[Samba] samba 3.5.5 and ACL mod

Sebastian.Perkins at swisscom.com
Wed Sep 29 08:18:10 MDT 2010

Thank you all for your feedback.

This is what I have done

Installed acl
Mounted xfs partition with acl option on /home

For the share I have:

   path = /home/testshare
   nt acl support = yes
   dos filemode= yes
   writeable = yes
   valid users = boss,x,y,z
   admin users = boss
   inherit permissions = yes
   store dos attributes = yes
   map acl inherit = yes
   inherit permissions = yes
   store dos attributes = yes
   inherit acls = Yes
   ea support = yes

for each "useradd" there is a smbpasswd -a

net sam rights grant "boss" SeDiskOperatorPrivilege

mmc... works !

Only one question remains: if I add a user to unix/samba, it does not appear in the share ACL even if I add it to "valid users".

I have to add the user to the share with

setfacl -m u:newuser:r /home/testshare

And then change anything I need with mmc.

Is there a way around this ?

Best Regards,

Sebastian Perkins
Systems Developer Engineer
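
The gap described in this message, as an added example that is not part of the original post: `valid users` only decides who may connect to the share, while the POSIX ACL on the path decides what they can open, so a new account needs both. The Python below lists valid users that have no named-user ACL entry; the stanza, the getfacl output and the account "newuser" are constructed samples.

```python
import re
# Constructed share stanza modelled on the post; "newuser" is hypothetical.
SMB_CONF = """[testshare]
   path = /home/testshare
   valid users = boss,x,y,z,newuser
   admin users = boss
"""
# Constructed `getfacl /home/testshare` output, not captured from a real host.
GETFACL = """# file: home/testshare
# owner: boss
user::rwx
user:x:rwx
user:y:r-x
user:z:r--
group::r-x
other::---
default:user:x:rwx
"""

def share_params(conf, share):
    params, current = {}, None
    for line in map(str.strip, conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names ignore case and whitespace.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def plain_users(value):
    """Split a user list; skip group entries (@, +, & prefixes)."""
    return [n for n in re.split(r"[,\s]+", value or "") if n and n[0] not in "@+&"]

def acl_users(getfacl_text):
    """File owner plus every named-user access entry (default: entries excluded)."""
    found = set(re.findall(r"^# owner: (\S+)", getfacl_text, re.M))
    return found | set(re.findall(r"^user:([^:\s]+):", getfacl_text, re.M))

def users_missing_acl(conf, share, getfacl_text):
    p = share_params(conf, share)
    # admin users act as root on the share, so they need no ACL entry.
    covered = acl_users(getfacl_text) | set(plain_users(p.get("adminusers")))
    return [u for u in plain_users(p.get("validusers")) if u not in covered]

if __name__ == "__main__":
    print(users_missing_acl(SMB_CONF, "testshare", GETFACL))
```

A user reported here may still reach files through a group or "other" entry; the check only covers the owner and named-user entries.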

-----Original Message-----
From: suresh.kandukuru at emc.com [mailto:suresh.kandukuru at emc.com] 
Sent: mercredi 29 septembre 2010 11:23
To: Perkins Sebastian, SH-SYS-GRP (EXT); drescherjm at gmail.com
Cc: samba at lists.samba.org
Subject: RE: [Samba] samba 3.5.5 and ACL mod

ensure that 
nt acl support= yes
dos filemode= yes 

for a given share in smb.conf

and  for mmc access assign SeDiskOperatorPrivilege to the samba users

/usr/local/samba/bin/net  sam rights  grant "samba username" SeDiskOperatorPrivilege

if it is in domain 
/usr/local/samba/bin/net  sam rights  grant domain\\username SeDiskOperatorPrivilege

Hope this helps


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Sebastian.Perkins at swisscom.com
Sent: Wednesday, September 29, 2010 2:01 PM
To: drescherjm at gmail.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba 3.5.5 and ACL mod

>>On Tue, Sep 28, 2010 at 12:14 PM,  <Sebastian.Perkins at swisscom.com> wrote:
>>> We are in the middle of testing debian squeeze 64 bits with samba 3.5.5 and are running into some questions:
>>> 1) Is this solution OK with windows 7 "out of the box" (ie no hacking/modifications to do on the pc) ? I have tested it seems so but I would like a confirmation.
>>You still need the registry change from here:

We are using security=user to challenge local passwords and not a domain (maybe later...).

>> >
>> > 2) Despite massive googling, I have not found a correct smb.conf configuration to change ACL statuses on shares (or even subfolders/files) via a windows based mmc (xp or vista). Yes, the IT people are not into SWAT or Webmin. It is stated possible. Are there any pointers or special issues I have missed with this version?
>> >
>> You need idmap to work for acls to even begin to work as you expect.
>> You also need either acls enabled in the host filesystem and / or use
>> the  acl_xattr module.

Testbed is using xfs so what I understand is that acls are already embedded. Later we will use nfs shares, at this time in v3 which must be updated to v4 for acls.

Do I still need idmap in this situation ? The doc seems quite domain oriented with this sort of config.

My goal is to permit acl based on the local unix users (just created by useradd and smbpasswd -a).

