can't edit permissions at all.
> > (I set it globally, though a share level setting would 
> probably work on a per-share basis.)
> There must be another issue here.  I have:
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes

You can remove : store dos attributes = yes
The default has changed to yes in Samba release 4.9.0 and above 

> set in smb.conf and most certainly can edit permissions from Windows, 
> although this has also failed in some cases for reasons I 
> haven't been 
> able to pinpoint (but am guessing is related to the long path issue).

You can try to set: 
Local Computer Policy > Computer Configuration > Administrative Templates > System > Filesystem.
Double click and Enable NTFS long paths.

> >   
> > This seems to be a quasi-sideeffect of that setting  - in 
> short that setting overwrites/resets the posix permissions. 
> (Provided I understand discussions I've seen about it.)
> >   
> > In this case the share will only be used by Windows users 
> via CIFS/Samba - so this may well "work" just fine and as a 
> happy side-effect, make the problem vanish.
> > But I'd guess it's not really the "correct" fix.
> >   
> > To that end, what would be the best way to reset the 
> permissions on the directories/files properly, removing all 
> the Samba ACL's etc? Once they are set as a baseline in POSIX 
> then we can tinker with Samba ACL's with the Windows 
> permissions again. (And remove acl_xattr:ignore system acls = yes)

I do this like this. 
setfacl --recursive --remove-all  folder 
chmod -R o-rwx folder
chown -R root:root folder
chmod -R 775 folder

And start again, how its back to normal. 

> Adding on to this, I would like to completely reset all the Windows 
> permissions, since the filesystem permissions look good, but 
> resetting 
> permissions on some folders fails from Windows.  If Windows 10 File 
> Explorer does not support long paths, then how would someone 
> use this to 
> reset permissions on deeply nested folders anyway?  I've 
> determined that 
> at after a certain path length the security tab disappears from 
> Properties completely!
Interessing, i havent seen that.. I do have seen a bug that make security tab go away..
But thats long ago fixed. 



More information about the samba mailing list