Change Windows ACLs of SMB Samba Shares - directly in linux
If you're running Samba 4, the commands samba-tool ntacl could certainly do it.
Unfortunately it's quite hard to find detailed doc on how to use this command to set ACLs:
#samba-tool ntacl set -h
Usage: samba-tool ntacl set <acl> <file> [options]
Set ACLs on a file.
Options:
-h, --help show this help message and exit
--quiet Be quiet
--xattr-backend=XATTR_BACKEND
xattr backend type (native fs or tdb)
--eadb-file=EADB_FILE
Name of the tdb file where attributes are stored
--use-ntvfs Set the ACLs directly to the TDB or xattr for use with
the ntvfs file server
--use-s3fs Set the ACLs for use with the default s3fs file server
via the VFS layer
--service=SERVICE Name of the smb.conf service to use when applying the
ACLs
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
-d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
debug level
--option=OPTION set smb.conf option from command line
--realm=REALM set the realm name
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
--ipaddress=IPADDRESS
IP address of server
-P, --machine-pass Use stored machine account password
Version Options:
-V, --version Display version number
I would suggest you this procedure:
# 1)
# In Windows
# Go to one shared folder/file and change the permissions as desired
#2)
# In Linux
# Get infos of the ACLs of the directory/file you just set up in SDDL format
#samba-tool ntacl get --as-sddl /path/to/my/share
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
#3)
# Use the SDDL parameter to change all the files you want with same ACL
# samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /path/to/other/files
Detail:
samba-tool ntacl get --as-sddl [file/directory]
will get ACLs infos in SDDL format. More on SDDL here
samba-tool ntacl set "[SDDL string]" [file/directory]
will apply specified ACL on the file/folder
The solution is not perfect tough it could help you.
About samba-tool commands: https://www.samba.org/samba/docs/man/manpages-3/samba-tool.8.html
A related issue on Samba mail lists: https://lists.samba.org/archive/samba-technical/2011-October/079820.html
Related videos on Youtube
MiKi
Updated on September 18, 2022Comments
-
MiKi over 1 year
Is there a way to set the Windows ACLs from files and folders of an Samba Share directly through Linux itself?
I know there is the option setfacl/getfacl but they can only change between: - DENY | READ-ONLY | FULL-Control - if I got this right.
But I need for a Windows Security Group modify rights. And that recursively to all following directories. If I would change this from windows directly through an SMB connection this would take hours and days because of the mass of files. Is there a way to do this or is it still not possible? I know the information is stored anywhere in the share cause I can copy files in Linux to the share folder and they get automatically the previously chosen modify rights.
To avoid the change of settings through SMB, I out copy the files from the share. Delete all files in the share and change the permissions from windows on the share.
Actually this is how I proceeding so far: In Linux: 1. I copy files and folders from the share folder to a separate location. 2. I delete all stuff in the share folder. In Windows: 3. Then accessing the empty share folder through SMB. 4. From here I can change recursively the permissions for access groups to apply "modify" permissions. Back in Linux: 5. Now I can copy the files and folders back into the share folder to set the permissions.
-> The files got through the copy process the new permissions.
-
Craig Tullis over 5 yearsThat's just nasty... haha ;-)