[Samba] Setting permissions on AD member file server

gs at wvac.club gs at wvac.club
Wed Mar 16 13:48:28 UTC 2022

On 2022-03-15 11:30, Patrick Goetz wrote:

> On 3/15/22 10:01, L.P.H. van Belle via samba wrote:    
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Patrick Goetz via samba
> Verzonden: dinsdag 15 maart 2022 14:58
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Setting permissions on AD member file server
> On 3/14/22 17:41, Gregory Sloop via samba wrote: I've had a little time 
> to tinker and one thing I've found.
> Unless I have [acl_xattr:ignore system acls = yes] set, I can't edit 
> permissions at all. (I set it globally, though a share level setting 
> would probably work on a per-share basis.)
> There must be another issue here.  I have:
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes

You can remove : store dos attributes = yes
The default has changed to yes in Samba release 4.9.0 and above

> set in smb.conf and most certainly can edit permissions from Windows,
> although this has also failed in some cases for reasons I
> haven't been
> able to pinpoint (but am guessing is related to the long path issue).

You can try to set:
Local Computer Policy > Computer Configuration > Administrative 
Templates > System > Filesystem.
Double click and Enable NTFS long paths.

Yes, I did this for all Windows workstations using a domain Group Policy 
and it didn't change anything.

> This seems to be a quasi-sideeffect of that setting  - in short that 
> setting overwrites/resets the posix permissions.
> (Provided I understand discussions I've seen about it.)    In this case 
> the share will only be used by Windows users via CIFS/Samba - so this 
> may well "work" just fine and as a
> happy side-effect, make the problem vanish. But I'd guess it's not 
> really the "correct" fix.
> To that end, what would be the best way to reset the permissions on the 
> directories/files properly, removing all
> the Samba ACL's etc? Once they are set as a baseline in POSIX
> then we can tinker with Samba ACL's with the Windows
> permissions again. (And remove acl_xattr:ignore system acls = yes)

I do this like this.
setfacl --recursive --remove-all  folder
chmod -R o-rwx folder
chown -R root:root folder
chmod -R 775 folder

And start again, how its back to normal.

So that resets the UNIX/POSIX ACLs; how do you reset all the Windows 

>> Adding on to this, I would like to completely reset all the Windows
>> permissions, since the filesystem permissions look good, but
>> resetting
>> permissions on some folders fails from Windows.  If Windows 10 File
>> Explorer does not support long paths, then how would someone
>> use this to
>> reset permissions on deeply nested folders anyway?  I've
>> determined that
>> at after a certain path length the security tab disappears from
>> Properties completely!
> Interessing, i havent seen that.. I do have seen a bug that make 
> security tab go away..
> But thats long ago fixed.

Create a really long path (> 256 characters) and then see if you see the 
same thing; i.e. when listing Properties on a file or folder under this 
path, is there a Security tab?

> Greetz,
> Louis

I'm not sure I'm following the discussion correctly, but related to the 
long path issue if you need to modify the permissions you should be able 
to do it from the windows command prompt (or possibly powershell - I 
haven't tried it) on a computer with long-path enabled, by using the 
icacls command.

The command prompt on a long-path-enabled computer will work with the 
long path, but annoyingly I think with icacls you have to preface the 
path with \\?\ (so \\?\D:\Data...\...).

There is also a third-party tool named SetACL developed by an MS MVP 
that supports paths longer than 260 characters.

icacls command info from microsoft: 
setacl : https://helgeklein.com/setacl/feature-set/

More information about the samba mailing list