Hi,

I have a question regarding permissions at the top of a share as seen from a Windows 10 client.

We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with one AD controller and one file server.

The top directory of our main share on the file server has, on the Linux level, these permissions reported by getfacl:
# file: ...
# owner: root
# group: domain\040users
# flags: ---
user::rwx
group::r-x
other::---

i.e. there are no rights for "other" and no default entries in the Posix ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)

getfattr -d -e hex -m - ...
shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no "user.SAMBA_PAI="

The Windows security editor, however, has two entries for "Everyone":
Allow Everyone None 'This folder only'
Allow Everyone Special 'Subfolders and files only', the special rights being read permission.

I am wondering where the read permission for 'Subfolders and files only' comes from as there is no trace of this on the Linux side.

Thanks, Peter

On 26/08/2019 15:20, Peter Rindfuss via samba wrote:
> Hi,
>
> I have a question regarding permissions at the top of a share as seen
> from a Windows 10 client.
>
> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
> one AD controller and one file server.
>
> The top directory of our main share on the file server has, on the Linux
> level, these permissions reported by getfacl:
> # file: ...
> # owner: root
> # group: domain\040users
> # flags: ---
> user::rwx
> group::r-x
> other::---
>
> i.e. there are no rights for "other" and no default entries in the Posix
> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
>
> getfattr -d -e hex -m - ...
> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
> "user.SAMBA_PAI="
>
> The Windows security editor, however, has two entries for "Everyone":
> Allow Everyone None 'This folder only'
> Allow Everyone Special 'Subfolders and files only', the special rights
> being read permission.
>
> I am wondering where the read permission for 'Subfolders and files only'
> comes from as there is no trace of this on the Linux side.
>
> Thanks, Peter
>

Have you tried:

getfattr -n security.NTACL -d /the/top/directory

You have to explicitly ask for it.

Unfortunately, you will not understand the output, so try this as well:

samba-tool ntacl get /the/top/directory --as-sddl

Rowland

On 2019-08-26 at 16:35, Rowland Penny via samba wrote:
> On 26/08/2019 15:20, Peter Rindfuss via samba wrote:
>> Hi,
>>
>> I have a question regarding permissions at the top of a share as seen
>> from a Windows 10 client.
>>
>> We are using Samba 4.10.6-Debian (van Belle) on Debian 10 (Buster) with
>> one AD controller and one file server.
>>
>> The top directory of our main share on the file server has, on the Linux
>> level, these permissions reported by getfacl:
>> # file: ...
>> # owner: root
>> # group: domain\040users
>> # flags: ---
>> user::rwx
>> group::r-x
>> other::---
>>
>> i.e. there are no rights for "other" and no default entries in the Posix
>> ACL (i.e. there is no Posix ACL at all, just plain Linux permissions)
>>
>> getfattr -d -e hex -m - ...
>> shows user.DOSATTRIB="<something>", but no "security.NTACL=" and no
>> "user.SAMBA_PAI="
>>
>> The Windows security editor, however, has two entries for "Everyone":
>> Allow Everyone None 'This folder only'
>> Allow Everyone Special 'Subfolders and files only', the special rights
>> being read permission.
>>
>> I am wondering where the read permission for 'Subfolders and files only'
>> comes from as there is no trace of this on the Linux side.
>>
>> Thanks, Peter
>>
> Have you tried: getfattr -n security.NTACL -d /the/top/directory
>
> You have to explicitly ask for it.
>
> Unfortunately, you will not understand the output, so try this as well:
>
> samba-tool ntacl get /the/top/directory --as-sddl
>
> Rowland
>

Thanks for your reply.

The getfattr -d -e hex -m - (note the minus sign after the -m) does retrieve all existing attributes, including security.NTACL. It is simply not there at the share's top level. It is there for the subdirectories.

getfattr -n security.NTACL -d /the/top/directory
says
/the/top/directory: security.NTACL: No such attribute

samba-tool ntacl returns
O:S-1-22-1-0G:DUD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;DU)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

which is probably what I see in the Windows security tab. But what is this derived from?

Peter
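
The following is an added example, not part of the thread and not Samba's own code: it decodes the SDDL string from the last message so the two "Everyone" entries seen in the Windows security editor can be matched to their ACEs. It assumes hex access masks as in this output; the alias table, right names and "Applies to" labels are filled in only for what appears here.

```python
import re

# SDDL string quoted in the thread (samba-tool ntacl get ... --as-sddl)
SDDL = ("O:S-1-22-1-0G:DUD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;DU)"
        "(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
        "(A;OICIIO;0x001200a9;;;WD)")

SID_ALIASES = {"WD": "Everyone", "CO": "CREATOR OWNER",
               "CG": "CREATOR GROUP", "DU": "Domain Users"}
# File/directory access-mask bits (Windows FILE_* and standard rights)
RIGHTS = [(0x1, "ReadData/ListDir"), (0x2, "WriteData"), (0x4, "AppendData"),
          (0x8, "ReadEA"), (0x10, "WriteEA"), (0x20, "Execute/Traverse"),
          (0x40, "DeleteChild"), (0x80, "ReadAttributes"),
          (0x100, "WriteAttributes"), (0x10000, "Delete"),
          (0x20000, "ReadControl"), (0x40000, "WriteDAC"),
          (0x80000, "WriteOwner"), (0x100000, "Synchronize")]
# (object-inherit, container-inherit, inherit-only) -> "Applies to" label
SCOPES = {(False, False, False): "This folder only",
          (True, True, False): "This folder, subfolders and files",
          (False, True, False): "This folder and subfolders",
          (True, False, False): "This folder and files",
          (True, True, True): "Subfolders and files only",
          (False, True, True): "Subfolders only",
          (True, False, True): "Files only"}

def trustee(sid):
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)  # Samba's Unix user/group SIDs
    if m:
        return f"Unix {'user uid' if m.group(1) == '1' else 'group gid'} {m.group(2)}"
    return SID_ALIASES.get(sid, sid)

def decode_dacl(sddl):
    """Return (type, trustee, applies-to, mask, [right names]) per DACL ACE."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    out = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _obj, _inh_obj, sid = ace.split(";")
        fl = set(re.findall("..", flags))
        if rights and not rights.startswith("0x"):
            raise ValueError("only hex masks handled: " + rights)
        mask = int(rights, 16) if rights else 0  # empty field = no rights
        scope = SCOPES.get(("OI" in fl, "CI" in fl, "IO" in fl), "Nothing")
        out.append((ace_type, trustee(sid), scope, mask,
                    [name for bit, name in RIGHTS if mask & bit]))
    return out

if __name__ == "__main__":
    for t, who, scope, mask, names in decode_dacl(SDDL):
        print(f"{t} {who:16} {scope:26} {mask:#010x} {', '.join(names) or 'None'}")
```

The third ACE, `(A;;;;;WD)`, is the "Everyone / None / This folder only" row, and the last ACE, `(A;OICIIO;0x001200a9;;;WD)`, is the "Everyone / Special / Subfolders and files only" row carrying read and traverse rights.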