[Samba] Cleanup permission settings / traverse folder

Rowland Penny rpenny at samba.org
Mon Mar 20 17:26:33 UTC 2023



On 20/03/2023 16:58, Rowland Penny via samba wrote:
> 
> 
> On 20/03/2023 16:22, Thomas Hoffmann (Speed4Trade GmbH) via samba wrote:
>> Hello,
>> I have problems removing the permission settings on a directory/folder 
>> after configuration of a share.
>>
>> My folders look like:
>> /var/folder1/folder2/
>>
>> I created share1 on folder1 and share2 on folder2.
>> Afterwards, I activated ACLs and set permission on folder1 to 
>> domain/group1 and on folder2 to domain/group2.
>>
>> I couldn't access share2 with a user from group2 and I figured out 
>> that Samba doesn't support SeChangeNotifyPrivilege (bypass traverse 
>> checking).
> 
> According to 'net rpc rights list' it does, but it is described as 
> 'Register for change notify', however, in previous documentation it was 
> described as 'Bypass traverse checking'. I do not know when the 
> description changed or why.
> 
>> Because user2 from group2 doesn't have any permissions on folder1, the 
>> user can't access folder2 and therefore can't access share2.
>>
>> So far, so good. I decided to remove share1 because it was only a 
>> share for convenience. Afterwards I deleted the ACLs on folder1 with 
>> "setfacl -bn /var/folder1/ "
>> Unfortunately, user2 still can't access share2. Somehow folder1 is 
>> still blocking user2 to access folder2.
>> When I create folder2 somewhere else with the exact same settings, 
>> everything works.
>> Does samba store some permissions at another place? How to tidy up the 
>> settings on folder1 properly?
>> Any hints would be appreciated. Thanks!
>> I can provide smb-settings if needed.
> 
> Please post the output of 'testparm -s' (sanitised if required) and the 
> permissions set on the share.
> 
> Rowland
> 
> 

Then after a bit of investigation, I turned up this smb.conf parameter:

honor change notify privilege

By default it is set to 'no'; try adding the parameter but set to 
'yes', i.e.

honor change notify privilege = yes

Restart or reload Samba and see if that helps.

You may also have to give the user the privilege using 'net'.

Rowland


