[Samba] File share permissions act different on member server than on DC

steve steve at steve-ss.com
Mon Oct 14 00:43:26 MDT 2013

On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
> Hello,
> a while ago I wrote the 
> http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
> When I wrote the HowTo, I set up and configured the share on a DC, which 
> still works as described. Today I tried for the first time to do exactly 
> the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.
> The share in smb.conf:
> [demo]
>     path = /srv/samba/Demo
>     read only = no
> The folder in the filesystem (XFS):
> drwxr-xr-x   2 root root        6 13. Okt 22:16 /srv/samba/Demo
> I connect to the share as Domain Admin, right-click it and go to the 
> "security" tab. Here I now see "everyone" and two "root" entries.
> - I click the "edit" button and remove the two "root" entries. When I 
> click "apply", everything is reset (the two entries went back).
> - If I grant "modify" to "everyone" - where all "allow" entries are 
> empty per default - and click "apply", then all boxes are checked 
> automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP" 
> appear. And these two can't be removed any more either.
> If I do exactly the same on a DC, then the security tab already shows 
> very different settings the first time I open it. The wiki screenshot 
> shows them: 
> http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png
> But the folder on the Linux side is also just 755 (and without any 
> extended ACLs when I begin). Also whatever I change (like remove "root" 
> from the ACLs), everything is done as expected and saved.
> The member server is also self compiled. I installed all packages on my 
> RHEL6 that I have installed on the DC too.
> Any idea what could be different on a 4.x member than on a DC? Or did I 
> find a bug?
> Regards
> Marc

It looks like on the DC, Administrator already has admin
permissions on the share (like root in Linux) but on a file server he
doesn't. You have to specify Administrator as an admin user or give him
full POSIX rights on the share using setfacl.

Summary. Administrator behaves as:
DC: like root on a Linux box
File server: a normal unprivileged domain user

I think the file server is correct. Windows doesn't have a user like
