samba - May 2015 - Posix vs. Windows File/Directory Permissions

I want to get a better understanding of what's happening between the posix
permissions and windows permissions.

I start with a Samba 4 AD DC with a share:  /mnt/data

All subfolders and files have permissions and ownership that look like:

drwxrwxrwx. 539 root root  52K May 12 17:50

The Samba 4 Admin and User accounts are not local users on the linux
server; they are only AD domain accounts.  The /mnt/data share is set read
only = no.  I thought the AD DC ignores the posix ownership and permission
settings, and they are controlled by ADUC settings via windows tools.  But
when I chmod the directory to 0770:

drwxrwx---  539  root  root  52K May 12  17:53

I can no longer access the share /mnt/data using AD DC Admin or User
accounts.

Can I get an RTFM pointer that addresses what happening in this example?
Thanks for your help.

Mike

On 13/05/15 13:38, Mike wrote:
> I want to get a better understanding of what's happening between the
posix
> permissions and windows permissions.
Nothing happens between posix permissions (acls) and windows permissions 
(ACLs), they are different, see:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

On Unix, you can set read, write and execute/enter permissions for the 
owner, group or others, so for a share to be readable by some user who 
is neither the owner or a member of the group allowed access, you must 
set the Unix acls to 'rwxr-xr-x' or '755'. Now this is all well
and good
if you just what to give others read access, but what if you want the 
user to have write access as well ?

If a share has the owner: group set to fred:unixgroup, you could add 
george to the group 'unixgroup' and change the acls to rwxrwxr-x (775) 
but then every member of the group 'unixgroup' will have write
permissions.

The answer to this? use windows ACLs, with these you could retain the 
Unix acls and add george as a user that has write access, you can do 
this from windows, or with setfacl:

  setfacl -m u:george:rwx testdir

and to see the ACLs:

getfacl testdir

There is much more out there, just try a search on 'getfacl'

Rowland
>
> I start with a Samba 4 AD DC with a share:  /mnt/data
>
> All subfolders and files have permissions and ownership that look like:
>
> drwxrwxrwx. 539 root root  52K May 12 17:50
>
> The Samba 4 Admin and User accounts are not local users on the linux
> server; they are only AD domain accounts.  The /mnt/data share is set read
> only = no.  I thought the AD DC ignores the posix ownership and permission
> settings, and they are controlled by ADUC settings via windows tools.  But
> when I chmod the directory to 0770:
>
> drwxrwx---  539  root  root  52K May 12  17:53
>
> I can no longer access the share /mnt/data using AD DC Admin or User
> accounts.
>
> Can I get an RTFM pointer that addresses what happening in this example?
> Thanks for your help.
>
> Mike

Le 13/05/2015 17:02, Rowland Penny a ?crit :
> On 13/05/15 13:38, Mike wrote:
>> I want to get a better understanding of what's happening between
the
>> posix
>> permissions and windows permissions.
>
> Nothing happens between posix permissions (acls) and windows 
> permissions (ACLs), they are different, see:
Well? Something happens since Windows ACLs are converted to UNIX ones 
when using RSAT. Moreover, you'll not be able to set up inital Windows 
ACL is UNIX ACLs do not allow the configuring user to do so (which is 
not mentioned on the wiki)

Regards

Greetings, Mike!
> I want to get a better understanding of what's happening between the
posix
> permissions and windows permissions.
> I start with a Samba 4 AD DC with a share:  /mnt/data
> All subfolders and files have permissions and ownership that look like:
> drwxrwxrwx. 539 root root  52K May 12 17:50
> The Samba 4 Admin and User accounts are not local users on the linux
> server; they are only AD domain accounts.
That's not quite true.
> The /mnt/data share is set read only = no.  I thought the AD DC ignores the
> posix ownership and permission settings, and they are controlled by ADUC
> settings via windows tools.
It would only be true, if Samba would have faked the control stuff.
Thankfully, it is NOT true.
Samba do a mapping between AD SIDs and local POSIX uid/gid stuff.
So, at any point, the access control is the real access control.
> But when I chmod the directory to 0770:
> drwxrwx---  539  root  root  52K May 12  17:53
> I can no longer access the share /mnt/data using AD DC Admin or User
> accounts.
> Can I get an RTFM pointer that addresses what happening in this example?
> Thanks for your help.
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Though, it is hardly an RTFM, but it gives you an idea.


-- 
With best regards,
Andrey Repin
Wednesday, May 13, 2015 18:21:09

Sorry for my terrible english...