[Samba] Dir ACL through windows and chmod

Rowland Penny rpenny at samba.org
Wed Apr 12 09:13:01 UTC 2017

On Wed, 12 Apr 2017 11:26:15 +0300
Dmitry via samba <samba at lists.samba.org> wrote:

> In need folders have to be seen (and accessed) only by appropriate 
> domain groups. For example, there are domain groups g01, g02, g03,
> etc, users in these groups have to see only "their" folders: u01 - 
> \\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03
> This is done by "Hide unreadable = yes" in smb.conf, by granting
> access (using "Security" tab in windows' folder rights) for concrete
> group to concrete directory and then chmod'ing this folder to 0770.
> But, if then I again modify ACLs through "Security" (for example -
> adding another group access to folder) samba sets 0777 to this folder
> and it becomes "visible" to all others. And I have again set 0770 on
> Samba server. This seems to work, but:
> - not good to windows admins, which only has to know about "Security" 
> tab in folder rights;
> - mixing ACLs with unix rights makes a mess and seems not right way
> to solve task.
> What is the "right way" to do such task?

You could investigate using 'access based share enum = yes'

and setting the permissions from Windows, see here:


You will also need to remove these lines:

     valid users = @"Domain Users" @"Domain Admins" @all
     admin users = admin @it
#    inherit acls = yes
     force create mode = 0777
     directory mask = 0770
     hide unreadable = yes


More information about the samba mailing list