[Samba] Best strategy to manage and backup Windows file permissions

R. Diez rdiez-2006 at rd10.de
Sun Mar 16 16:06:15 UTC 2025


Hi all:

I am a part-time Linux hacker planning a Samba server for a small business (after having recommended dropping Microsoft Windows altogether).

If I let users manage file permissions (Windows ACLs), it's going to be very hard after a while to tell who has access to what files and who hasn't. It looks like I am not the only one thinking along these lines:

https://serverfault.com/questions/1173394/samba-best-practices-for-acl-s-for-windows-clients

https://unix.stackexchange.com/questions/757004/samba-acls-prevent-full-control

Besides, assuming that I manage to back up all files with their Windows ACLs (I guess by backing up the xattrs), I wonder whether the restore would work. The backup will probably have numeric SIDs, so a rebuilt Samba server would have to keep the same user accounts with the same SIDs, wouldn't it?

So I am thinking that the best strategy would probably be to prevent users from changing file permissions at all. I could then agree with the users which groups should have which permissions where, and then set those permissions programmatically (with a script). For a small shop, I expect just a few rules like "under N:\some\where, only the 'managers' group should be able to read and write".

After a change in the agreed permissions, I would just re-run the script to reset all file permissions. Should the server crash and get rebuilt from scratch, I could run the script to have the same permissions as before.

The script wouldn't use numeric SIDs, but names like "DOMAIN\Group1". If a group does not exist in the new server, the script would fail, so there wouldn't be much room for errors. If a group gets dropped or renamed, the script would flag obsolete rules immediately.

Question 1) Can someone tell me what smb.conf settings I need for this kind of share/permission configuration?

I searched the Internet, but found no conclusive answer yet, just people who tried this and that, and some of it seemed to work but not quite sure. See, for example, the links mentioned above.

Or maybe someone here knows where to find a tutorial or an example for this specific use case.

Question 2) What would the script to set/reset permissions look like?

I am guessing that it would be a shell script with a few lines like this:

samba-tool ntacl set xxx

The trouble is, I couldn't find many examples to help work out the xxx part. The official documentation is rather sparse.

In any case, I probably have to look up the SIDs beforehand with "wbinfo --name-to-sid", right?

Thanks in advance,
   rdiez
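
A sketch of the name-based reset script described in the message above, as an added example that is not part of the original post and not Samba project code: each rule names a group, the name is resolved with "wbinfo --name-to-sid", and the result is placed in an SDDL string for "samba-tool ntacl set". The rule format, the access masks, the owner/group (BA) and the full-control entries for SYSTEM and BUILTIN\Administrators are assumptions of this example, and it covers only the top-level path of each rule.

```shell
#!/bin/sh
# Rule line format (assumed for this example): <path>|<DOMAIN\Group>|<ro|rw|full>
# Usage after sourcing this file: apply_rules < rules.txt   (APPLY=1 to apply)

# Map an access level to an SDDL hex access mask.
mask_for() {
    case "$1" in
        (ro)   echo 0x001200a9 ;;  # read and execute
        (rw)   echo 0x001301bf ;;  # modify
        (full) echo 0x001f01ff ;;  # full control
        (*)    return 1 ;;
    esac
}

# Resolve a name to a SID. wbinfo prints "<SID> <type name> (<n>)" on success.
resolve_sid() (
    out=$(wbinfo --name-to-sid "$1" 2>/dev/null) || return 1
    sid=${out%% *}
    case "$sid" in (S-1-*) echo "$sid" ;; (*) return 1 ;; esac
)

# Protected DACL: SYSTEM and BUILTIN\Administrators get full control, the
# named group gets the requested mask; ACEs inherit to files and subfolders.
rule_to_sddl() (
    sid=$(resolve_sid "$1") || { printf 'unknown group: %s\n' "$1" >&2; return 1; }
    mask=$(mask_for "$2") || { printf 'unknown level: %s\n' "$2" >&2; return 1; }
    echo "O:BAG:BAD:PAI(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)(A;OICI;$mask;;;$sid)"
)

# Read rules on stdin. Every rule is resolved before any ACL is touched, so
# one obsolete group aborts the whole run. Prints commands unless APPLY=1.
apply_rules() (
    plan=$(while IFS='|' read -r path group level; do
        case "$path" in (''|'#'*) continue ;; esac
        sddl=$(rule_to_sddl "$group" "$level") || exit 1
        printf '%s|%s\n' "$sddl" "$path"
    done) || return 1
    printf '%s\n' "$plan" | while IFS='|' read -r sddl path; do
        [ -n "$sddl" ] || continue
        if [ "${APPLY:-0}" = 1 ]; then
            samba-tool ntacl set "$sddl" "$path" || exit 1
        else
            printf "samba-tool ntacl set '%s' '%s'\n" "$sddl" "$path"
        fi
    done
)
```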
