[Samba] Windows ACLs

Peter Carlson peter at howudodat.com
Tue Oct 4 00:17:13 UTC 2022


On 10/3/22 17:03, Bailey Allison wrote:
> Just out of curiosity where would you be seeing this read only?
> Just looking at both the Linux permissions and your screenshot of the Windows ACLs it appears there isn't anything set to read only besides the Creator Group option, as every other user or group is set to Full Control through the entire share which makes sense as that's what you're describing it's working as, I am just not certain where it appears to be set as read only.
>
> Apologies if I've missed it earlier but are you able to give a quick description of how exactly you are looking to have the permissions set up on the share?
>
> I would say that once you've got the Windows ACLs set up/configured, there is also not too much value in checking the permissions on the Linux side, and especially modifying them on the Linux side. You will pretty much be living within the Security Tab on Windows to configure permissions (the one in the screenshot you've provided). The good thing in all of this is, you've pretty much gotten over the hurdle of getting the Windows ACLs set up and configured properly!
>
Right click on folder, properties see: https://snipboard.io/BHkrIS.jpg,
it's a couple of snaps overlaid together.  I don't plan on messing with
the ACLs on Linux.  I was just providing the information to be as clear
and verbose as possible.  I am sometimes accused of providing too much.

This might not even be a problem as both admins and users can interact 
with the share as expected.

I have two more scenarios to test.  1) restricted share (Accounting
group only), 2) a share that needs to be accessed by both Windows
clients and Linux users logged in to the domain probably using gio mount
and a middleware process via a system mount (also mounted via AD user).
Hopefully it will work correctly there too, I'm thinking it should be
almost the same.

>
>> Windows GUI only shows Domain Users once (https://snipboard.io/aliKP2.jpg), but Get-Acl lists domain users twice, once with ReadAndExecute and another with FullControl
> This is possibly because domain users could have permissions from being set as Full Control, as well as creator group being set with Read and Execute. Creator Group uses the primary group of the user which is typically set to Domain Users within a Windows setup. In this case you then are getting Domain Users as Full Control, as well as Domain Users getting Read and Execute from Creator Group.
Makes sense


Peter



