SMB does not present permissions on looped up raw disk image / backup of a Windows NTFS volume


I have a raw copy of a Windows NTFS volume on my Linux machine. When I loop it and share it out on a domain-joined Linux machine via Samba as follows:

[global]                  
        workgroup = <my-domain>
        realm = <my-domain.com>
        server string = %h (backups)
        security = ADS                         
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        restrict anonymous = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        allow insecure wide links = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000 - 20000
        idmap gid = 10000 - 20000
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap config * : range = 10000 - 20000
        idmap config * : backend = tdb
        map acl inherit = Yes
...
[TestShare]
        path = /datto/mounts/TestShare
        valid users = nobody
        read only = No
        create mask = 0755
        force create mode = 0755
        force directory mode = 0755
        veto files = /lost+found/.locate.db
        dfree command = /datto/bin/dfree-runner

There are no longer permissions associated with the block device (left — right, original).

[Screenshot: left, no permissions on share; right, original permissions.]

On the other hand, mounting an iSCSI target of that same volume shows the original permissions.

Is it possible to serve these original permissions / securities over SMB? If so, is there something I can add or modify in my configuration of this share?

I’m not exactly sure why this happens but NTFS permissions do not translate to *nix very well. I’m pretty sure that the on-disk permissions that NTFS (5.0) uses are MUCH more complicated than what SAMBA reads.
In my experience with connecting something like MacOS or BSD/FreeNAS to a device with NTFS on it, if you have a disk that has permissions applied that are for a non-domain-joined computer and it is an OS disk, it will generally appear to work relatively normally (you can’t get into C:\Users\%username% until you reset, but a folder on the C: root will have the permissions as ‘Everyone’.)
If you have a computer that is domain joined, things get quite hairy. The extra SIDs that are domain\username likely require you to connect that *nix box to the LDAP service of the domain at a minimum. Even then, I have had trouble getting them to work smoothly.

I’m guessing from your screenshots that you don’t have a domain there (computername\username) so your issue is likely pseudo-related to a need for an LDAP connection (SID syncing).
You could probably resolve this issue by either validating the permissions that are applied to the NTFS with a user that is synced to LDAP on your *nix box or standing up a Windows Server and connecting to that with LDAP or something like that. That is at least the path you want to drive down. =P
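
The answer above distinguishes ACL entries such as 'Everyone' from domain\username or computername\username SIDs that need a directory to resolve. The following Python example, added here and not part of the original post or of Samba, decodes binary SIDs in the layout NTFS stores them and classifies each against the domain a file server is joined to. The domain SID and the sample ACL are constructed values, and `classify`, `build_sid` and `report` are hypothetical helper names.

```python
import struct

# Well-known SIDs that mean the same thing on every Windows host.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System",
              "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users"}

def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into its S-R-A-S... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify(sid: str, joined_domain_sid: str) -> str:
    """Classify a SID relative to the domain this host is joined to."""
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    if sid.startswith("S-1-5-21-"):
        issuer, _, rid = sid.rpartition("-")  # issuer = domain or machine SID
        if issuer == joined_domain_sid:
            return "joined domain, RID " + rid
        return "foreign issuer " + issuer + " (other domain or local machine), RID " + rid
    return "unclassified"

def build_sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID; used only to construct the sample input below."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed values: a made-up joined-domain SID and three ACL trustees.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACL = [
    build_sid(1, 0),                                             # Everyone
    build_sid(5, 21, 1111111111, 2222222222, 3333333333, 1104),  # domain user
    build_sid(5, 21, 4000000001, 4000000002, 4000000003, 1001),  # other issuer
]

def report(acl=SAMPLE_ACL, domain=DOMAIN):
    return [(s, classify(s, domain)) for s in map(parse_sid, acl)]

if __name__ == "__main__":
    for sid, verdict in report():
        print(sid, "->", verdict)
```

Only the first two trustees can be named by a host joined to the constructed domain; the third carries an issuer the host has no account database for, which is the case the answer describes for computername\username entries.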
