[Samba] Setting up a Share Using Windows ACLs

Henry henry at incred.com.au
Sun Apr 23 22:59:54 UTC 2017

On 2017-04-24 01:44, Rowland Penny wrote:
> On Sun, 23 Apr 2017 20:53:39 +1000
> Henry via samba <samba at lists.samba.org> wrote:
>> root at aphrodite:~# getfacl -d /srv/samba/data/Testing
>> getfacl: Removing leading '/' from absolute path names
>> # file: srv/samba/data/Testing
>> # owner: root
>> # group: domain\040admins
>> However in Windows I am still unable to edit the "Security"
>> permissions tab.
>> "You do not have permission to view or edit this object's permission
>> settings"
>> I am really at a loss here as I am unable to get a Samba share
>> working with Windows ACLs. Surely it cannot be this complex so what
>> am I missing. All I want is a Samba share that I can control the
>> permissions using Windows...
> OK, sorry to be so long, but it turned out that I had a problem myself
> and I had to fix it (amongst other things)
> Right, if I run this:
> ls -lad /srv/samba/Demo/
> I get this:
> drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/
> Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
> the same thing.
> getfacl gives this:
> getfacl /srv/samba/Demo/
> getfacl: Removing leading '/' from absolute path names
> # file: srv/samba/Demo/
> # owner: root
> # group: unix\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:domain\040users:rwx
> group:unix\040admins:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:domain\040users:rwx
> default:group:unix\040admins:rwx
> default:mask::rwx
> default:other::---
> and on windows:
> Share permissions:
> Everyone Full control
> unix admins Full control
> domain users Full control
> Security:
> root Full control
> unix admins Full control
> domain users Modify, Read & execute, List folder contents, Read, Write
> One thing it doesn't say on the wiki page, when you grant the
> SeDiskOperatorPrivilege, you have to do it on the machine that holds
> the share.
> So, make sure that Domain Admins, on the machine that holds the share,
> has the SeDiskOperatorPrivilege. set the Unix permissions as I
> suggested and then try again from 'Computer Management' on a domain
> joined windows machine.
> Make sure that you log in as a user that is a member of Domain Admins.
> can you also test that the underlying OS knows Domain Admins with:
> getent group Domain\ Admins
> If you do not get any output, then this is part of your problem.
> Rowland

hi Rowland... one step forwards thank you.

I think I found my mistake. In Windows I was using a domain admins 
account other than administrator however only administrator has the 
SeDiskOperatorPrivilege. When I login to Windows as administrator it 
works. Now with my "testing" share I can do everything I need to ! I 
have now created a new share following this procedure and it works too 

I have two existing shares that do not display the "Security" tab in 
Windows and I have double & triple checked everything in Samba.
Does Windows/Samba cache the security settings or can I reset the 
security settings for these two shares and start again from scratch?


More information about the samba mailing list