[Samba] Setup and configure file shares with Windows ACLs

Henrik Langos hlangos-samba at innominate.com
Wed Jun 25 07:25:37 MDT 2014

On 06/25/14 14:21, steve wrote:
> On Wed, 2014-06-25 at 13:57 +0200, Henrik Langos wrote:
>> When reading the wiki page about setting up new shares there is some
>> information missing.
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>> The information I am missing most here is which posix.1 ACLs to set
>> after creating the shares directory.
>> There is only
>> # mkdir -p /srv/samba/Demo/
>> but on my system that will create a directory that is owned by root:root
>> and have 0755 permissions.
>> Not very helpful as trying to configure the Windows ACLs later gets a
>> "permission denied" error.
> If you want to use this method, you must map the user who is
> manipulating the security tab to root on the file server.

I don't like that approach as it changes the mapping for that user
and thus his access to every other file on that server.

Also: Imagine you have to set up a share for a customer support
department and the support manager (or rather his more
tech savvy intern) should manage the access to their share.

I wouldn't want to map the support manager (let alone an
intern) to root on my file server, not even temporarily,
would you? :-)

> The easiest way to create the acls is to have winbind running on the
> file server and use the names of the domain objects themselves to
> prepare the initial permissions on the share. Once you're in _then_
> change anything fancy you may need in windows.

That's what I am trying to do.

I see two ways to get there:

A) Set the initial posix.1 user:group and permissions as close as
possible to the intended result and only make some necessary changes
to the ACLs using windows.

B) Set those initial permissions to a minimum (rwx------ root:root ??)
and manually add the extended ACLs with "setfacl" so that you
can take over management of the ACLs with windows.

I have tried out some things and it seems that samba will not chown or
a directory once it is created. So even if in windows I take away the
access to a directory from "Domain Users" and give it to "Domain Admins",
the posix.1 group of that directory will still be "Domain Users". And in
the plain "ls -l" view the group will still have "rwx" permissions. Only
if I look into the extended ACLs, I can see that "Domain Users" have
"---" permissions.

Now the following scenario makes me think that A might be a bad idea.

If I set the initial posix ownership to some numeric user:group that is
known to windows, then I delete the user and group in windows and later
create a new user and group that happen to get the same mapping, those
new user and group would inherit the old files, wouldn't they? This is
the same as in Linux if you reuse a uid number, but in Linux I have at
least a better "feeling" of control about that mapping process.

Or maybe I am just too paranoid :-)
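The "ls -l shows rwx for the group, getfacl shows ---" observation above has a mechanical explanation: once a directory carries an extended ACL, the group triplet that ls -l prints is the ACL *mask*, not the owning group's own entry, and the rights actually granted to the owning group and to every named user or group entry are their entry ANDed with that mask. The following Python is an added illustration, not code from the thread or from Samba: it parses the getfacl(1) text format and reproduces both the effective rights and the ls -l mode column. The sample getfacl dumps, the path and the group names (domain_users, domain_admins) are constructed placeholders; real winbind names carry a domain prefix and spaces.

```python
"""Interpret getfacl(1) output the way the kernel and ls(1) do.

Added example for the samba-list thread on share ACLs; not Samba code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a share directory owned by root:domain_users after
# Windows revoked "Domain Users" (the owning group, i.e. the group:: entry)
# and granted "Domain Admins" full control as a named group entry.
SAMPLE_GETFACL = """\
# file: srv/samba/Demo
# owner: root
# group: domain_users
user::rwx
group::---
group:domain_admins:rwx
mask::rwx
other::---
"""

# Constructed sample with a restrictive mask (e.g. after a plain chmod g-w):
# getfacl annotates clipped entries with a trailing "#effective:" comment.
SAMPLE_GETFACL_MASKED = """\
# file: srv/samba/Demo
# owner: root
# group: domain_users
user::rwx
group::---
group:domain_admins:rwx\t#effective:r-x
mask::r-x
other::---
"""


@dataclass
class AclEntry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # name for named user/group entries, "" for the object entries
    perms: str      # three characters from "rwx-", e.g. "r-x"


@dataclass
class Acl:
    owner: str
    group: str
    entries: List[AclEntry]


def parse_getfacl(text: str) -> Acl:
    """Parse the text getfacl prints for one file (header comments + entries)."""
    owner = group = ""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                group = value.strip()
            continue
        # Drop getfacl's own "#effective:" annotation; we recompute it below.
        parts = line.split("#", 1)[0].strip().split(":")
        if len(parts) != 3 or len(parts[2]) != 3:
            raise ValueError(f"unexpected ACL line: {raw!r}")
        entries.append(AclEntry(*parts))
    return Acl(owner, group, entries)


def _intersect(perms: str, mask: str) -> str:
    """Bitwise AND of two rwx triplets, e.g. ("rwx", "r-x") -> "r-x"."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective_perms(acl: Acl) -> Dict[str, str]:
    """Rights actually granted per entry, keyed "tag:qualifier".

    POSIX.1e applies the mask to the owning group (group::), to named groups
    and to named users; owner (user::), mask and other are never masked.
    """
    mask: Optional[str] = next((e.perms for e in acl.entries if e.tag == "mask"), None)
    result: Dict[str, str] = {}
    for e in acl.entries:
        masked = mask is not None and (e.tag == "group" or (e.tag == "user" and e.qualifier))
        result[f"{e.tag}:{e.qualifier}"] = _intersect(e.perms, mask) if masked else e.perms
    return result


def ls_mode_string(acl: Acl) -> str:
    """The permission column ls -l prints (without the leading type character).

    With an extended ACL the middle triplet is the *mask*, not group::, and a
    '+' is appended; that is why "rwx" shows up for a group whose entry is "---".
    """
    by_key = {(e.tag, e.qualifier): e.perms for e in acl.entries}
    owner, other = by_key[("user", "")], by_key[("other", "")]
    mask = by_key.get(("mask", ""))
    if mask is None:
        return owner + by_key[("group", "")] + other
    return owner + mask + other + "+"


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("ls -l shows:", ls_mode_string(acl), "owning group:", acl.group)
    for key, perms in effective_perms(acl).items():
        print(f"  {key:<22} effective {perms}")
```

Run against the first sample this prints `rwxrwx---+` for the ls -l column while `group:` (the owning group, Domain Users) resolves to `---` and `group:domain_admins` to `rwx`, which is exactly the discrepancy described in the message. The second sample shows the other direction: a mask of `r-x` silently clips Domain Admins to `r-x`, so a plain `chmod` on a share directory can revoke rights that the Windows security tab still displays as granted.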

