[Samba] Samba 4 as NT4-style PDC on Ubuntu Trusty 14.04

Klaus Hartnegg hartnegg at gmx.de
Fri May 16 02:10:17 MDT 2014

On 16.05.2014 09:37, mourik jan heupink - merit wrote:
> As far as I know, samba4 can behave _exactly_ like samba3, if you don't
> configure it to use Active Domain. So, it should (as far as I know)
> basically be an up-to-date drop-in replacement for samba3, as long as you
> don't change your smb.conf.

I am also using Samba 4.1.6 from Ubuntu 14.04 as an NT4-style domain
controller. Works great!

As far as I remember I had to edit smb.conf to contain "server role = 
classic primary domain controller", and add "acl allow execute always = 
true", or set the x-bit on executable files (or all files). Also Ubuntu 
14.04 does not have the group 'nobody' any more, so I had to switch to 

I followed this description:

Hint: If you have xattr support in the Linux filesystem, it is very 
advisable to not do chown or setfacl in Linux, but instead set the 
permissions in Windows (scriptable with icacls). This is much more flexible.

If you don't know the strange syntax of icacls, you can use the script 
below. It can be used like
setacl.cmd s:\subdir root:admin sales:write finance:read
All rights are inherited to subdirectories.
To stop inheritance in one place: icacls s:\dir\subdir /inheritance:r
To clear all permissions for a clean start: icacls s:\ /t /c /reset

Unfortunately for a huge directory tree icacls on a client takes 30 
minutes for what setfacl can do on the server in 30 seconds.

---- setacl.cmd ----
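@echo off
rem usage: setacl.cmd <dir> <who>:<list|read|write|admin> [<who>:<level> ...]
set dir=%~1
:loop
rem split the current who:level argument at the colon
for /f "delims=: tokens=1-2" %%i in ("%2") do set who=%%i& set def=%%j
set right=
if "%def%"=="list"  set right=(ci)rx
if "%def%"=="read"  set right=(ci)(oi)rx
if "%def%"=="write" set right=(ci)(oi)m
if "%def%"=="admin" set right=(ci)(oi)f
if "%right%"=="" goto error
rem reset errorlevel to 0 before the icacls call
if errorlevel 1 verify>nul
rem dry run as posted: the icacls call below is commented out and only echoed
echo icacls %dir% /grant %who%:%right%
rem  icacls %dir% /grant %who%:%right%
if errorlevel 1 goto error
goto cont
:error
echo ### ERROR in setacl %dir% %who%:%def%
echo %date% %time:~0,8% ERROR in %dir% %who%:%def%>> setacl.log
:cont
rem move on to the next who:level argument
shift
if not "%2" == "" goto loop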
---- setacl.cmd ----

hope this helps,
