[Samba] POSIX ACLs on Domain Controller.

Marc Muehlfeld mmuehlfeld at samba.org
Tue Nov 3 15:10:39 UTC 2015

Hello Baptiste,

Am 03.11.2015 um 16:00 schrieb Prunk Dump:
> On my network, I mainly manage my AD users and computers from Unix
> using shell scripts. So I would like to set the shares' ACLs directly
> from the DC with the POSIX setfacl command.
> When exporting with NFSv4, the POSIX ACLs are conserved. I can set the
> permissions the same manner as for my local users.
> But on DC, the "rwx" right is mapped to "full control" so my users can
> delete some directories even if they are not the owner. And It seems
> that the samba option "acl map full control = false" does not works on
> DC.
> It this a way to make a SMB share POSIX conservative on DC ? Maybe I
> need to set some "xattrs" ?

DCs have hard-coded globally enabled stuff that is required for shares
with Windows ACLs
(https://wiki.samba.org/index.php/Shares_with_Windows_ACLs). As far as I
know, you can't disable it for some shares. You might think about
setting up a domain member to provide shares with POSIX ACLs.


More information about the samba mailing list