[Samba] Still can't figure out ACL issues
anrdaemon at yandex.ru
Tue Nov 24 15:34:41 UTC 2015
> Thank you for your reply.
> If you happen to read the post of 11/22, you will notice that it was not
> me who spoke ill of Samba.
> I put my bets on other people being able to figure it out; I hope that
> one of them will help me.
1. Make sure your domain groups and users are recognized on the member server.
At the very least,
$ getent passwd $USER
$ getent group "domain admins"
$ getent group "domain users"
should yield sensible results.
2. Create a new directory on the host.
# mkdir directory
# chown root:root directory
# chmod u=rwx,g=rwx,o= directory
3. Set initial ACLs.
# setfacl -m g:'domain admins':rwx directory
4. Make sure the ACL is effective.
# getfacl directory
# file: directory/
# owner: root
# group: root
5. Add your share to Samba.
In smb.conf, add a section:
path = directory
browseable = Yes
read only = No
6. Save file and reload Samba configuration.
# smbcontrol all reload-config
7. From a Windows station, open compmgmt.msc and tell it to connect to your
8. Navigate to the list of shared objects, open your newly created share
properties and change share(!) permissions. Delete "Everyone", add
"Authenticated users" and set permission to "read".
9. Fire up the Windows command prompt and incite the desired permissions on
> "%SystemRoot%\System32\icacls.exe" "\\server\sharename" /remove Everyone /inheritance:r /grant:r "<domain>\Domain Admins":(OI)(CI)(F) /grant:r "<domain>\Domain Users":(OI)(CI)(M) /grant:r "Authenticated users":(OI)(CI)(RX) /grant:r "CREATOR-OWNER":(OI)(CI)(IO)(M) /grant:r "CREATOR-GROUP":(OI)(CI)(IO)(M)
Please report back if this worked for you or not.
With best regards,
Tuesday, November 24, 2015 18:04:11
Sorry for my terrible English...
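
Added example, not part of the original post: a shell check for step 4 that reads getfacl output on stdin and reports the permissions a named group actually gets once the ACL mask entry is applied. The function name acl_effective_group is hypothetical, both getfacl listings are constructed samples, and the \040 spelling of the space in the group name is an assumption about how getfacl prints it (a literal space is accepted too).

```shell
# Print the permissions a named group really gets from getfacl output on
# stdin: the bits of its entry ANDed with the mask entry. Returns 1 if the
# group has no entry at all.
acl_effective_group() {
    awk -F: -v want="$1" '
        { sub(/[ \t]*#.*/, "") }            # drop header and #effective text
        $1 == "mask" { mask = $3 }
        $1 == "group" && $2 != "" {         # named group entries only
            name = $2; gsub(/\\040/, " ", name)
            if (name == want) perms = $3
        }
        END {
            if (perms == "") exit 1         # entry missing: setfacl did not stick
            if (mask == "") mask = "rwx"
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# Constructed sample: the ACL steps 2-3 are meant to produce.
sample_ok='# file: directory
# owner: root
# group: root
user::rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---'

# Constructed sample: same entries, but the mask was later narrowed to r-x
# (running chmod g=rx on a directory that already has an ACL does this).
sample_masked='# file: directory
# owner: root
# group: root
user::rwx
group::rwx  #effective:r-x
group:domain\040admins:rwx  #effective:r-x
mask::r-x
other::---'

printf '%s\n' "$sample_ok"     | acl_effective_group 'domain admins'
printf '%s\n' "$sample_masked" | acl_effective_group 'domain admins'
```

On the member server the same function can be fed live output, for example `getfacl directory | acl_effective_group 'domain admins'`, using the group name exactly as getent prints it.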