[Samba] Windows Admin user can't change Permission.

Jason Long hack3rcon at yahoo.com
Tue Feb 17 06:49:11 MST 2015

According to the "https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs", I run my Samba share but can't add permission to directory via admin user or other users that are administrator.
My samba config is :

workgroup = JASONDOMAIN
security = ADS
netbios name = printmah

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map


winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes

## map id's outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config JASONDOMAIN : backend = rid
idmap config JASONDOMAIN : range = 10000-999999

wins server =,,

domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set 
username map = /etc/samba/user.map

# For ACL support on member server
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
template shell = /bin/sh
template homedir = /home/%U
name resolve order = lmhosts wins bcast host

path = /home/jason/Desktop/photo
read only = no
browseable = yes

I had a problem with SElinux that solved by enter below commands :

setenforce 0

chcon -t samba_share_t -R /path/to/share
setenforce 1

The problem solved but I can't change or add permission to directory via Windows as "Setup share permissions" section.I use "jason" account that is exist in administrator group but Jason can't too.

How can I solve it? 

More information about the samba mailing list