samba:linux-acls

Please read this article in full to understand why these settings alone are insufficient to properly manage a Linux Samba server. Consider using the acl_xattr module, because Linux ACLs alone cannot capture the complexity of Windows ACLs.

Access Control Lists (ACLs) in Linux provide a more fine-grained permission mechanism compared to the traditional Unix file permissions. ACLs allow you to set different permissions for different users or groups for a single file or directory.

Using ACLs, you can manage permissions in a more flexible way, catering to specific needs of different users and groups without changing the traditional file permission scheme.

Ensure your filesystem supports POSIX ACLs. Common filesystems like ext4, xfs, and btrfs support ACLs.

Linux ACLs remain a robust and critical component of permission management on Linux systems, even though they are based on an unfinished POSIX draft. They provide essential features for managing permissions in environments where traditional Unix permissions are insufficient. Administrators should be aware of their capabilities and limitations to implement and manage them effectively.

To view the ACLs of a file or directory, use the getfacl command:

getfacl filename

To set ACLs, use the setfacl command.

Grant a user read permission on a file:

setfacl -m u:username:r filename

Grant a group write permission on a file:

setfacl -m g:groupname:w filename

Grant a user full permissions on a directory (including subdirectories):

setfacl -R -m u:username:rwx directory_name

Remove a specific ACL entry for a user:

setfacl -x u:username filename

Default ACLs apply to directories and are inherited by new files and subdirectories. To set default ACLs:

Set a default ACL for a directory:

setfacl -d -m u:username:rwx directory_name

Set default ACLs for a group:

setfacl -d -m g:groupname:rwx directory_name

Removing ACLs

To remove all ACL entries from a file or directory:

setfacl -b filename

To remove default ACL entries:

setfacl -k directory_name
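One check worth running after the setfacl commands above: a named entry is only as permissive as the mask entry allows, and although setfacl recomputes the mask, a later chmod on the group bits rewrites it, so getfacl then annotates the entry with "#effective:". The script below is an added example, not from the original page; it reads getfacl output and reports every entry the mask clips. The getfacl dump it processes is constructed.

```sh
#!/bin/sh
# Added example, not from the original page. Reads `getfacl` output and shows,
# per named user/group entry and the owning group, the permission actually
# granted once the mask entry is applied. The sample below is constructed.

# Constructed getfacl output: bob was given rwx and finance rw-, but the mask
# (which chmod rewrites through the group bits) is r-x, so both are clipped.
SAMPLE_ACL='# file: share/report.docx
# owner: alice
# group: staff
user::rw-
user:bob:rwx            #effective:r-x
group::r--
group:finance:rw-       #effective:r--
mask::r-x
other::---'

# Print "<entry> requested=<perm> effective=<perm>" for every masked entry.
acl_effective() {
    awk -F: '
        { sub(/[[:space:]]+#.*$/, "") }          # drop the "#effective:" note getfacl appends
        /^#/ || NF < 3 { next }                   # skip header comments and blank lines
        $1 == "mask" { mask = $3; next }          # the mask caps named entries and the owning group
        ($1 == "user" && $2 != "") || $1 == "group" { entry[n++] = $0 }   # owner and other are never masked
        END {
            for (i = 0; i < n; i++) {
                split(entry[i], f, ":"); perm = f[3]; eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm, j, 1)
                    # a bit is effective only when set in both the entry and the mask
                    bit = (mask == "" || substr(mask, j, 1) == c) ? c : "-"
                    eff = eff bit
                }
                print entry[i] " requested=" perm " effective=" eff
            }
        }'
}

# Keep only the entries whose effective permission is narrower than requested.
acl_clipped() {
    acl_effective | awk '{ split($2, a, "="); split($3, b, "="); if (a[2] != b[2]) print }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_clipped
```

On a live system, run `getfacl directory_name | acl_clipped` after setting ACLs; a non-empty result means the mask, not the entry, decides what the user gets.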

Using Samba with Linux ACLs only

Windows NT ACLs are integral to the NTFS file system and offer a very detailed control mechanism over file and directory permissions. They allow you to specify permissions like read, write, execute, delete, change ownership, and change permissions. One of the unique features of Windows NT ACLs is the ability to have “deny” permissions, which can explicitly override “allow” permissions.

Linux POSIX ACLs, on the other hand, are based on an unfinished POSIX draft standard and provide a simpler model. They primarily offer basic permissions: read, write, and execute. Linux ACLs are less granular compared to Windows NT ACLs. The inheritance model in Linux ACLs is also less flexible.

When Samba is used to share files between Linux and Windows systems, it needs to translate the complex Windows ACLs into the simpler Linux model. Some challenges arise from this mapping process. For instance, some Windows permissions, such as those for changing ownership or permissions, do not have direct equivalents in Linux ACLs. The “deny” entries in Windows ACLs are difficult to represent in Linux because Linux ACLs do not support a direct “deny” capability. Samba attempts to map Windows permissions to the closest equivalent in Linux ACLs. However, a complex set of Windows permissions might be simplified to basic read, write, and execute permissions in Linux.

The limited inheritance support in Linux ACLs also presents a challenge. While Linux ACLs support default ACLs on directories, these only apply to new files and subdirectories. This does not fully replicate the complex inheritance rules possible with NT ACLs.

When precise permission mapping is crucial, consider using Samba with the acl_xattr module, which can store Windows ACLs as extended attributes.

Samba configuration

To enable ACL handling, set the following options in the [global] section or in a specific share section of your smb.conf. The relevant options are:

The map acl inherit = yes option ensures that Samba respects and mimics the inheritance behavior of Windows NT ACLs when files and directories are created or modified on a Samba share. This setting allows Samba to more closely replicate the permission inheritance model used by Windows systems.

map acl inherit = yes

The inherit acls = yes setting instructs Samba to automatically inherit the ACLs of the parent directory when creating new files and directories within a share. This behavior is similar to the permission inheritance found in Windows file systems, where child objects (files and directories) automatically inherit permissions from their parent directories.

inherit acls = yes

The acl group control = yes setting allows Samba to provide more granular control over group permissions within a shared directory. It enables Samba to respect group-based ACL entries and control access based on group memberships more effectively.

acl group control = yes

The acl allow execute always = yes option controls the execute permission behavior for files shared via Samba. This setting matters in environments where files need to be executable by default, even if they lack the traditional execute permission bits in their POSIX ACLs.

acl allow execute always = yes
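Because each of these options can be set in [global] and overridden per share, it is easy to believe a share inherits ACL handling it does not actually have. The script below is an added example, not from the original page or the Samba project; it resolves the four options above plus vfs objects for one share (share section first, then [global], otherwise unset) and warns when acl_xattr is not loaded for that share. The smb.conf it parses is constructed.

```sh
#!/bin/sh
# Added example, not from the original page or the Samba project. Resolves the
# ACL-related smb.conf options for one share (share section overrides [global],
# otherwise unset) and warns when the share runs without acl_xattr. Constructed config.

SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   map acl inherit = yes
   inherit acls = yes

[finance]
   path = /srv/samba/finance
   read only = no
   ; a share-level setting overrides [global]
   map acl inherit = no

[archive]
   path = /srv/samba/archive
   vfs objects = acl_xattr
   acl group control = yes'

# usage: smb_acl_settings <share> < smb.conf
smb_acl_settings() {
    awk -v share="$1" '
        /^[[:space:]]*[;#]/ { next }                                  # comment lines
        { gsub(/^[[:space:]]+|[[:space:]]+$/, "") }                    # trim surrounding whitespace
        $0 == "" { next }
        /^\[.*\]$/ { sec = tolower(substr($0, 2, length($0) - 2)); next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[[:space:]]+/, " ", key); sub(/ $/, "", key)
            val = substr($0, eq + 1); sub(/^[[:space:]]+/, "", val)
            conf[sec, key] = val                                       # last assignment wins
        }
        END {
            n = split("vfs objects|map acl inherit|inherit acls|acl group control|acl allow execute always", keys, "|")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if ((share, k) in conf)         { v = conf[share, k]; src = "share" }
                else if (("global", k) in conf) { v = conf["global", k]; src = "global" }
                else                            { v = "unset"; src = "default" }
                print k " = " v " (" src ")"
                if (k == "vfs objects" && v !~ /acl_xattr/)
                    print "WARNING: acl_xattr not loaded; Windows ACLs are reduced to POSIX ACLs"
            }
        }'
}

printf '%s\n' "$SAMPLE_SMB_CONF" | smb_acl_settings finance
```

On a real server, `smb_acl_settings sharename < /etc/samba/smb.conf` gives the same report; the four options all default to no in Samba when unset.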


samba/linux-acls.txt · Last modified: by caponato