[Samba] Setting up a Share Using Windows ACLs

Henry henry at incred.com.au
Sun Apr 23 07:19:22 UTC 2017



On 2017-04-23 17:01, Rowland Penny wrote:
> On Sun, 23 Apr 2017 14:07:44 +1000
> Henry via samba <samba at lists.samba.org> wrote:
> 
>> Following:
>> 
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> 
>> In windows:
>> 
>> I can set permissions under the "Share Permissions" tab.
>> 
>> I am unable to make ANY changes under the "Security". When I try I am
>> presented with:
>> 
>> "Remotely setting permissions on the folder at the root of a share
>> removes all inherited permissions from the root folder and all
>> subfolders.  To set permissions without removing the inherited
>> permissions, click No and either change the permissions on a child
>> folder or make the change while logged in locally"
>> 
>> Under "Share Permissions" I have:
>> 
>> Domain Admins = Full Control
>> 
>> Domain Users = Read & Change
>> 
>> As it stands I am unable to access the share (using a Domain Admins
>> account) however I am unable to do anything.
> 
> As it stands, when you create the share as shown on the wiki page:
> 
> # mkdir -p /srv/samba/Demo/
> 
> It ends up belonging to root:root with drwxr-xr-x permissions
> 
> Or to put it another way the 'root' user has full permissions on
> the directory, members of the 'root' group have read and enter
> permissions, the same goes for any other users or groups. This all
> means that members of the Domain Admins group cannot write to the
> directory.
> 
> Try this:
> 
> chown root:Domain\ Admins /srv/samba/Demo/
> chmod 0770 /srv/samba/Demo/
> 
> Now try to set the permissions from windows.
> 
> If this works and I am sure it will, I will update the wiki page.
> 
> Rowland

Thanks Rowland, I was wondering about this not being in the guide but 
thought it best to follow it word for word. I have made the changes 
suggested:

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root@aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
root@aphrodite:~# chmod 0770 /srv/samba/data/Testing/

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
group::rwx
other::---

After this I was able to access the security tab and add "Domain Admins" 
as per the guide without any errors; however, after that I am locked out 
again. Looking at the unix permissions, I see they have now changed to 
the following, and now I can't remove "Domain Admins" to get it back to 
where I was before.

root@aphrodite:~# getfacl /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
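
Added example, not part of the original message or the Samba wiki: a small Python evaluator that applies the acl(5) access-check order to getfacl text, run here on the final listing above. The account name `dadmin` and its group membership are assumptions; root's capability override and smbd's own NT ACL handling are not modelled.

```python
# Added example: POSIX ACL check order over getfacl text; "dadmin" is a hypothetical account.
FINAL_ACL = r"""# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins
user::rwx
user:root:rwx
group::---
group:domain\040admins:---
mask::rwx
other::---
"""

def _name(s):
    return s.strip().replace("\\040", " ")  # getfacl escapes a space as \040

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = _name(line.split(":", 1)[1])
        elif line.startswith("# group:"):
            group = _name(line.split(":", 1)[1])
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, _name(qualifier), perms[:3]))
    return owner, group, entries

def allows(acl_text, user, groups, want):
    """True if `user` (member of `groups`) gets every permission in `want`, e.g. "rx"."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    def grants(perms, masked):
        eff = {c for c in perms if c != "-" and (not masked or c in mask)}
        return set(want) <= eff
    if user == owner:                       # 1. owner: user:: entry, never masked
        return grants(next(p for t, q, p in entries if t == "user" and not q), False)
    for t, q, p in entries:                 # 2. named user entry, masked
        if t == "user" and q == user:
            return grants(p, True)
    matched = [p for t, q, p in entries     # 3. owning group and named groups, masked
               if t == "group" and (q or owning_group) in groups]
    if matched:                             # any match here means "other" is never used
        return any(grants(p, True) for p in matched)
    return grants(next(p for t, _, p in entries if t == "other"), False)   # 4. other

print(allows(FINAL_ACL, "dadmin", {"domain admins"}, "r"))
```

Both group entries that match a Domain Admins member in the final listing carry `---`, so the check stops at step 3 with no access, whatever the mask says.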



