samba4 sysvol permissions?

Jeff Sadowski jeff.sadowski at
Mon Sep 26 16:06:35 MDT 2011

On Thu, Sep 22, 2011 at 8:30 PM, Matthieu Patou <mat at> wrote:
> Hi Jeff,
> On 22/09/2011 15:14, Jeff Sadowski wrote:
>> In windows there are two places for permissions. The share permissions
>> and the permissions of the directory itself. I was looking at the
>> documentation but didn't see anything in samba4 docs except about
>> setting the user_xattr flag which I did. Do I use xattr properties
>> against "windows domain" groups and users? on each directory?
> I'm not sure I got you right.
Looks like you got a good portion of it.
Below should be equivalent to the security tab. What about the sharing
tab's permissions, where you select users and Full, Change, Read permissions?
How do you select that? Is this implemented yet? It should
be something that you put in the smb.conf file, but the only thing I
see by default there is the readonly = [yes|no] option.

> In Samba4 (and Samba 3.x with the xattr_acl module) we store NT ACLs as
> extended attributes (security.ntacls). You can dump them with getfattr -d -m
> "" <myfile>.
> The best way to set ACLs for the moment is to do them in Windows.
This works under sysvol to a point; I can't match the special
permissions under the CREATOR OWNER user,
not sure how that is fully set on my Windows machine.

> Once you've defined the ACLs as you want, you can use samba-tool to apply
> ACLs to other files; you just have to specify the SDDL of your ACLs (quoted,
> because the parentheses are shell metacharacters), for instance:
> ./bin/samba-tool ntacl set 'O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)' /tmp/p/sysvol/mydir
> Will set the NTACL for this folder to
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU).
> You can find more information about SDDL at
> The best way to get an SDDL is to dump it from a folder/file where you know
> that you have set it the way you want.
> For instance:
> ./bin/samba-tool ntacl get --as-sddl /tmp/p/sysvol
> Will output
> O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
> Trying without the --sddl will output something more user-readable, but it
> can't be reused.
> Hope it makes (more) sense.
> --
> Matthieu Patou
> Samba Team

More information about the samba-technical mailing list