Control Windows permissions on Samba share from linux

active-directorypermissionssamba4

I have a Debian 8 with Samba 4 as a AD domain member. The DC is Windows Server 2008. The shares are able to handle Windows permissions – I use IDMAP backend = rid, since I cannot add uidNumber and gidNumber to AD account record.

I can display and set ACL permissions with getfacl and setfacl, but the R-W-X settings cannot set fine-grade Windows permissions (take ownership, read attributes, set permissions, full control…)

So, is there a possibility to manage (or at least show) advanced Windows permissions of shared file/folder from Linux?

The point is, I would like to make a script, which periodically checks all shared files, if they have the permissions I would like to have them. And alert, if something is wrong, so it would be some type of live documentation check of desired privileges.

Best Answer

Eventually found out myself.

The Windows permissions are stored in "Extended attributes". The raw data of these attributes can be displayed by xattr from Debian package python-xattr:

xattr -l <local_path>

To display and manipulate these permissions, you can use smbcacls from Debian package smbclient:

smbcacls //localhost/share <path_within_share>

In the output of the command above, there are some cryptic values like CI,OI,I,FULL,... Great explanation of these values is here: https://lists.samba.org/archive/samba-technical/2010-June/071390.html

Related Solutions

Specify default group and permissions for new files in a certain directory

In order to have all files under a given directory inherit group rights, you need to use the setgid bit on your directory. See this link.

 $ mkdir test
 $ sudo chown raphink.staff test
 $ ls -lhd test
     drwxr-xr-x 2 raphink staff 4.0K 2009-12-21 16:19 test
 $ sudo chmod g+s test # Set the setgid bit
 $ ls -lhd test
     drwxr-sr-x 2 raphink staff 4.0K 2009-12-21 16:21 test
 $ touch test/foo
 $ ls -lh test
     total 0
     -rw-r--r-- 1 raphink staff 0 2009-12-21 16:23 foo

Samba Share – Granting Samba Share Permission to AD Computer Accounts

Unfortunately permissions to a share cannot be granted to a computer account; only users. Yes, it looks like you should be able to do that, and the OS allows you to make the entry, but it doesn't actually work like you'd expect.

One way to get around this is, for instance if you're running a script as a scheduled task, is to mount network drive as a specific user who has access to that share, like so:

net use * \\server\share /user:DOMAIN\username

this will use the first-available drive letter (starting at Z: and going backward from XP/2003 on, but starting at the beginning in Win2k).

You can also specify a drive letter as long as it's not in use:

net use u: \\server\share /user:DOMAIN\username

When complete, don't forget to unmount the share with:

net use u: /d

(Note that you can of course test for the presense of the drive's use, or just drop the mount before mounting it, but I leave that to you.)

Best Answer

Related Solutions

Specify default group and permissions for new files in a certain directory

Samba Share – Granting Samba Share Permission to AD Computer Accounts

Related Topic