How to work with shares on s4?

Andrew Bartlett abartlet at
Wed Oct 3 20:31:01 MDT 2012

On Mon, 2012-09-24 at 12:15 +0200, Marc Muehlfeld wrote:
> Hello,
> a big question for me since switching to s4 is: How do I create a new share?
> I create a folder with default permissions:
> drwxr-xr-x 2 apache root 4096 24. Sep 10:58 /srv/samba/Test/
> Then I add the following to smb.conf and restarted samba:
> [test]
>     path = /srv/samba/Test
>     read only = No
> Now the share is visible on Windows and I can read/write as domain 
> administrator on it. All others have only read access by default.
> What I need to configure now: The folder should be owned by the local unix 
> account 'apache' on the s4 host. Also the group "Systemadministration" should 
> be granted 'change' permission (read/write/execute) on the whole share. I 
> tried to do this the following way:
> - Log into a workstation of the domain as domain admin
> - Open 'computer management' from the 'administrative tools', connect to my s4 
> server and go to 'shares'
> - I right-click on my 'test' share, choose 'properties' and go to the tab 
> 'share permissions'.
> - There I remove 'everyone' (with full access), add the group 
> 'systemadministration' with 'change' permissions and click apply.
> - I switch to the 'security' tab and remove 'unknown account (S-1-22-2-0)' and 
> 'everyone'. The S-1-22-1-48 (48 is the UID of the 'apache' account) is already 
> there with full access.
> - I add the group 'Systemadministration', mark 'change' as permission and 
> click 'apply'.
> The result of this is:
> - After I clicked 'apply', the group 'systemadministration' doesn't show 
> 'change' permission any more. It's set to 'full access'. Also 'creator' (full 
> access) and 'creator group' (none) were added automatically. Also 'everyone' 
> (none) and 'unknown account (S-1-22-2-0)' (none) are back in the list.
> - As a member of the 'Systemadministration' group I can read and create files 
> on the share. But I can't change/rename/delete them. Is this a bug? Or did I 
> set it up wrong?

This certainly seems odd, but I don't know this area very well.
Remember that you need to set the ACL on the folder as well as any share
ACL.  (The need to set both is why share ACLs are not used as often). 

> And two more questions about shares:
> - When I want to delete a share: Do I just have to remove the entry from 
> smb.conf and the registry entries (like share permissions,...) are removed 
> automatically?

Yes, just remove the smb.conf.  I don't think anything goes away
automatically, but it is inoperative.

> - Does 'force user/group' work on s4?

Yes, it should.

> I'm currently running rc1.


Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list