
Viewing and changing UNIX permissions using the NT security dialogs in Samba


Jeremy Allison, Samba Team

12th April 1999



New in the Samba 2.0.4 release is the ability for Windows NT clients to use
their native security settings dialog box to view and modify the underlying
UNIX permissions.

Note that this ability is careful not to compromise the security of the UNIX
host Samba is running on, and still obeys all the file permission rules that
a Samba administrator can set.


In Samba 2.0.4 and above the default value of the parameter "nt acl support"
has been changed from "false" to "true", so manipulation of permissions is
turned on by default.

How to view file security on a Samba share


From an NT 4.0 client, single-click with the right mouse button on any file
or directory in a Samba mounted drive letter or UNC path. When the menu
pops up, click on the Properties entry at the bottom of the menu. This brings
up the normal file properties dialog box, but with Samba 2.0.4 this will have
a new tab along the top marked Security. Click on this tab and you will see
three buttons: Permissions, Auditing, and Ownership. If the user is not the
NT Administrator, the Auditing button will cause the error message "A
requested privilege is not held by the client" to appear. If the user is
logged on as the NT Administrator, it brings up a dialog which is intended to
allow an Administrator to add auditing requirements to a file. This dialog is
non-functional with a Samba share at this time, as the only useful button,
the Add button, will not currently allow a list of users to be seen.

Viewing file ownership


Clicking on the "Ownership" button brings up a dialog box telling you who
owns the given file. The owner name will be of the form :


"SERVER\user (Long name)"

Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the descriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database). Click on the Close button to remove this dialog.


If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone".

The Take Ownership button will not allow you to change the ownership of this
file to yourself (clicking on it will display a dialog box complaining that
the user you are currently logged onto the NT client cannot be found). The
reason for this is that changing the ownership of a file is a privileged
operation in UNIX, available only to the root user. As clicking on this
button causes NT to attempt to change the ownership of a file to the current
user logged into the NT client, this will not work with Samba at this time.

There is an NT chown command that will work with Samba and allow a user with
Administrator privilege connected to a Samba 2.0.4 server as root to change
the ownership of files on either a local NTFS filesystem or a remote mounted
NTFS or Samba drive. This is available as part of the Seclib NT security
library written by Jeremy Allison of the Samba Team, available from the main
Samba ftp site.

Viewing file or directory permissions


The third button is the "Permissions" button. Clicking on this brings up a
dialog box that shows both the permissions and the UNIX owner of the file or
directory. The owner is displayed in the form :


"SERVER\user (Long name)"

Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the descriptive string
identifying the user (normally found in the GECOS field of the UNIX password


If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone" and the permissions will be shown as NT
"Full Control".

The permissions field is displayed differently for files and directories, so
I'll describe the way file permissions are displayed first.


File Permissions


The standard UNIX user/group/world triple and the corresponding "read",
"write", "execute" permissions triples are mapped by Samba into a three
element NT ACL with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into the global NT
group Everyone, followed by the list of permissions allowed for UNIX world.
The UNIX owner and group permissions are displayed as an NT user icon and an
NT local group icon respectively followed by the list of permissions allowed
for the UNIX user and group.


Because many UNIX permission sets don't map into common NT names such as
"read", "change" or "full control", the permissions will usually be prefixed
by the words "Special Access" in the NT display list.

But what happens if the file has no permissions allowed for a particular UNIX
user, group or world component? In order to allow "no permissions" to be seen
and modified, Samba overloads the NT "Take Ownership" ACL attribute
(which has no meaning in UNIX) and reports a component with no permissions as
having the NT "O" bit set. This was chosen of course to make it look like a
zero, meaning zero permissions. More details on the decision behind this will
be given below.
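
The mapping described in this section, written out as an added Python example (this is not Samba's own code). The trustee strings, the bare group name and the printed "Special Access (...)" layout are assumptions made for illustration; the inverse function and the Everyone-write check go slightly beyond the text to show that the "O" convention round-trips to zero permissions.

```python
import stat

# (letter, mask) pairs: UNIX r/w/x map to the NT letters R/W/X.
_BITS = (("R", 4), ("W", 2), ("X", 1))

def component_to_nt(bits):
    """Map one 3-bit rwx component to NT permission letters.

    An empty component is reported as "O" (the overloaded Take Ownership
    bit), as the text above describes.
    """
    return "".join(l for l, m in _BITS if bits & m) or "O"

def nt_to_component(letters):
    """Inverse mapping: "O" (or nothing) means zero permissions."""
    return sum(m for l, m in _BITS if l in letters.upper())

def mode_to_nt_acl(mode, owner, group, server="SERVER"):
    """Return the three-element ACL as (trustee, letters) pairs.

    Trustee strings are illustrative: the owner uses the SERVER\\user form
    from the Ownership dialog; the bare group name is an assumption.
    """
    perms = stat.S_IMODE(mode)
    return [
        ("Everyone", component_to_nt(perms & 0o7)),
        (f"{server}\\{owner}", component_to_nt((perms >> 6) & 0o7)),
        (group, component_to_nt((perms >> 3) & 0o7)),
    ]

def nt_acl_to_mode(acl):
    """Rebuild the UNIX mode from an ACL produced by mode_to_nt_acl()."""
    world, user, grp = (nt_to_component(letters) for _, letters in acl)
    return (user << 6) | (grp << 3) | world

def everyone_can_write(acl):
    """Audit helper: True if the Everyone entry carries the W bit."""
    return "W" in acl[0][1]

if __name__ == "__main__":
    # Constructed sample: rw-r----- owned by alice:staff.
    for trustee, letters in mode_to_nt_acl(0o100640, "alice", "staff"):
        print(f"{trustee:16} Special Access ({letters})")
```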

Directory Permissions


Directories on an NT NTFS file system have two different sets of permissions.
The first set of permissions is the ACL set on the directory itself; this is
usually displayed in the first set of parentheses in the normal "RW" NT
style. This first set of permissions is created by Samba in exactly the same
way as normal file permissions are, described above, and is displayed in the
same way.


The second set of directory permissions has no real meaning in the UNIX
permissions world and represents the "inherited" permissions that any file
created within this directory would inherit.



Samba synthesises these inherited permissions for NT by returning as an NT
ACL the UNIX permission mode that a new file created by Samba on this share
would receive.

Modifying file or directory permissions
