火星人 @ 2014-03-12 , reply:0


Viewing and changing UNIX permissions using the NT security dialogs in Samba


Jeremy Allison, Samba Team

12th April 1999



Viewing and changing UNIX permissions using the NT security dialogs


New in the Samba 2.0.4 release is the ability for Windows NT clients to use
their native security settings dialog box to view and modify the underlying
UNIX permissions.


Note that this ability is careful not to compromise the security of the UNIX
host Samba is running on, and still obeys all the file permission rules that
a Samba administrator can set.


In Samba 2.0.4 and above the default value of the parameter "nt acl support"
has been changed from "false" to "true", so manipulation of permissions is
turned on by default.


How to view file security on a Samba share


From an NT 4.0 client, single-click with the right mouse button on any file
or directory in a Samba mounted drive letter or UNC path. When the menu
pops up, click on the Properties entry at the bottom of the menu. This brings
up the normal file properties dialog box, but with Samba 2.0.4 this will have
a new tab along the top marked Security. Click on this tab and you will see
three buttons: Permissions, Auditing, and Ownership. If the user is not the
NT Administrator, the Auditing button will cause an error message, "A
requested privilege is not held by the client", to appear. If the user is
logged on as the NT Administrator, it brings up a dialog which is intended to
allow an Administrator to add auditing requirements to a file. This dialog is
non-functional with a Samba share at this time, as the only useful button,
the Add button, will not currently allow a list of users to be seen.


Viewing file ownership


Clicking on the "Ownership" button brings up a dialog box telling you who
owns the given file. The owner name will be of the form:


"SERVER\user (Long name)"

Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the descriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database). Click on the Close button to remove this dialog.


If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone".


The Take Ownership button will not allow you to change the ownership of this
file to yourself (clicking on it will display a dialog box complaining that
the user you are currently logged onto the NT client as cannot be found). The
reason for this is that changing the ownership of a file is a privileged
operation in UNIX, available only to the root user. As clicking on this
button causes NT to attempt to change the ownership of a file to the current
user logged into the NT client, this will not work with Samba at this time.


There is an NT chown command that will work with Samba and allow a user with
Administrator privilege connected to a Samba 2.0.4 server as root to change
the ownership of files on either a local NTFS filesystem or a remote mounted
NTFS or Samba drive. This is available as part of the Seclib NT security
library written by Jeremy Allison of the Samba Team, available from the main
Samba ftp site.


Viewing file or directory permissions


The third button is the "Permissions" button. Clicking on this brings up a
dialog box that shows both the permissions and the UNIX owner of the file or
directory. The owner is displayed in the form:


"SERVER\user (Long name)"

Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the descriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database).

If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone" and the permissions will be shown as NT
"Full Control".


The permissions field is displayed differently for files and directories, so
I'll describe the way file permissions are displayed first.


File Permissions


The standard UNIX user/group/world triple and the corresponding "read",
"write", "execute" permissions triples are mapped by Samba into a three
element NT ACL with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into the global NT
group Everyone, followed by the list of permissions allowed for UNIX world.
The UNIX owner and group permissions are displayed as an NT user icon and an
NT local group icon respectively, followed by the list of permissions allowed
for the UNIX user and group.


As many UNIX permission sets don't map into common NT names such as "read",
"change" or "full control", the permissions will usually be prefixed by
the words "Special Access" in the NT display list.


But what happens if the file has no permissions allowed for a particular UNIX
user, group or world component? In order to allow "no permissions" to be seen
and modified, Samba overloads the NT "Take Ownership" ACL attribute
(which has no meaning in UNIX) and reports a component with no permissions as
having the NT "O" bit set. This was chosen of course to make it look like a
zero, meaning zero permissions. More details on the decision behind this will
be given below.


Directory Permissions


Directories on an NT NTFS file system have two different sets of permissions.
The first set of permissions is the ACL set on the directory itself; this is
usually displayed in the first set of parentheses in the normal "RW" NT
style. This first set of permissions is created by Samba in exactly the same
way as the normal file permissions described above, and is displayed in the
same way.


The second set of directory permissions has no real meaning in the UNIX
permissions world and represents the "inherited" permissions that any file
created within this directory would inherit.



Samba synthesises these inherited permissions for NT by returning as an NT
ACL the UNIX permission mode that a new file created by Samba on this share
would receive.
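
The mapping described in the File Permissions and Directory Permissions sections, as an added example that is not Samba's own code. The function names, the entry order, the bare group name and the sample names (SERVER, alice, staff) are assumptions; the mode a new file would receive is passed in by the caller rather than derived from share settings.

```python
import stat

def triple_to_nt(bits):
    """Map one UNIX rwx triple (0-7) to the NT permission letters."""
    letters = "".join(ch for mask, ch in ((4, "R"), (2, "W"), (1, "X")) if bits & mask)
    # An empty triple is reported with the overloaded Take Ownership "O" bit.
    return letters or "O"

def mode_to_acl(mode, server, owner, group):
    """Return the three-element ACL for a file as (principal, kind, letters)."""
    perms = stat.S_IMODE(mode)  # drop the file-type bits, keep permissions
    return [
        (f"{server}\\{owner}", "NT user", triple_to_nt((perms >> 6) & 7)),
        (group, "NT local group", triple_to_nt((perms >> 3) & 7)),
        ("Everyone", "NT global group", triple_to_nt(perms & 7)),
    ]

def directory_acl(dir_mode, new_file_mode, server, owner, group):
    """Pair the directory's own set with the synthesised inherited set."""
    own = mode_to_acl(dir_mode, server, owner, group)
    inherited = mode_to_acl(new_file_mode, server, owner, group)
    # First parentheses: the directory itself. Second: what a new file would get.
    return [(name, kind, f"({d})({i})")
            for (name, kind, d), (_, _, i) in zip(own, inherited)]

if __name__ == "__main__":
    # Constructed sample values: SERVER, alice and staff are placeholders.
    for entry in mode_to_acl(0o100640, "SERVER", "alice", "staff"):
        print(entry)
    for entry in directory_acl(0o040750, 0o644, "SERVER", "alice", "staff"):
        print(entry)
```

A mode of 0640 shows Everyone with "O" rather than an absent entry, which is what lets an administrator confirm from the NT dialog that world access really is zero.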


Modifying file or directory permissions
