[Samba] samba 3.5.5 and ACL mod

suresh.kandukuru at emc.com suresh.kandukuru at emc.com
Wed Sep 29 03:22:47 MDT 2010

ensure that 
nt acl support= yes
dos filemode= yes 

for a given share in smb.conf

and  for mmc access assign SeDiskOperatorPrivilege to the samba users

/usr/local/sama/bin/net  sam rights  grant "samba username" SeDiskOperatorPrivilege

if it is in domain 
/usr/local/sama/bin/net  sam rights  grant domain\\username SeDiskOperatorPrivilege

Hope this helps


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Sebastian.Perkins at swisscom.com
Sent: Wednesday, September 29, 2010 2:01 PM
To: drescherjm at gmail.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba 3.5.5 and ACL mod

>>On Tue, Sep 28, 2010 at 12:14 PM,  <Sebastian.Perkins at swisscom.com> wrote:
>>> We are in the middle of testing debian squeeze 64 bits with samba 3.5.5 >>and are running into some questions:
>>> 1) Is this solution OK with windows 7 "out of the box" (ie no >>hacking/modifications to do on the pc) ? I have tested it seems so but I >>would like a confirmation.
>>You still need the registry change from here:

We are using security=user to challenge local passwords and not a domain (maybe later...).

>> >
>> > 2) Despite massive googling, I have not found a correct smb.conf >> >> >> configuration to change ACL statuses on shares (or even subfolders/files) >> via a windows based mmc (xp or vista). Yes, the IT people are not into >> >> SWAT or Webmin. It is stated possible. Are there any pointers or special >> issues I have missed with this version?
>> >
>> You need idmap to work for acls to even begin to work as you expect.
>> You also need either acls enabled in the host filesystem and / or use
>> the  acl_xattr module.

Testbed is using xfs so what I understand it that acls are already embedded. Later we will use nfs shares, at this time in v3 which must be updated to v4 for acls.

Do I still need idmap in this situation ? the doc seems quite domain oriented with this sort of config.

My goal is to permit acl based on the local unix users (just created by useradd and smbpasswd -a).


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list