[Samba] Set ACLs on Samba share from Windows

Gaiseric Vandal gaiseric.vandal at gmail.com
Sun Jul 4 18:26:47 MDT 2010

It works for me -  Solaris 10, ZFS file system, configured as a PDC or BDC

#testparm -v | grep "acl "

        acl compatibility = auto
        acl check permissions = Yes
        acl group control = No
        acl map full control = Yes
        force unknown acl user = No
        nt acl support = Yes
        map acl inherit = No

If you are on Linux, ext3 and ext4 should support ACLs.

Can you use "setfacl" to change permissions on a file on the unix level
using the uid of a domain user?    
Can you, in Windows, set permissions for someone defined as a local user?
That might indicate if the problem is really with ACLs or if the problem
is with winbind retrieving users from the domain controller.  (Although
getent seems to indicate that winbind is not the problem.)

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Dadoo
Sent: Saturday, July 03, 2010 3:46 AM
To: samba at lists.samba.org
Subject: [Samba] Set ACLs on Samba share from Windows

I can't seem to verify whether or not my first attempt at sending this 
message was successful, so I'm reposting it, using a different method. I 
apologize if anyone has seen it already.

I have a Samba server, joined to my Windows Active Directory domain, and 
I'm having a problem setting ACLs on a share from Windows. On Windows, I 
get the error message "Unable to save permission changes on <folder>. The 
parameter is incorrect." and when I look in my Samba log, I see the 
message "ACL is invalid for set (Invalid argument)".

"getent passwd" and "getent group" return both local and AD users and 
groups, respectively.

Here are the relevant lines from my smb.conf:

        workgroup = <My domain>
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 3 winbind:10 acls:10
        security = ads
        realm = <My domain>.LOCAL
        encrypt passwords = yes
        idmap uid = 2000-10000
        idmap gid = 2000-10000
        winbind enum groups = yes
        winbind enum users = yes
        wins server =
        load printers = no
        cups options = raw
        comment = Home Directories
        browseable = no
        writable = yes
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
        comment = Test share for PaperPort images
        path = /u1/images
        admin users = <My domain>\<user1> <My domain>\<me>
        public = yes
        writable = yes
        browseable = yes

I'm sure I'm missing something minor, but I can't figure out what it is. 
Anyone have any ideas?
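
The reply's setfacl suggestion, written out as an added example that is not part of either message: it separates "NSS/winbind cannot resolve the user" from "the filesystem rejects POSIX ACLs". The function name acl_probe and its return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example. Return codes (this script's own convention):
#   0 ACL entry set and read back
#   2 user not resolvable through NSS (getent)
#   3 directory missing or not writable
#   4 setfacl/getfacl not installed
#   5 setfacl failed (filesystem or mount options reject ACLs)
#   6 entry set but not visible in getfacl output
acl_probe() {
    user=$1
    dir=$2

    # Step 1: name resolution through NSS, the path winbind plugs into.
    entry=$(getent passwd "$user") || return 2
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)

    [ -d "$dir" ] && [ -w "$dir" ] || return 3
    command -v setfacl >/dev/null 2>&1 || return 4
    command -v getfacl >/dev/null 2>&1 || return 4

    # Scratch file inside the tested directory, so the real filesystem
    # and mount options are exercised.
    probe=$(mktemp "$dir/aclprobe.XXXXXX") || return 3

    # Step 2: set a named-user entry by numeric uid at the Unix level.
    if ! setfacl -m "u:$uid:rw-" "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 5
    fi

    # Step 3: read back numerically (-n) so the check does not depend
    # on mapping the uid back to a name.
    if getfacl -n "$probe" 2>/dev/null | grep -q "^user:$uid:rw-"; then
        rc=0
    else
        rc=6
    fi
    rm -f "$probe"
    return $rc
}
```

Run it as root against the share path (for example /u1/images from the smb.conf above) with a domain account that getent lists. A result of 5 points at the filesystem or its mount options, while 2 points at winbind/NSS.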

