[Samba] Setting up a Share Using Windows ACLs

Henry henry at incred.com.au
Sun Apr 23 10:53:39 UTC 2017


On 2017-04-23 17:19, Henry via samba wrote:
> On 2017-04-23 17:01, Rowland Penny wrote:
>> On Sun, 23 Apr 2017 14:07:44 +1000
>> Henry via samba <samba at lists.samba.org> wrote:
>> 
>>> Following:
>>> 
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>> 
>>> In windows:
>>> 
>>> I can set permissions under the "Share Permissions" tab.
>>> 
>>> I am unable to make ANY changes under the "Security". When I try I am
>>> presented with:
>>> 
>>> "Remotely setting permissions on the folder at the root of a share
>>> removes all inherited permissions from the root folder and all
>>> subfolders.  To set permissions without removing the inherited
>>> permissions, click No and either change the permissions on a child
>>> folder or make the change while logged in locally"
>>> 
>>> Under "Share Permissions" I have:
>>> 
>>> Domain Admins = Full Control
>>> 
>>> Domain Users = Read & Change
>>> 
>>> As it stands I am unable to access the share (using a Domain Admins
>>> account) however I am unable to do anything.
>> 
>> As it stands, when you create the share as shown on the wiki page:
>> 
>> # mkdir -p /srv/samba/Demo/
>> 
>> It ends up belonging to root:root with drwxr-xr-x permissions
>> 
>> Or to put it another way the 'root' user has full permissions on
>> the directory, members of the 'root' group have read and enter
>> permissions, the same goes for any other users or groups. This all
>> means that members of the Domain Admins group cannot write to the
>> directory.
>> 
>> Try this:
>> 
>> chown root:Domain\ Admins /srv/samba/Demo/
>> chmod 0770 /srv/samba/Demo/
>> 
>> Now try to set the permissions from windows.
>> 
>> If this works and I am sure it will, I will update the wiki page.
>> 
>> Rowland
> 
> Thanks Rowland I was wondering about this not being in the guide but
> thought best to follow it word for word. I have made the changes
> suggested:
> 
> root@aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
> 
> root@aphrodite:~# chown root:Domain\ Admins /srv/samba/data/Testing/
> root@aphrodite:~# chmod 0770 /srv/samba/data/Testing/
> 
> root@aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> user::rwx
> group::rwx
> other::---
> 
> After this I was able to access the security tab and add "Domain
> Admins" as per the guide without any errors however after that I am
> locked out again. Looking at the unix permissions I see they have now
> changed to the following and now I can't remove "Domain Admins" to get
> it back to where I was before.
> 
> root@aphrodite:~# getfacl /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::---
> group:domain\040admins:---
> mask::rwx
> other::---

OK, have now reset the ACLs back to where they were:
https://serverfault.com/questions/285597/setfacl-to-reset-file-to-default-permissions

root@aphrodite:~# getfacl -d /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins

However in Windows I am still unable to edit the "Security" permissions 
tab.
"You do not have permission to view or edit this object's permission 
settings"

I am really at a loss here as I am unable to get a Samba share working 
with Windows ACLs. Surely it cannot be this complex so what am I 
missing. All I want is a Samba share that I can control the permissions 
using Windows...