[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

Jens Nissen jens.nissen at gmx.net
Thu Apr 12 18:06:21 GMT 2007

I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.

Everything else works:
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl beforehand.
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.

What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?

In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.

Kind regards for any hint,


P.S: smb.conf output from testparm, nt acl support = Yes is also set
(testparm does not show it)

        dos charset = ISO-8859-1
        unix charset = ISO-8859-1
        display charset = ISO-8859-1
        workgroup = XXX
        realm = XXX.TEST
        security = ADS
        password server = xxx.xxx.test
        passdb backend = tdbsam
        guest account = samba
        name resolve order = host wins bcast
        idmap uid = 1000-60000
        idmap gid = 1000-60000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        ldapsam:trusted = Yes
        admin users = XXX\\Administrator
        ea support = Yes
        map acl inherit = Yes
        hide dot files = No
        map hidden = Yes
        map readonly = permissions
        dos filemode = Yes

        comment = Home Directories
        read only = No
        browseable = No
        preexec = mkdir -m 700 %P

        comment = ACL shared folder
        path = /export/shared
        read only = No
        create mask = 0777
        directory mask = 0777
