[Samba] Retaining Permissions on a share

[Neil]

Hi Rowland,

Thank you for the reply and info.

On Tue, Jun 13, 2017 at 11:19 AM, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 13 Jun 2017 09:15:40 +0200
> Neil via samba <samba at lists.samba.org> wrote:
>
>
> OK, this a DC and therefore you will have to do things differently from
> a Unix domain member.
>
> You might as well remove these lines from [global]
>
>     winbind use default domain = yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> The first doesn't work on a DC and the others are built into the
> 'samba' deamon and so could be causing problems.
>
> You should also make the [HR] share look like this:
>
> [HR]
>         path = /var/lib/samba/data/data/HR
>         read only = No
>
> Now go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> You must use Windows ACLs on a DC.
>

Thanks I've cleaned up the smb.conf (and HR share) and had a full read
again, but I'm still not sure how this will prevent users from becoming
owner (shows using getfacl as the extended attributes) the files if they
save it or if they create a directory.

>From what I've seen the only difference I've done, is because I set the
permissions to 777 on the initially I didn't have to set the
SeDiskOperatorPrivilege
although I was using the user who already had this permission.

One other thing is that the current HR share is 100GB's + and changing
permissions from the Windows side takes hours, is there a quicker way to
set both the sharing permissions and the Security permissions for group
HR-group using setfacl? I've tried setting it using setfacl but couldn't
seem to get this right.

Apologies if I've misunderstood or if I'm missing something.

Thank you!

Regards.

Neil Wilson







> Rowland
>