T 2.143 Information losses relating to copying or moving data on Samba shares

In many cases, Samba is used as a file server for Windows systems. Windows (Windows NT and higher) uses the New Technology File System (NTFS) by default as its file system. In contrast, Samba uses the file system of the underlying Unix operating system to manage the data. The file systems used by Windows and Unix differ greatly in some regards.

File systems used by Unix-like operating systems such as the third extended file system (ext3) or Journaling File System (JFS) are not able to reproduce certain NTFS properties. Samba is generally able to compensate for these differences, but in some cases, Samba cannot reproduce the properties of the NTFS file system objects directly. When moving or copying file system objects from one type of system to another (for example from a Windows XP system to a file share of a Samba server), some information may be lost under certain circumstances if the administrators are not aware of such effects.

The following information can be lost in such cases:

• Access Control Lists (ACLs)
• Alternate Data Streams (ADS)
• DOS attributes

Example 1: Access Control Lists (ACLs)

When moving file system objects from an NTFS partition on a Windows system to a Samba file share, the ACL entries may be lost. Before copying, the owner of the file has the NT authorisation "full access" and the "Everyone" group has the NT authorisation "read, execute". After the file is moved, the owner of the file still has the NT authorisation "full access", but the "Everyone" group does not have any rights to the file any more.

Example 2: Alternate Data Streams (ADS)

Windows XP (Service Pack 2 and higher) stores so-called "zone identifiers" in the ADS of a file. These zone identifiers allow you to detect files that were downloaded from the Internet (when downloading a file, Internet Explorer inserts the corresponding zone identifiers). Programs like Windows Explorer use this information to warn users when they want to execute a file downloaded from the Internet. If Internet Explorer saves the downloaded file on a Samba file share that does not record the ADS, then this information will be lost. In effect, a user will no longer be warned before trying to execute this potentially dangerous file.

Example 3: DOS attributes

The DOS "archive" attribute of a file is reset in Windows every time the file is written to. Backup programs can use this information for incremental backups. If a Samba file share does not take this DOS attribute into account, then the backup program might not generate a new backup for a changed file.