I want to get a better understanding of what's happening between the posix permissions and windows permissions.

I start with a Samba 4 AD DC with a share: /mnt/data

All subfolders and files have permissions and ownership that look like:

drwxrwxrwx. 539 root root 52K May 12 17:50

The Samba 4 Admin and User accounts are not local users on the linux server; they are only AD domain accounts. The /mnt/data share is set read only = no. I thought the AD DC ignores the posix ownership and permission settings, and they are controlled by ADUC settings via windows tools. But when I chmod the directory to 0770:

drwxrwx--- 539 root root 52K May 12 17:53

I can no longer access the share /mnt/data using AD DC Admin or User accounts.

Can I get an RTFM pointer that addresses what's happening in this example?

Thanks for your help.

Mike
On 13/05/15 13:38, Mike wrote:
> I want to get a better understanding of what's happening between the posix
> permissions and windows permissions.

Nothing happens between posix permissions (acls) and windows permissions (ACLs), they are different, see:

https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

On Unix, you can set read, write and execute/enter permissions for the owner, group or others, so for a share to be readable by some user who is neither the owner nor a member of the group allowed access, you must set the Unix acls to 'rwxr-xr-x' or '755'.

Now this is all well and good if you just want to give others read access, but what if you want the user to have write access as well?

If a share has the owner:group set to fred:unixgroup, you could add george to the group 'unixgroup' and change the acls to rwxrwxr-x (775), but then every member of the group 'unixgroup' will have write permissions.

The answer to this? Use windows ACLs. With these you could retain the Unix acls and add george as a user that has write access. You can do this from windows, or with setfacl:

setfacl -m u:george:rwx testdir

and to see the ACLs:

getfacl testdir

There is much more out there, just try a search on 'getfacl'

Rowland

> I start with a Samba 4 AD DC with a share: /mnt/data
>
> All subfolders and files have permissions and ownership that look like:
>
> drwxrwxrwx. 539 root root 52K May 12 17:50
>
> The Samba 4 Admin and User accounts are not local users on the linux
> server; they are only AD domain accounts. The /mnt/data share is set read
> only = no. I thought the AD DC ignores the posix ownership and permission
> settings, and they are controlled by ADUC settings via windows tools. But
> when I chmod the directory to 0770:
>
> drwxrwx--- 539 root root 52K May 12 17:53
>
> I can no longer access the share /mnt/data using AD DC Admin or User
> accounts.
>
> Can I get an RTFM pointer that addresses what's happening in this example?
> Thanks for your help.
>
> Mike
Sébastien Le Ray
2015-May-13  15:08 UTC
[Samba] Posix vs. Windows File/Directory Permissions
On 13/05/2015 17:02, Rowland Penny wrote:
> On 13/05/15 13:38, Mike wrote:
>> I want to get a better understanding of what's happening between the
>> posix
>> permissions and windows permissions.
>
> Nothing happens between posix permissions (acls) and windows
> permissions (ACLs), they are different, see:

Well... Something happens since Windows ACLs are converted to UNIX ones when using RSAT. Moreover, you'll not be able to set up initial Windows ACLs if UNIX ACLs do not allow the configuring user to do so (which is not mentioned on the wiki).

Regards
Greetings, Mike!

> I want to get a better understanding of what's happening between the posix
> permissions and windows permissions.

> I start with a Samba 4 AD DC with a share: /mnt/data

> All subfolders and files have permissions and ownership that look like:

> drwxrwxrwx. 539 root root 52K May 12 17:50

> The Samba 4 Admin and User accounts are not local users on the linux
> server; they are only AD domain accounts.

That's not quite true.

> The /mnt/data share is set read only = no. I thought the AD DC ignores the
> posix ownership and permission settings, and they are controlled by ADUC
> settings via windows tools.

It would only be true if Samba had faked the control stuff. Thankfully, it is NOT true. Samba does a mapping between AD SIDs and local POSIX uid/gid stuff. So, at any point, the access control is the real access control.

> But when I chmod the directory to 0770:

> drwxrwx--- 539 root root 52K May 12 17:53

> I can no longer access the share /mnt/data using AD DC Admin or User
> accounts.

> Can I get an RTFM pointer that addresses what's happening in this example?
> Thanks for your help.

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Though, it is hardly an RTFM, but it gives you an idea.

-- 
With best regards,
Andrey Repin
Wednesday, May 13, 2015 18:21:09

Sorry for my terrible English...
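Both Rowland's setfacl suggestion and Andrey's point about SID-to-uid mapping come down to the POSIX.1e access check the kernel runs once winbind has turned a domain account into a uid and gids. The following Python model of that check is an added example, not code from this thread, from Samba or from the kernel; the idmap table, the uid/gid values and the getfacl output it parses are constructed, and the Windows-style account names are placeholders. It reproduces Mike's lockout at 0770, Rowland's named-user entry, and one caveat the thread does not spell out: once named entries exist, a later chmod on the group bits rewrites the mask, not the entries.

```python
"""Model of the POSIX.1e ACL access check the kernel applies to a Samba share
(constructed example: not Samba code, not kernel code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

def perms(s):
    """'rwx' / 'r-x' / '---' -> set of granted letters."""
    return frozenset(c for c in s if c in "rwx")

@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: FrozenSet[str]    # user::   the owner's bits
    group_obj: FrozenSet[str]   # group::  the owning group's bits
    other: FrozenSet[str]       # other::
    named_users: Dict[int, FrozenSet[str]] = field(default_factory=dict)   # user:NAME:
    named_groups: Dict[int, FrozenSet[str]] = field(default_factory=dict)  # group:NAME:
    mask: Optional[FrozenSet[str]] = None   # mask::  absent after a plain chmod

def acl_from_mode(owner_uid, owner_gid, mode):
    """The minimal ACL a chmod mode such as 0o770 implies: no named entries, no mask."""
    bits = lambda shift: frozenset(c for c, b in zip("rwx", (4, 2, 1)) if (mode >> shift) & b)
    return Acl(owner_uid, owner_gid, bits(6), bits(3), bits(0))

def parse_getfacl(text, uid_of, gid_of):
    """Parse getfacl(1) output; uid_of/gid_of stand in for the winbind idmap (constructed)."""
    acl = Acl(0, 0, frozenset(), frozenset(), frozenset())
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("# owner:"):
            acl.owner_uid = uid_of[line.split(":", 1)[1].strip()]
        elif line.startswith("# group:"):
            acl.owner_gid = gid_of[line.split(":", 1)[1].strip()]
        elif line and not line.startswith("#"):
            tag, qual, p = line.split("#")[0].strip().split(":")  # drop '#effective:' notes
            p = perms(p)
            if tag == "user":
                if qual:
                    acl.named_users[uid_of[qual]] = p
                else:
                    acl.user_obj = p
            elif tag == "group":
                if qual:
                    acl.named_groups[gid_of[qual]] = p
                else:
                    acl.group_obj = p
            elif tag == "mask":
                acl.mask = p
            elif tag == "other":
                acl.other = p
            else:
                raise ValueError("unknown ACL tag: " + tag)
    return acl

def access_allowed(acl, uid, groups, want):
    """Kernel check order: owner, named user, owning/named groups, other.
    Named-user and group entries are cut down by mask::; the owner entry is not."""
    wanted, groups = perms(want), set(groups)
    masked = lambda p: wanted <= (p if acl.mask is None else p & acl.mask)
    if uid == acl.owner_uid:
        return wanted <= acl.user_obj        # owner is decided here, no fall-through
    if uid in acl.named_users:
        return masked(acl.named_users[uid])
    group_entries = [acl.group_obj] if acl.owner_gid in groups else []
    group_entries += [p for gid, p in acl.named_groups.items() if gid in groups]
    for p in group_entries:
        if wanted <= p:
            return masked(p)                 # first granting group entry, then the mask
    if group_entries:
        return False                         # in a listed group, none grants: other:: is NOT consulted
    return wanted <= acl.other

# Constructed idmap: the AD accounts are not local users, so winbind maps
# their SIDs to uids/gids like these before the kernel ever sees an access.
UID = {"root": 0, "DOMAIN\\administrator": 3000000, "DOMAIN\\george": 3000012}
GID = {"root": 0, "DOMAIN\\domain users": 3000001}
DOMAIN_USERS = {GID["DOMAIN\\domain users"]}

def mikes_case():
    """/mnt/data is root:root; chmod 0770 removes the other:: bits the mapped
    domain accounts were relying on. Returns (allowed at 0777, allowed at 0770)."""
    george = UID["DOMAIN\\george"]
    return (access_allowed(acl_from_mode(0, 0, 0o777), george, DOMAIN_USERS, "r-x"),
            access_allowed(acl_from_mode(0, 0, 0o770), george, DOMAIN_USERS, "r-x"))

# Constructed getfacl output for testdir after: setfacl -m u:DOMAIN\george:rwx testdir
GETFACL_TESTDIR = """\
# file: testdir
# owner: root
# group: root
user::rwx
user:DOMAIN\\george:rwx
group::rwx
mask::rwx
other::---
"""

def rowlands_fix():
    """george writes through his own entry; other domain accounts still fall
    through to other::---. Returns (george rwx, administrator r-x)."""
    acl = parse_getfacl(GETFACL_TESTDIR, UID, GID)
    return (access_allowed(acl, UID["DOMAIN\\george"], DOMAIN_USERS, "rwx"),
            access_allowed(acl, UID["DOMAIN\\administrator"], DOMAIN_USERS, "r-x"))

def mask_caveat():
    """A later 'chmod g-w testdir' rewrites mask:: (not group::) once named
    entries exist, so george's rwx entry is silently cut to r-x. Returns (r-x, w)."""
    acl = parse_getfacl(GETFACL_TESTDIR.replace("mask::rwx", "mask::r-x"), UID, GID)
    george = UID["DOMAIN\\george"]
    return (access_allowed(acl, george, DOMAIN_USERS, "r-x"),
            access_allowed(acl, george, DOMAIN_USERS, "w"))
```

Run `mikes_case()`, `rowlands_fix()` and `mask_caveat()` to see (True, False) from each: the domain accounts were only ever getting in through other::, a named user entry fixes that for one account without widening the group, and the mask is where a later chmod quietly undoes it, which is what `getfacl` shows as `#effective:` on the affected entries.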