Interesting thread in samba mailing list regarding permissions

Status
Not open for further replies.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Interesting take-away from random mailing list reading this morning:
Let's use the term access rights for a moment, to make sure that these
points are absolutely clear:

If the files on the server are mainly accessed through Samba, then it is
usually better to use Windows to set all access rights. Samba will in
this case adjust the Linux access rights such that they match the
Windows access rights as closely as possible. In this case you do not
need to care about Linux acls, just make sure that the file system
supports them (and user-attrs), because Samba needs them.

If access rights have been set from Windows, you should never try to use
Linux to set different access rights for Linux users. Every modification
done from Linux will erase the access rights that were set for this file
or directory from Windows, even flipping just one bit, even changing the
owner.

Alternatively you can set all access rights in Linux. In this case you
should use the samba option to disable the permissions tab in windows
explorer. And you should learn Linux acls, because they are much more
flexible than the old chmod bits for user-group-all. Linux uses acls in
addition to the old permissions bits.

The most irritating aspect of Linux-acls is that the bits shown by the
"ls"-command for the group are replaced by the ones for acl-mask. This
mask is a filter for all acl-rights. The group bits are still there, and
in action, but "ls" cannot see them, and "chmod" cannot access them. The
reason for this construct is that historically the usual method to
temporarily lock everybody out of a directory is to clear the group
bits. Redirecting group bit access to the acl-mask ensures that also all
people are locked out who got access through an acl. Restoring the
acl-mask also reactivates all acl-rights.

Disturbing is the fact that one cannot simply do everything with
Linux-acls, because there are always also the access rights of the
owner. They are honoured before checking the acls. I do not know what to
do if a user switches to a different team, and should lose the access
rights to the old files. Windows does also know the concept of owner,
and special permissions for that user, but such permissions are usually
not set, and need not be set.

hope this helps,
Klaus

https://marc.info/?l=samba&m=143172764302830&w=2

It's nice to see that FreeNAS users aren't the only ones with permissions problems. Working with samba has been a source of many deep sighs and face-palms, with an occasional "Oh God, why???"
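
An added illustration, not part of the post above or of the quoted mailing-list message: a small Python model of the POSIX ACL access check, in the order documented in acl(5), showing the mask behaviour and the owner precedence the quoted message describes. The users, groups and ACL entries are constructed sample data, and the function names are hypothetical.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1

@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int   # user::   (owner)
    group_obj: int  # group::  (owning group)
    other: int      # other::
    mask: int       # mask::   (filters group:: and every named entry)
    users: dict = field(default_factory=dict)   # user:NAME:
    groups: dict = field(default_factory=dict)  # group:NAME:

def rwx(bits):
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (R, W, X)))

def ls_mode(acl):
    """Permission string as ls prints it: the middle triplet is the mask."""
    return rwx(acl.user_obj) + rwx(acl.mask) + rwx(acl.other)

def chmod_group(acl, bits):
    """With an extended ACL present, chmod g=... rewrites the mask only."""
    acl.mask = bits

def allowed(acl, user, user_groups, want):
    """Access check in the order described in acl(5)."""
    if user == acl.owner:        # owner entry is used first, unmasked
        return (acl.user_obj & want) == want
    if user in acl.users:        # named user entry, filtered by the mask
        return (acl.users[user] & acl.mask & want) == want
    matched = [acl.group_obj] if acl.group in user_groups else []
    matched += [p for g, p in acl.groups.items() if g in user_groups]
    if matched:                  # one matching group entry must grant it all
        return any((p & acl.mask & want) == want for p in matched)
    return (acl.other & want) == want

def sample_acl():
    # Constructed sample: owner alice, owning group staff has read only.
    return Acl("alice", "staff", R | W, R, 0, R | W,
               users={"bob": R | W}, groups={"team": R | W})
```

With the sample ACL, `ls_mode` reports `rw-rw----` although `group::` is only `r--`; clearing the mask through `chmod_group` locks out bob and the team group while alice, as owner, keeps her access.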

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I don't look at the source code that often. :D

Neither do I, but I don't enjoy thinking "Is this really valid C?" when looking at the software stack that transmits my data to/from the server.