Change Windows ACLs of SMB Samba Shares - directly in linux

linux samba network-share access-control-list
11,794

If you're running Samba 4, the commands samba-tool ntacl could certainly do it.

Unfortunately it's quite hard to find detailed doc on how to use this command to set ACLs:

#samba-tool ntacl set -h
Usage: samba-tool ntacl set <acl> <file> [options]

Set ACLs on a file.


Options:
  -h, --help            show this help message and exit
  --quiet               Be quiet
  --xattr-backend=XATTR_BACKEND
                        xattr backend type (native fs or tdb)
  --eadb-file=EADB_FILE
                        Name of the tdb file where attributes are stored
  --use-ntvfs           Set the ACLs directly to the TDB or xattr for use with
                        the ntvfs file server
  --use-s3fs            Set the ACLs for use with the default s3fs file server
                        via the VFS layer
  --service=SERVICE     Name of the smb.conf service to use when applying the
                        ACLs

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
    --ipaddress=IPADDRESS
                        IP address of server
    -P, --machine-pass  Use stored machine account password

  Version Options:
    -V, --version       Display version number

I would suggest you this procedure:

# 1)
# In Windows
# Go to one shared folder/file and change the permissions as desired

#2)
# In Linux
# Get infos of the ACLs of the directory/file you just set up in SDDL format

#samba-tool ntacl get --as-sddl /path/to/my/share
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

#3)
# Use the SDDL parameter to change all the files you want with same ACL

# samba-tool ntacl set "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" /path/to/other/files

Detail:

samba-tool ntacl get --as-sddl [file/directory]

will get ACLs infos in SDDL format. More on SDDL here

samba-tool ntacl set "[SDDL string]" [file/directory]

will apply specified ACL on the file/folder

The solution is not perfect tough it could help you.

About samba-tool commands: https://www.samba.org/samba/docs/man/manpages-3/samba-tool.8.html

A related issue on Samba mail lists: https://lists.samba.org/archive/samba-technical/2011-October/079820.html

Share:
11,794

Related videos on Youtube

MiKi
Author by

MiKi

Updated on September 18, 2022

Comments

  • MiKi
    MiKi over 1 year

    Is there a way to set the Windows ACLs from files and folders of an Samba Share directly through Linux itself?

    I know there is the option setfacl/getfacl but they can only change between: - DENY | READ-ONLY | FULL-Control - if I got this right.

    But I need for a Windows Security Group modify rights. And that recursively to all following directories. If I would change this from windows directly through an SMB connection this would take hours and days because of the mass of files. Is there a way to do this or is it still not possible? I know the information is stored anywhere in the share cause I can copy files in Linux to the share folder and they get automatically the previously chosen modify rights.

    To avoid the change of settings through SMB, I out copy the files from the share. Delete all files in the share and change the permissions from windows on the share.

    Actually this is how I proceeding so far:

In Linux:

1. I copy files and folders from the share folder to a separate location.
2. I delete all stuff in the share folder.

In Windows:

3. Then accessing the empty share folder through SMB.
4. From here I can change recursively the permissions for access groups to apply "modify" permissions.


Back in Linux:

5. Now I can copy the files and folders back into the share folder to set the permissions.

    -> The files got through the copy process the new permissions.

  • Craig Tullis
    Craig Tullis over 5 years
    That's just nasty... haha ;-)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Samba: connecting to a DFS share using smbclient
I can connect to Samba server but cannot access shares.
Why do Linux networks use Samba?
Mount Windows public share on Linux without username & password
How to get user password expiration date from Active Directory?
Using Git with a Samba shared folder
Samba file sharing on Ubuntu doesn't mask or force permissions for new files
smbclient tree connect failed nt_status_bad_network_name when folder exists
How to share folders b/n VirtualBox and Win 7 using NAT adapter and Samba
Change group permissions on linux shared folder