[Samba] Windows ACL clarification for Roaming Profiles share

Lenard Fudala lfudala at themxgroup.com
Wed Feb 15 22:47:37 UTC 2017

The following wiki pages have varying suggestions on what to use for
Windows ACLs on a Samba share.


The different suggestions on the referenced wiki pages, without explanation
of the choices, causes a lot of confusion. Most importantly, they reference
each other without clarifying exactly what parts to use from the other

The goal here is Roaming Profiles and Folder Redirection, each with its own
share. Samba 4.3.11 on Ubuntu 16.04.2 with Windows 7 clients for now,
Windows 10 eventually.

What I've managed to come up with for share permissions:

Authenticated Users
 - Read
 - Change (can't create directory without)

Domain Admins
 - Full control

For the ACLs on the root folder of the share:

CREATOR OWNER - Subfolders and files only
 - Full Control

Domain Admins - This folder, subfolders, and files
 - Full Control

Authenticated Users - This folder only
 - Traverse folder/execute file, List folder/read data, Create
folder/append data

The majority of the guides outside of the wiki suggest Windows wants to see
SYSTEM in the ACL list with Full Control. So far, in isolated testing, my
permissions work fine. Is there any need for this extra ACL that may not be
obvious currently?

More information about the samba mailing list