I have a Debian 8 with Samba 4 as a AD domain member. The DC is Windows Server 2008. The shares are able to handle Windows permissions - I use IDMAP backend = rid, since I cannot add uidNumber and gidNumber to AD account record.
I can display and set ACL permissions with getfacl
and setfacl
, but the R-W-X settings cannot set fine-grade Windows permissions (take ownership, read attributes, set permissions, full control...)
So, is there a possibility to manage (or at least show) advanced Windows permissions of shared file/folder from Linux?
The point is, I would like to make a script, which periodically checks all shared files, if they have the permissions I would like to have them. And alert, if something is wrong, so it would be some type of live documentation check of desired privileges.
Eventually found out myself.
The Windows permissions are stored in "Extended attributes". The raw data of these attributes can be displayed by
xattr
from Debian packagepython-xattr
:xattr -l <local_path>
To display and manipulate these permissions, you can use
smbcacls
from Debian packagesmbclient
:smbcacls //localhost/share <path_within_share>
In the output of the command above, there are some cryptic values like CI,OI,I,FULL,... Great explanation of these values is here: https://lists.samba.org/archive/samba-technical/2010-June/071390.html