I'm exploring Samba on Linux for SMB shares and so far, I've managed to set up local shares successfully with write lists and user/group permissions. Now, I'm looking to tackle a more complex system linked to a remote Active Directory server. Everything is mostly functioning, but I'm struggling with the permissions. From my research, I noticed that a similar Unraid server utilizes POSIX ACLs for permissions, without mentioning Samba's acl_xattr VFS extensions. It seems to use ACLs directly on the XFS filesystem.
This raises my question: Should I stick with Samba as a bridge for Windows to POSIX ACLs, or should I also or alternatively use Samba's extended attribute-based ACLs? While I have a good grasp of filesystems, I recognize there are some areas where I lack knowledge and I'm trying to find the best way to manage these permissions effectively.
Edit:
Upon further testing, it appears that Unraid defaults to using Samba's built-in mapping of POSIX permissions. While this is simpler via setfacl, it doesn't fully align with Windows ACL needs, particularly when it comes to complex permissions like traverse and execute without read permissions. Ultimately, it seems to depend on your specific setup: POSIX ACLs are easier but have limitations compared to Windows ACLs.
1 Answer
If you don't plan to allow users to access files directly through SSH aside from Samba, I’d suggest setting "acl_xattr:ignore system acls = yes". This keeps Samba from trying to convert between Linux and NT security formats, which can be a headache. You can find more on this in the Samba documentation and on their wiki, which outlines the setup quite well.
Thanks, that makes a lot of sense! I’ll definitely give this a shot. Just curious though, what would the underlying permissions look like? Like, if someone uploads a file, how would it show up with 'ls -l'? I’ll test it out!
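The setting suggested in the answer, shown in a share definition as an added example that is not part of the original thread. The share name `projects` and the path `/srv/samba/projects` are hypothetical; the parameters are those documented in vfs_acl_xattr(8) and smb.conf(5).

```ini
# Constructed example: share name and path are hypothetical.
[global]
    # Store the NT security descriptor in the security.NTACL
    # extended attribute of each file and directory.
    vfs objects = acl_xattr
    map acl inherit = yes

[projects]
    path = /srv/samba/projects
    read only = no

    # Default behaviour (no): Samba sets and evaluates both the
    # POSIX ACLs and the NT ACL, so local shell or NFS access to the
    # same files sees matching permissions.
    # acl_xattr:ignore system acls = no

    # SMB-only access: skip the best-effort POSIX mapping and rely on
    # the NT ACL alone. Per vfs_acl_xattr(8) this also enforces:
    #   create mask = 0666
    #   directory mask = 0777
    #   map archive = no, map hidden = no
    #   map readonly = no, map system = no
    #   store dos attributes = yes
    # The NT ACL is evaluated only by smbd, so any non-SMB path to
    # these files (SSH, NFS) is governed by the POSIX mode bits alone.
    acl_xattr:ignore system acls = yes
```

After a client writes a file, `getfattr -n security.NTACL` on it shows that the descriptor is stored, and `samba-tool ntacl get --as-sddl` prints it in readable form.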