[Samba] Best strategy to manage and backup Windows file permissions

Sun Mar 16 17:10:21 UTC 2025

On 16.03.2025 17:06, R. Diez via samba wrote:
> Hi all:
>
> I am a part-time Linux hacker planning a Samba server for a small 
> business (after having recommended dropping Microsoft Windows 
> altogether).
>
> If I let users manage file permissions (Windows ACLs), it's going to 
> be very hard after a while to tell who has access to what files and 
> who hasn't. It looks like I am not the only one thinking along these 
> lines:
>
> https://serverfault.com/questions/1173394/samba-best-practices-for-acl-s-for-windows-clients 
>
>
> https://unix.stackexchange.com/questions/757004/samba-acls-prevent-full-control 
>
>
> Besides, assuming that I manage to back up all files with their 
> Windows ACLs (I guess by backing up the xattr's), I wonder whether the 
> restore would work. The backup will probably have numeric SIDs, so a 
> rebuilt Samba server would have to keep the same user accounts with 
> the same SIDs, wouldn't it?
>
> So I am thinking that the best strategy would probably be to prevent 
> users from changing file permissions at all. I could then agree with 
> the users which groups should have which permissions where, and then 
> set those permissions programmatically (with a script). For a small 
> shop, I expect just a few rules like "under N:\some\where, only the 
> 'managers' group should be able to read and write".
>
> After a change in the agreed permissions, I would just re-run the 
> script to reset all file permissions. Should the server crash and get 
> rebuilt from scratch, I could run the script to have the same 
> permissions as before.
>
> The script wouldn't use numeric SIDs, but names like "DOMAIN\Group1". 
> If a group does not exist in the new server, the script would fail, so 
> there wouldn't be much room for errors. If a group gets dropped or 
> renamed, the script would flag obsolete rules immediately.
>
> Question 1) Can someone tell me what smb.conf settings I need for this 
> kind of share/permission configuration?
>
> I searched the Internet, but found no conclusive answer yet, just 
> people who tried this and that, and some of it seemed to work but not 
> quite sure. See for the example the links mentioned above.
>
> Or maybe someone here knows where to find a tutorial or an example for 
> this specific use case.
>
> Question 2) How would the script to set/reset permissions would look 
> like?
>
> I am guessing that it would be a shell script with a few lines like this:
>
> samba-tool ntacl set xxx
>
> The trouble is, I couldn't find many examples to help work out the xxx 
> part. The official documentation is rather sparse.
>
> In any case, I probably have to look-up the SIDs beforehand with 
> "wbinfo --name-to-sid", right?
>
> Thanks in advance,
>   rdiez
>
Hi rdiez,

About user permissions, there is no real difference whether your 
customer uses a Windows, or Samba based setup. I have a couple of 
setups, where I try to mimic the Microsoft AD environment as closely as 
possible. I use the Microsoft AD tools for management from a Windows PC, 
and it works pretty well (some caveats, of course). Try to create a 
structure, where you can group the users. There should be somebody 
responsible for each group, with permission to change permissions. Some 
users will be in more than one group, one group with only read 
permission, another with full permission. Try to isolate very important 
groups, like accounting, or HR, where the ordinary user has no valid 
reason to access any information. I know, it's a headache to set it up, 
but it's a trial and error process.

Use a Linux based backup solution with the backups stored off site. All 
the file attributes and files will be backed up. I have used Bacula open 
source with Samba for about 15 years, and before that, Amanda Backup. 
Bacula exists both as open source, and a commercial solution, 
development is active, and the user forum is very helpful. For a small 
company, the open source solution is more than sufficient. Most 
distributions have got Bacula packages.

I wish you a successful project.

Peter