[Samba] Request for ACL experiences

Paul Eggleton paule at cjntech.co.nz
Wed Oct 29 20:57:45 GMT 2003

Douglas Phillipson wrote on Thursday, 30 October 2003 9:14 a.m.:
> I'm having trouble with ACL's and wonder how many others are too.  I
> see conflicting answers and comments about different aspects of ACL's
> from many people on the list.  I was wondering if ANYONE is
> successfully using ACL's with Samba 3.0 or above.

Yes, we are. Our Red Hat 9 based Samba server is acting as a general
purpose file server for a Windows 2000 Active Directory domain.

> Was your Samba server configured as the DC?

No, our DC is running Windows 2000 Server SP3.

> What client OS were you setting ACL's on the Samba Share with?
> (Win2000, XP) What service pack (SP4 on Win2000???)

Windows 2000 Server SP3.

> Did you have to have the ACL kernel patch?

Yes, if you wish to use ACLs on ext2/ext3. XFS is supposed to have
support already, though I have not tried it so I really don't know for

> Did you need "nt acl support = yes" in each share definition?

No. This option defaults to yes anyway, so you should not need to
specify it at all.

> How did you set up your shares? (Working share Examples are good)

Here's an example:

    comment = Media files
    path = /mnt/media
    public = yes
    writable = yes
    create mask = 0774
    directory mask = 0774
    inherit acls = yes
    admin users = Administrator

You need "winbind use default domain = yes" set in your smb.conf for the
"admin users" option to work as specified above.

Note that the exact options you use are highly dependent on what you
want to use the share for. I would strongly recommend you read the
relevant parts of the Samba 3 Howto collection, as well as the share
options documentation in the smb.conf manpage.

> Did you have to use the "server Tools" downloaded from microsoft or
> could you simply right click on a file/folder and change the security
> ACL's? 

You can just use the normal permission editing (right

> How are you verifying the ACL's actually work?  Did you fully test any
> ACL you set through Windows by actually trying to make a user access a
> file to see that his access matched the ACL you set.

Yes, they do work.

> What didn't work with ACL's that you thought should?

Well, Samba can only provide to Windows what is available through POSIX
standard ACLs, which means read, write, execute access bits for the
owner, the group, and all others (the latter represented by "Everyone"
in Windows), plus the same for each ACE. The extended permission types
provided by Windows are not fully supported and this can't really be
fixed at this time, because there is no equivalent functionality in
Unix. In addition, Samba has to fit the normal DOS attributes into the
Unix permissions as well, so you may see odd things happening at the
Windows end. It does work, but the sooner you understand these two
limitations, the better you will understand what is going on when you
try to set permissions from Windows.

Nested groups do not work. If domain user X is a member of domain group
A, and A is a member of domain group B, X will not be seen as a member
of B by Samba even though they will be by Windows.

> Are you comparing the windows ACL's to the output of getfacl?

Yes, they are the same, once you understand how the mapping works.

> Could you use ACL's to add users to Samba printers?
> How did you add Samba printers as Domain resources so you could add
> ACL's to them?  Or did you need to do this?

No idea, I have not tried either.

> Did you have to do any setfacl commands in Linux?


> Did you have to run winbind?


> Did you have to do any "net groupmap" commands to make ACL's work?


> Were there any commands/configurations you had to use to make ACL's
> work that were not covered in the 3.0 HowTo?

Not that I'm aware of, although it does not discuss enabling ACLs in the
file system last time I checked (I suspect because this is Linux

BTW I have written an unofficial Samba+ACL Howto of sorts which may make
things a little clearer. If you have any suggestions for that Howto
(which is a little out of date, I admit) please let me know.
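
The mapping discussed in this message (rwx bits per entry, with "other" shown as "Everyone" in Windows) can be checked against getfacl output. The following is an added example, not part of the original message: it parses constructed getfacl text and applies the POSIX ACL mask to give each entry's effective rights. The path and the names jsmith and editors are hypothetical.

```python
# Added example. SAMPLE is constructed getfacl output; the path and the
# names jsmith and editors are hypothetical.
SAMPLE = """\
# file: mnt/media/clips
user::rwx
user:jsmith:rwx
group::rwx
group:editors:rw-
mask::r-x
other::r--
default:user::rwx
"""

def parse_getfacl(text):
    """Return (access, default) lists of (tag, qualifier, perms) tuples."""
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):  # entries inherited by new files in a directory
            line, target = line[len("default:"):], default
        tag, qualifier, perms = line.split(":", 2)
        target.append((tag, qualifier, perms[:3]))
    return access, default

def effective(entries):
    """Apply the mask: it caps named users and all groups, never owner or other."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    rights = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        is_owner = tag == "user" and qualifier == ""
        if mask and not is_owner and tag != "other":
            perms = "".join(c if m != "-" else "-" for c, m in zip(perms, mask))
        if tag == "other":
            label = "Everyone"  # how "other" appears on the Windows side
        elif qualifier == "":
            label = "owner" if tag == "user" else "owning group"
        else:
            label = f"{tag}:{qualifier}"
        rights[label] = perms
    return rights

if __name__ == "__main__":
    for who, perms in effective(parse_getfacl(SAMPLE)[0]).items():
        print(f"{who:15} {perms}")
```

With this sample, jsmith is granted rwx in the ACL but the mask reduces the effective rights to r-x, which is the value to compare against the access a test user actually gets.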