samba4 sysvol permissions?

Jeff Sadowski jeff.sadowski at
Wed Oct 12 13:22:56 MDT 2011

On Thu, Sep 22, 2011 at 8:30 PM, Matthieu Patou <mat at> wrote:
> Hi Jeff,
> In Samba4 (and samba 3.x with the xattr_acl module) we store NT acls as
> extended attributes (security.ntacls). You can dump it with getfattr -d -m
> "" <myfile>.
> The best way to set ACLs for the moment is to do them in windows.
> Once you've defined the acls as you want you can use samba-tool to affect
> acls on other files, you just have to specify the sddl of your acls, for
> instance:
> ./bin/samba-tool ntacl set
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>  /tmp/p/sysvol/mydir
> Will set the NTACL for this folder to
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU).
> You can have more information about SDDL at
> The best way to get a SDDL is to dump it on a folder/file where you know
> that you have set it the way you want.
> For instance:
> ./bin/samba-tool ntacl get --as-sddl /tmp/p/sysvol
> Will output
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> Trying without the --sddl will output something more user readable but it
> can't be reused.
> Hope it makes (more) sense.
> --
> Matthieu Patou
> Samba Team

Ok I finally got around to playing with this and here are the results.
I logged into the Windows 2003 server that is my PDC and looked at the
permissions of the sysvol directory.
I copied all the permissions to my Linux sysvol directories,
then as you suggested I ran the following

 sbin/samba-tool ntacl get --as-sddl

it output as follows


next I tried the set command (I first tried it without quotes but it
was complaining so I added them) to set the permissions of the base
directory the same.

sbin/samba-tool ntacl set

now I get the error
Unknown parameter encountered: "secrets database"

Any clue as to how to fix this error?
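
The SDDL string quoted in the thread above, decoded field by field so the ACL can be reviewed before it is passed to `samba-tool ntacl set`. This is an added example, not part of the original messages and not Samba's code. The names `parse_sddl` and `modifiers` are hypothetical, and the sketch assumes hex access masks, no SACL, and only the four SID aliases that appear in that string.

```python
import re
# The SDDL string quoted in the thread above
SAMPLE = ("O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P"
          "(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
# Only the aliases that appear in that string; other SIDs are shown as-is
SIDS = {"BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
        "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users"}
FLAGS = {"OI": "object-inherit", "CI": "container-inherit",
         "IO": "inherit-only", "NP": "no-propagate", "ID": "inherited"}
RIGHTS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA",
          0x8: "READ_EA", 0x10: "WRITE_EA", 0x20: "EXECUTE",
          0x40: "DELETE_CHILD", 0x80: "READ_ATTRIBUTES",
          0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
# Bits that let a trustee change file content, ownership or the ACL itself
MODIFY = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
SD_RE = re.compile(r"^O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))+)$")

def parse_sddl(sddl):
    """Decode owner, group and DACL (hex access masks, no SACL)."""
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected O:...G:...D:...(ace)... without a SACL")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have 6 fields: " + body)
        kind, flags, rights, _obj, _inherit_obj, sid = fields
        mask = int(rights, 16)  # raises ValueError on letter codes like FA
        aces.append({
            "allow": kind == "A", "trustee": SIDS.get(sid, sid), "mask": mask,
            "inherit": [FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                        for i in range(0, len(flags), 2)],
            "rights": [n for bit, n in RIGHTS.items() if mask & bit]})
    return {"owner": SIDS.get(owner, owner), "group": SIDS.get(group, group),
            "protected": "P" in dacl_flags, "aces": aces}

def modifiers(sd):
    """Trustees holding an allow ACE with any content- or ACL-changing bit."""
    return [a["trustee"] for a in sd["aces"] if a["allow"] and a["mask"] & MODIFY]

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE)["aces"]:
        print(ace["trustee"], hex(ace["mask"]), ace["inherit"], ace["rights"])
    print("can modify:", modifiers(parse_sddl(SAMPLE)))
```

On the quoted string only Administrators and SYSTEM hold modifying rights; Server Operators and Authenticated Users decode to read and execute.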
