[Samba] Setting up a Share Using Windows ACLs

Rowland Penny rpenny at samba.org
Sun Apr 23 15:44:34 UTC 2017


On Sun, 23 Apr 2017 20:53:39 +1000
Henry via samba <samba at lists.samba.org> wrote:

> root at aphrodite:~# getfacl -d /srv/samba/data/Testing
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/data/Testing
> # owner: root
> # group: domain\040admins
> 
> However in Windows I am still unable to edit the "Security"
> permissions tab.
> "You do not have permission to view or edit this object's permission 
> settings"
> 
> I am really at a loss here as I am unable to get a Samba share
> working with Windows ACLs. Surely it cannot be this complex, so what
> am I missing? All I want is a Samba share whose permissions I can
> control using Windows...
> 

OK, sorry to be so long, but it turned out that I had a problem myself
and I had to fix it (amongst other things).

Right, if I run this:

ls -lad /srv/samba/Demo/

I get this:

drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/

Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
the same thing.

getfacl gives this:

getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---

and on Windows:

Share permissions:

Everyone Full control
unix admins Full control
domain users Full control

Security:

root Full control
unix admins Full control
domain users Modify, Read & execute, List folder contents, Read, Write

One thing it doesn't say on the wiki page, when you grant the
SeDiskOperatorPrivilege, you have to do it on the machine that holds
the share.

So, make sure that Domain Admins, on the machine that holds the share,
has the SeDiskOperatorPrivilege. Set the Unix permissions as I
suggested and then try again from 'Computer Management' on a
domain-joined Windows machine.

Make sure that you log in as a user that is a member of Domain Admins.

Can you also test that the underlying OS knows Domain Admins with:

getent group Domain\ Admins

If you do not get any output, then this is part of your problem.

Rowland
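The checks Rowland asks for (the group resolves via getent, and the admin group has rwx in both the access and default ACL with an unclipped mask) as a small POSIX shell script. This is an added example, not code from the thread or from Samba; SAMPLE_ACL is a constructed copy of the getfacl output above, the function and variable names are my own, and check_share assumes getfacl and getent are installed on the share host.

```shell
#!/bin/sh
# Added example (not from the thread). SAMPLE_ACL is a constructed copy of
# the reply's getfacl output so the parsing functions run without the share.
SAMPLE_ACL='# file: srv/samba/Demo/
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---'

# acl_has_rwx ACL_TEXT GROUP [default]: true when GROUP has rwx in the
# access ACL, or in the default ACL if a third argument is given.
# getfacl writes spaces as \040, so the group name is escaped the same way.
acl_has_rwx() {
    _grp=$(printf '%s' "$2" | sed 's/ /\\040/g')
    _prefix=${3:+default:}
    printf '%s\n' "$1" | grep -qxF "${_prefix}group:${_grp}:rwx"
}

# mask_is_rwx ACL_TEXT [default]: the mask entry must not clip the group.
mask_is_rwx() {
    _prefix=${2:+default:}
    printf '%s\n' "$1" | grep -qxF "${_prefix}mask::rwx"
}

# acl_ok ACL_TEXT GROUP: access and default entries present and unmasked;
# a missing default ACL (as in the question's 'getfacl -d' output) fails here.
acl_ok() {
    acl_has_rwx "$1" "$2" && acl_has_rwx "$1" "$2" default &&
        mask_is_rwx "$1" && mask_is_rwx "$1" default
}

# check_share DIR GROUP: live check on a real directory (needs getfacl/getent).
check_share() {
    getent group "$2" >/dev/null 2>&1 || { echo "group '$2' not known to the OS"; return 1; }
    _acl=$(getfacl -p "$1") || return 1
    acl_ok "$_acl" "$2" || { echo "'$2' lacks rwx in access or default ACL of $1"; return 1; }
    echo "ACL on $1 looks right for '$2'"
}
```

Run it on the share host as `check_share /srv/samba/Demo "Domain Admins"`; a non-zero exit names the condition that is missing.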