[Samba] ACL

Clinton Mills Clinton at Hitcents.com
Thu Jan 29 17:21:38 GMT 2009

Hi samba group,


I'm trying to get samba to act like Windows in the Security tab (to be able
to add, remove, and modify ACLs on certain files/folders). We are running
CentOS 5.2 (2.6.18-92.1.22.el5) with XFS installed for the /share partition.


I currently have these versions of samba installed:




I am pretty sure the ACL is all setup and working correctly. I can maintain
ACL from Linux and I can even see them in the security tab for windows. I
can also remove users from the security tab in Windows.


These are the things I need help with:

- When I try to add a user it asks me for a username and password. I
  cannot get this to accept my password.

- When I first load up the security tab it shows a long number
  "S-1-5-21-..." This screen takes a while to change these numbers to names.
  Is there a way to speed this up?

- Is there a way to restrict people from adding themselves to
  files/folders they do not have access to?


I have looked all over and cannot find clear instructions on how to set ACL
up in a user environment. If you could point me to one of these documents
that would be very helpful.


We currently have Samba set up to work without a domain. I have read on other
websites that this is not a good idea:


One problem with Samba ACL support is that listing users to use for access
control entries (ACEs) within ACLs can be troublesome. Specifically, if
you're using Samba in a standalone mode (i.e., configured with "user"
security mode), Windows 2000 and Windows XP users might not be able to
consistently list Samba users when configuring an ACL.


We really don't have the option of doing a PDC. Is this a bad idea to try
and get this to work without using PDC?


smbd -b | grep ACL









passdb backend = tdbsam

add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

security = user
encrypt passwords = yes

preferred master = Yes
domain master = Yes
domain logons = Yes

debuglevel = 3

workgroup = Workgroup
workgroup = temp
netbios name = hitsnap
bind interfaces only = True
interfaces = eth1 lo

max disk size = 990000   ;some programs (like PS7) can't deal with more than

allow hosts =
socket options = TCP_NODELAY
server string = Hitsnap
smb ports = 139

syslog = 0
log level = 2
log file = /var/log/samba/log.%m

vfs objects = recycle

client ntlmv2 auth = yes
;recycle:repository = .recycle
;recycle:keeptree = Yes
;recycle:versions = Yes
;recycle:touch = Yes


path = /var/lib/samba/netlogon
read only = yes


read only = no
browseable = no


path = /share/hdrive/share1
read only = no
browseable = yes
writable = yes
admin users = admin1
valid users = admin1
public = no
create mask = 0777
directory mask = 0777
nt acl support = yes
acl map full control = yes

dont descend = .recycle



Clinton Mills