SMB does not present permissions on looped up raw disk image / backup of a Windows NTFS volume
I have a raw copy of a Windows NTFS volume on my Linux machine. When I loop it and share it out on a domain-joined Linux machine via Samba as follows:
[global]
workgroup = <my-domain>
realm = <my-domain.com>
server string = %h (backups)
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
restrict anonymous = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
allow insecure wide links = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
winbind enum users = Yes
winbind enum groups = Yes
idmap config * : range = 10000 - 20000
idmap config * : backend = tdb
map acl inherit = Yes
...
[TestShare]
path = /datto/mounts/TestShare
valid users = nobody
read only = No
create mask = 0755
force create mode = 0755
force directory mode = 0755
veto files = /lost+found/.locate.db
dfree command = /datto/bin/dfree-runner
There are no longer permissions associated with the block device (left -- right, original).
On the other hand, mounting an iSCSI target of that same volume shows the original permissions.
Is it possible to serve these original permissions / securities over SMB? If so, is there something I can add or modify in my configuration of this share?
linux windows permissions samba
asked Apr 27 at 18:36 by bd1251252 (edited Apr 28 at 18:27)
1 Answer
I'm not exactly sure why this happens, but NTFS permissions do not translate to *nix very well. I'm pretty sure that the on-disk permissions that NTFS (5.0) uses are MUCH more complicated than what SAMBA reads.
In my experience with connecting something like MacOS or BSD/FreeNAS to a device with NTFS on it, if you have a disk that has permissions applied that are for a non-domain joined computer and it is an OS disk, it will generally appear to work relatively normally (you can't get into C:\Users\%username% until you reset, but a folder on the C: root will have the permissions as 'Everyone').
If you have a computer that is domain joined, things get quite hairy. The extra SIDs that are domain\username likely require you to connect that *nix box to the LDAP service of the domain at a minimum. Even then, I have had trouble getting them to work smoothly.
I'm guessing from your screenshots that you don't have a domain there (computername\username) so your issue is likely pseudo-related to a need for an LDAP connection (SID syncing).
You could probably resolve this issue by either validating the permissions that are applied to the NTFS with a user that is synced to LDAP on your *nix box or standing up a Windows Server and connecting to that with LDAP or something like that. That is at least the path you want to drive down. =P
answered Apr 28 at 19:00 by thelanranger
My domain is bjd2385.com, so in the right window, such a user would be bjd2385\Administrator. Thanks for your reply!
– bd1251252, Apr 28 at 21:15
Ah, yes. If you're domain joined then your SID is not replicated to the disk with anything meaningful. It's just a SID. There are also much more complex permissions in NTFS than *nix can manage when you have a Windows domain. You need LDAP for syncing the SIDs and then you'll still want to actually SET the permissions on a box that is running Windows so that it propagates the permissions properly.
– thelanranger, Apr 29 at 0:03
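The "it's just a SID" point from the thread above, as an added example that is not part of the original posts: NTFS ACL entries hold binary SIDs, and only well-known ones such as Everyone can be named without asking the machine or domain that issued them. The SID bytes, the sub-authority values and the helper names below are constructed for illustration.

```python
import struct

# Well-known SIDs that any Windows or Samba host can name without a lookup.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (as stored in an NTFS ACE) to S-R-A-S1-S2... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError("a SID has at most 15 sub-authorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    # 48-bit identifier authority is big-endian; sub-authorities are little-endian.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def classify(sid: str):
    """Return (kind, detail): whether a name is known locally or needs the issuer."""
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    parts = sid.split("-")
    # S-1-5-21-<three issuer values>-<RID>: issued by one machine or one domain.
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return ("needs-issuer", {"issuer": "-".join(parts[:7]), "rid": int(parts[7])})
    return ("unknown", None)


# Constructed sample data: Everyone, and RID 500 under a made-up domain identifier.
EVERYONE = bytes.fromhex("010100000000000100000000")
DOMAIN_ADMIN = (
    bytes([1, 5])
    + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 500)
)


def report(samples):
    """Decode and classify each binary SID, returning printable rows."""
    rows = []
    for raw in samples:
        sid = parse_sid(raw)
        kind, detail = classify(sid)
        rows.append((sid, kind, detail))
    return rows


if __name__ == "__main__":
    for row in report([EVERYONE, DOMAIN_ADMIN]):
        print(row)
```
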