[Samba] POSIX ACLs on Domain Controller.

Prunk Dump prunkdump at gmail.com
Tue Nov 3 15:00:58 UTC 2015

Hello samba team !

On my network, I mainly manage my AD users and computers from Unix
using shell scripts. So I would like to set the shares' ACLs directly
from the DC with the POSIX setfacl command.

When exporting with NFSv4, the POSIX ACLs are conserved. I can set the
permissions the same manner as for my local users.

But on DC, the "rwx" right is mapped to "full control" so my users can
delete some directories even if they are not the owner. And It seems
that the samba option "acl map full control = false" does not works on

It this a way to make a SMB share POSIX conservative on DC ? Maybe I
need to set some "xattrs" ?

Detailled description :
I have a base folder with the following right :

owner : root (rwx)
group : basegroup (r-x)
ACL: -> group : supgroup (r-x)

Containing a directory :

owner : root (rwx)
group : basegroup (r-x)
ACL: -> group : supgroup (rwx)

So the user in "basegroup" can access the tree and "supgroup" can
write inside the dirA folder.

But from windows with SMB, the basegroup can delete the dirA directory
and I don't what that !

Can someone help me ?


More information about the samba mailing list