[Samba] how to define new folders ACL

Lorenzo Faleschini lorenzo.faleschini at nordestsystems.com
Wed Sep 24 06:13:43 MDT 2014


the unix permissions were already correct
administrator:domain users

the problem was with ACLs, so by setting default:xxxx with setfacl I 
shaped the way the new folders will be under the whole tree.
tested with a random user creating a folder and the defaults were 
applied (domain users RWX)... so seems ok

just for understanding better, what do you mean by setting xattr 
inheritance? how can I do that?



Lorenzo Faleschini
IT Manager @ Nord Est Systems srl
----------------------------------------
m: +39 335 6055225 | skype: falegalizeit

On 24/09/2014 14:02, Sébastien Le Ray wrote:
> Oh… Yes, the other workaround for this is to chown the whole tree to 
> you and then adjust ACL through windows UI.
> Here, your setfacl doesn't set the xattr forcing inheritance so I guess 
> you could run into troubles later on.
>
> On 24/09/2014 12:05, Lorenzo Faleschini wrote:
>> the problem was that on the new folders created by users Domain 
>> Administrator had no privileges.
>> so I was denied the access to those folders as admin (to set Inherit 
>> ACLs)
>>
>> so I had to manually set those with setfacl
>>
>> the problem came because I rsynced the shares from the old samba server 
>> and did not set the default ACL before rsyncing, so the ACL thing was 
>> in the wild.
>>
>>
>> Lorenzo Faleschini
>> IT Manager @ Nord Est Systems srl
>> ----------------------------------------
>> m: +39 335 6055225 | skype: falegalizeit
>>
>> On 24/09/2014 11:56, Sébastien Le Ray wrote:
>>> Hi,
>>>
>>> Or you can just check the "Inherit ACLs" in windows security tab…
>>>
>>> Regards
>>>
>>> On 24/09/2014 11:43, Lorenzo Faleschini wrote:
>>>> I reply to myself for future reference
>>>>
>>>> I logged in as root on the member server and set recursively the 
>>>> ACL defaults with setfacl (so the newly created folders came with 
>>>> this mask)
>>>>
>>>> Default Owner (Read Write Execute):
>>>> default:u:administrator:rwx
>>>> Default Group (Read Write Execute):
>>>> default:g:'domain users':rwx
>>>>
>>>> then forced the ownership and group of the actual directories
>>>> Set Owner (Read Write Execute)
>>>> u:administrator:rwx
>>>> Set Group (Read Write Execute)
>>>> g:'domain users':rwx
>>>>
>>>> in one command:
>>>>
>>>> setfacl -R -m default:g:'domain users':rwx,g:'domain users':rwx,default:u:administrator:rwx,u:administrator:rwx /PATH/TO/SHARES/
>>>>
>>>>
>>>>
>>>>
>>>> Lorenzo Faleschini
>>>> IT Manager @ Nord Est Systems srl
>>>> ----------------------------------------
>>>> m: +39 335 6055225 | skype: falegalizeit
>>>>
>>>> On 23/09/2014 12:53, Lorenzo Faleschini wrote:
>>>>> Hi folks,
>>>>>
>>>>> I've a working samba 4.1 DC + a 4.1 member server, winbind and UID 
>>>>> GID working
>>>>> I have all the shares on member server, and the UNIX permissions 
>>>>> are set to 770 Administrator:DomainUsers. To rule other 
>>>>> permissions I generally use the Security TAB ACLs.
>>>>>
>>>>> my problem is:
>>>>> when a user creates a new subfolder only he can access it (and 
>>>>> no other from DomainUsers), unless I change the ACL manually.
>>>>> is there an option to set somewhere to maintain parent folder's ACLs?
>>>>>
>>>>> thanks
>>>>>
>>>>>
>>>>> -- 
>>>>>
>>>>> Lorenzo Faleschini
>>>>> IT Manager @ Nord Est Systems srl
>>>>> ----------------------------------------
>>>>> m: +39 335 6055225 | skype: falegalizeit
>>>>
>>
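
An added example, not part of the original thread: after a recursive `setfacl` like the one quoted above, this audits `getfacl` output for directories that still lack the two default entries the thread sets, which is the state that leaves newly created subfolders private to their creator. The function names, the sample paths and the user `jdoe` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads getfacl output on stdin and prints
# every path whose default ACL lacks the owner or group entry used above.
# On a live tree, feed it directories only (files carry no default ACL):
#   find /PATH/TO/SHARES -type d -exec getfacl -p {} + | missing_defaults

missing_defaults() {
    # $1 = user, $2 = group; defaults are the names used in the thread.
    awk -v u="${1:-administrator}" -v g="${2:-domain users}" '
    function report() {
        if (path != "" && !(has_user && has_group)) print path
        path = ""; has_user = 0; has_group = 0
    }
    /^# file: / { report(); path = substr($0, 9); next }
    {
        line = $0
        sub(/[ \t]*#.*$/, "", line)   # drop header lines and trailing comments
        gsub(/\\040/, " ", line)      # accept a space printed as \040 or literally
        if (line == "default:user:" u ":rwx")  has_user = 1
        if (line == "default:group:" g ":rwx") has_group = 1
    }
    END { report() }
    '
}

# Constructed sample input: one directory with both defaults, one created
# before the defaults existed, one with only the administrator default.
sample_getfacl() {
    cat <<'EOF'
# file: /srv/shares/projects
# owner: administrator
# group: domain\040users
user::rwx
group::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:group::rwx
default:group:domain\040users:rwx
default:mask::rwx
default:other::---

# file: /srv/shares/projects/newdir
# owner: jdoe
user::rwx
group::---
other::---

# file: /srv/shares/projects/partial
user::rwx
default:user:administrator:rwx
EOF
}

sample_getfacl | missing_defaults
```

This only inspects the POSIX default ACL; it does not look at the xattr mentioned in the reply above.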


