[Samba] Standalone with Windows ACL

Tercio Gaudencio Filho terciofilho at gmail.com
Fri Oct 6 15:31:30 UTC 2017


I'm sorry for the delay, I got pretty busy down here.

First things first, it's working now, thanks!

I'll leave it here in case anyone is trying to do the same thing.

apt-get install samba smbclient samba-vfs-modules acl attr

smb.conf:

# Global parameters
[global]
workgroup = WORKGROUP
security = USER
server role = standalone server

log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
usershare path =
# Disable Printing
disable spoolss = Yes
load printers = No
printcap name = /dev/null
printing = bsd

map to guest = Bad User
obey pam restrictions = Yes
dns proxy = No
passdb backend = tdbsam
# Enable Win ACLs
store dos attributes = Yes
map acl inherit = Yes
vfs objects = acl_xattr

[MyShare]
path = /srv/samba/myshare
read only = No

I have to add the "SeDiskOperatorPrivilege" right to the user that wants to
manage permissions using Windows:

net rpc rights grant "UNIX_USERNAME" SeDiskOperatorPrivilege -U "root"

That's all!

Thanks again.

On Thu, Oct 5, 2017 at 4:11 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 04 Oct 2017 22:08:29 +0000
> Tercio Gaudencio Filho via samba <samba at lists.samba.org> wrote:
>
> > I'm configuring a standalone server (server role = standalone server)
> > using POSIX ACLs to manage permissions on server.
> >
> > I need to manage permissions (at least basic ones, like read, write)
> > from Windows GUI.
>
> Ah, so you don't want to use POSIX ACLs, you want to use Windows ACLs
>
> >
> > Is that possible using standalone?
>
> Yes
>
> >
> >
> > When I try setting permissions on Windows I got this on the log:
> >
> > [2017/10/04 19:07:08.437837,  2]
> > ../source3/smbd/posix_acls.c:3006(set_canon_ace_list)
> >   set_canon_ace_list: sys_acl_set_file type file failed for file
> > AD225.TXT (Operation not permitted).
> >
> > I issued grant on server (tercio is my username):
> >
> > net rpc rights grant "tercio" SeDiskOperatorPrivilege -U "root"
> >
> > My conf:
> >
> > # Global parameters
> > [global]
> > workgroup = SER-CAPITAL
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > panic action = /usr/share/samba/panic-action %d
> > usershare path =
> > map to guest = Bad User
> > obey pam restrictions = Yes
> > server role = standalone server
> > dns proxy = No
> > idmap config * : backend = tdb
> >
> > [MyShare]
> > path = /srv/samba/MyShare
> > read only = No
>
> You don't say what OS you are using, but on debian, you need to install
> the acl & attr packages.
>
> You need to be using a filesystem that understands ACLs, such as ext4
>
> You also need to add these lines to smb.conf:
>
> security = user
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> There is also a Samba wiki page about this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland

-- 
Best regards,

Tercio Gaudencio Filho
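
A checker for the settings discussed in this thread, added here as an example and not part of the original posts or of Samba itself: it parses smb.conf text and reports, per share, which of the three Windows ACL settings are not in effect. The function names and sample configs are constructed for illustration; an unset parameter is treated as missing rather than relying on version defaults, and includes and line continuations are not handled.

```python
import re

# Settings the thread's working config adds to enable Windows ACLs.
REQUIRED_BOOLS = ("map acl inherit", "store dos attributes")
TRUE_VALUES = {"yes", "true", "1"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalized names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections

def missing_for_windows_acls(text):
    """Return {share: [problems]}; an empty list means the share is ready."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    report = {}
    for name, share in conf.items():
        if name == "global":
            continue
        eff = {**glob, **share}  # a share-level value replaces the global one
        problems = []
        modules = re.split(r"[\s,]+", eff.get(norm("vfs objects"), "").lower())
        if "acl_xattr" not in modules:
            problems.append("vfs objects lacks acl_xattr")
        for param in REQUIRED_BOOLS:
            if eff.get(norm(param), "").lower() not in TRUE_VALUES:
                problems.append(param + " not enabled")
        report[name] = problems
    return report

# Constructed inputs, trimmed from the two configs quoted in the thread.
BEFORE = "[global]\nserver role = standalone server\nidmap config * : backend = tdb\n[MyShare]\npath = /srv/samba/MyShare\nread only = No\n"
AFTER = "[global]\nstore dos attributes = Yes\nmap acl inherit = Yes\nvfs objects = acl_xattr\n[MyShare]\npath = /srv/samba/myshare\nread only = No\n"
# Constructed: a share-level "vfs objects" replaces the global list, dropping acl_xattr.
OVERRIDE = AFTER + "vfs objects = recycle\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("override", OVERRIDE)):
        print(label, missing_for_windows_acls(cfg))
```
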

