As permissões são definidas como no servidor e são 100% dependentes da ACL.
Você tem duas opções para tentar resolver seu problema.
1ª opção (que pode ser mais adequada às suas necessidades): tente mapear / combinar ACLs do Windows e Unix.
Edite o arquivo smb.conf do servidor SMB e adicione esses parâmetros à seção [global] :
[global]
nt acl support = yes
acl map full control = no
Os dois parâmetros acima farão com que o servidor SMB tente mapear / combinar ACLs do Windows e Unix.
Na% man_de% manpage:
nt acl support (S)
This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories.acl map full control (S)
This boolean parameter controls whether smbd(8) maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute.
2ª opção (solução alternativa): defina ACLs específicos para cada um dos seus compartilhamentos.
Em poucas palavras, os parâmetros RWX (leitura, gravação e execução) são definidos por esses parâmetros SMB equivalentes:
-
smb.confé equivalente a R (somente leitura) -
writeable = noé equivalente a RW (ler e escrever) -
writeable = yesouacl allow execute always = trueé equivalente a X (executar)
Para definir permissões de arquivo / pasta para todos os seus compartilhamentos, é necessário editar o arquivo acl allow execute always = yes do servidor e adicionar essa configuração global:
[global]
acl allow execute always = false
guest ok = no
writeable = yes
available = yes
browseable = yes
printable = no
locking = yes
... que por padrão força todas as suas pastas compartilhadas a proibir a execução de arquivos ( smb.conf ), proíbe o acesso de convidados ( acl allow execute always = false ), permite ler e editar / (re) gravar o acesso a arquivos e pastas ( guest ok = no ), disponibilize todos os seus compartilhamentos para uso dos usuários remotos (cliente) ( writeable = yes ) e torne os compartilhamentos disponíveis visíveis ( available = yes ), proíba o uso de seus compartilhamentos como um diretório de impressão em spool ( browseable = yes ) e forçar o bloqueio de seus compartilhamentos se o cliente enviar tal solicitação para o servidor SMB ( printable = no ).
Na% man_de% manpage:
acl allow execute always (S)
This boolean parameter controls the behaviour of smbd(8) when receiving a protocol request of "open for execution" from a Windows client. With Samba 3.6 and older, the execution right in the ACL was not checked, so a client could execute a file even if it did not have execute rights on the file. In Samba 4.0, this has been fixed, so that by default, i.e. when this parameter is set to "False", "open for execution" is now denied when execution permissions are not present. If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re-establishing the behaviour of Samba 3.6. This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer. This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period.
Nota: se locking = yes não funcionar, tente smb.conf .
guest ok (S)
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account. This parameter nullifies the benefits of setting restrict anonymous = 2 See the section below on security for more information about this option.writeable (S)
Inverted synonym for read only.read only (S)
An inverted synonym is writeable. If this parameter is yes, then users of a service may not create or modify files in the service's directory. Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.available (S)
This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.browseable (S)
This controls whether this share is seen in the list of available shares in a net view and in the browse list.printable (S)
If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service. Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.locking (S)
This controls whether or not locking will be performed by the server in response to lock requests from the client. If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking. If locking = yes, real locking will be performed by the server. This option may be useful for read-only filesystems which may not need locking (such as CDROM drives), although setting this parameter of no is not really recommended even in this case. Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.