[Samba] Still can't figure out ACL issues

Andrey Repin anrdaemon at yandex.ru
Tue Nov 24 15:34:41 UTC 2015

Greetings, jimc!

> Thank you for your reply.

> If you happen to read the post of 11/22, you will notice that it was not 
> me who spoke ill of Samba.

> I put my bets on other people being able to figure it out; I hope that 
> one of them will help me.

Try this:
1. Make sure your domain groups and users are recognized on the member server.
At the very least,

  $ getent passwd $USER
  $ getent group "domain admins"
  $ getent group "domain users"

should yield sensible results.

2. Create a new directory on the host.

  # mkdir directory
  # chown root:root directory
  # chmod u=rwx,g=rwx,o= directory

3. Set initial ACLs.

  # setfacl -m g:'domain admins':rwx directory

4. Make sure the ACL is effective.

  # getfacl directory
  # file: directory/
  # owner: root
  # group: root

5. Add your share to Samba.

  In smb.conf, add the section:

        [sharename]
        path = directory
        browseable = Yes
        read only = No

6. Save file and reload Samba configuration.

  # smbcontrol all reload-config

7. From a Windows station, open compmgmt.msc and tell it to connect to your
member server.

8. Navigate to the list of shared objects, open your newly created share
properties and change share(!) permissions. Delete "Everyone", add
"Authenticated users" and set permission to "read".

9. Fire up the Windows command prompt and incite the desired permissions on
the share.

  > "%SystemRoot%\System32\icacls.exe" "\\server\sharename" /remove Everyone /inheritance:r /grant:r "<domain>\Domain Admins":(OI)(CI)(F) /grant:r "<domain>\Domain Users":(OI)(CI)(M) /grant:r "Authenticated users":(OI)(CI)(RX) /grant:r "CREATOR-OWNER":(OI)(CI)(IO)(M) /grant:r "CREATOR-GROUP":(OI)(CI)(IO)(M)

Please report back if this worked for you or not.

With best regards,
Andrey Repin
Tuesday, November 24, 2015 18:04:11

Sorry for my terrible English...
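
Step 4 in the message above shows only the header of the getfacl output. The following is an added example, not part of the original message: a shell check that reads getfacl text and confirms the state steps 2 to 4 aim for. The function name check_acl and both sample outputs are constructed, and the script assumes getfacl prints a space inside a group name as \040.

```shell
#!/bin/sh
# check_acl GROUP: read getfacl text on stdin and confirm the state steps 2-4 aim for:
#   the named group entry has rwx, the mask does not cut it down, other has nothing.
check_acl() {
    awk -v want="$1" '
        /^#/ || /^$/ { next }                  # header comments and blank lines
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)        # drop "#effective:" annotations
            gsub(/\\040/, " ", line)           # assumption: space in a name is printed as \040
            if (split(line, f, ":") != 3) next # skips default: entries
            if (f[1] == "group" && tolower(f[2]) == tolower(want)) grp = f[3]
            if (f[1] == "mask")  mask = f[3]
            if (f[1] == "other") other = f[3]
        }
        END {
            if (grp != "rwx")                { print "FAIL: group " want " has \"" grp "\", expected rwx"; bad = 1 }
            if (mask != "" && mask != "rwx") { print "FAIL: mask " mask " limits named entries"; bad = 1 }
            if (other != "---")              { print "FAIL: other has " other ", expected ---"; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed sample: complete output expected after steps 2 and 3.
GOOD='# file: directory/
# owner: root
# group: root
user::rwx
group::rwx
group:domain\040admins:rwx
mask::rwx
other::---'

# Constructed sample: the same directory after a later "chmod 755", which
# narrows the mask and reopens access for other.
BAD='user::rwx
group::rwx  #effective:r-x
group:domain\040admins:rwx  #effective:r-x
mask::r-x
other::r-x'

printf '%s\n' "$GOOD" | check_acl 'domain admins'
printf '%s\n' "$BAD"  | check_acl 'domain admins' || true
# Against the real directory: getfacl directory | check_acl 'domain admins'
```
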