[Samba] windows "Security" attributes for standard linux rwx permissions missing?

Rowland Penny rpenny at samba.org
Wed May 24 12:45:58 UTC 2023 


On 24/05/2023 11:29, Michael Tokarev via samba wrote:
> Hi!
> 
> Just noticed today that windows does not list permissions for standard
> linux RWX file access modes on a samba share anynmore. The "Security"
> tab in file-properties dialog correctly shows the 3 standard entities
> (file owner, group and "everyone"), but no security attributes are
> shown for any of those entities, the "Permissions for <..>" list
> does not have any entry checked (Full Control, Modify, Read, etc -
> none of that are set).  There's just one entry checked --
> it is "Special permissions".

It has been like that for a long time (at least for myself), have you 
tried clicking the Advanced button ?

> 
> I remember samba mapped at least r and w bits to Read and Write.
> Or maybe I misremember something?
> 
> When hitting "Modify" button and enabling some permissions there,
> samba creates an ACL for this file, with standard RWX perms
> mirrored as actual ACL entries, like, for a file group-owned
> by group "users" it creates group:: acl and group:users: acl
> with the same contents.  Which works, but obviously breaks
> when changing group of this file.

The share permissions are stored on three places, there are the standard 
Unix 'ugo' permissions, an ACL that getfacl shows and another EA that 
samba-tool can dislpay.

If you follow this wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You will end up with a share 'Demo' that uses the /srv/samba/Demo/ 
directory.

If you check the permissions with 'ls', you will get something like this:

ls -lad /srv/samba/Demo/
drwxrwx--- 2 root domain admins 4096 May 24 11:46 /srv/samba/Demo/

getfacl will show this:

  getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

samba-tool will show this:

samba-tool ntacl get /srv/samba/Demo/ --as-sddl
O:S-1-22-1-0G:DAD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;DA)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

If you now alter the permissions on a Windows computer (the recommended 
way), this will alter the EA that samba-tool shows, this will cause the 
ACL to be altered to suit.

Rowland

More information about the samba mailing list