samba4 sysvol permissions?

Matthieu Patou mat at
Thu Sep 22 20:30:39 MDT 2011

Hi Jeff,
On 22/09/2011 15:14, Jeff Sadowski wrote:
> In Windows there are two places for permissions. The share permissions
> and the permissions of the directory itself. I was looking at the
> documentation but didn't see anything in samba4 docs except about
> setting the user_xattr flag which I did. Do I use xattr properties
> against "windows domain" groups and users? on each directory?
I'm not sure I got you right.

In Samba4 (and Samba 3.x with the xattr_acl module) we store NT ACLs as 
extended attributes (security.ntacls). You can dump it with getfattr -d 
-m "" <myfile>.
The best way to set ACLs for the moment is to do them in Windows.

Once you've defined the ACLs as you want you can use samba-tool to 
affect ACLs on other files, you just have to specify the SDDL of your 
ACLs, for instance:

./bin/samba-tool ntacl set 

Will set the NTACL for this folder to 

You can have more information about SDDL at

The best way to get an SDDL is to dump it on a folder/file where you know 
that you have set it the way you want.
For instance:
./bin/samba-tool ntacl get --as-sddl /tmp/p/sysvol

Will output

Trying without the --sddl will output something more user-readable but 
it can't be reused.

Hope it makes (more) sense.

Matthieu Patou
Samba Team
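
Added example, not part of the original mail and not Samba code: a small Python parser for the SDDL string that `samba-tool ntacl get --as-sddl` prints, used to list which trustees hold modify-type rights on a folder such as sysvol. The SDDL string is constructed, the alias tables are a subset of the SDDL codes, and the function names and the `MODIFY` bit selection are assumptions of this example.

```python
import re

# Subset of SDDL alias tables (Windows SDDL format); extend for your domain.
SIDS = {"BA": "BUILTIN\\Administrators", "SY": "SYSTEM", "AU": "Authenticated Users",
        "SO": "Server Operators", "DA": "Domain Admins", "WD": "Everyone"}
RIGHTS = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# Bits treated as "can modify": write data, append, delete child, DELETE,
# WRITE_DAC, WRITE_OWNER (a choice made for this example).
MODIFY = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000

# Constructed sample, not output from the original mail.
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;FA;;;SY)(A;OICI;FRFWFX;;;WD)")


def decode_rights(field):
    """Turn an SDDL rights field (hex or two-letter codes) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on a code outside the subset
    return mask


def parse_sddl(sddl):
    """Split O:/G:/D: and decode each ACE (type;flags;rights;obj;inh_obj;sid)."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL (expected O:, G: and D: parts)")
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": re.findall("..", flags),
                     "mask": decode_rights(rights), "trustee": SIDS.get(sid, sid)})
    return {"owner": SIDS.get(owner, owner), "group": SIDS.get(group, group),
            "protected": "P" in dacl_flags, "aces": aces}


def writers(parsed, expected):
    """Trustees with an allow ACE granting MODIFY bits, minus the expected set."""
    found = {a["trustee"] for a in parsed["aces"] if a["type"] == "A" and a["mask"] & MODIFY}
    return sorted(found - set(expected))


if __name__ == "__main__":
    acl = parse_sddl(SAMPLE)
    print("unexpected writers:", writers(acl, {"BUILTIN\\Administrators", "SYSTEM"}))
```

Pass the string printed by the `ntacl get --as-sddl` command to `parse_sddl` in place of `SAMPLE`; SACLs and conditional ACEs are outside what this example handles.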
