[Samba] Standalone with Windows ACL
Tercio Gaudencio Filho
terciofilho at gmail.com
Fri Oct 6 15:31:30 UTC 2017
I'm sorry for the delay, I got pretty busy down here.
First things first, it's working now, thanks!
I'll leave it here in case anyone is trying to do the same thing.
apt-get install samba smbclient samba-vfs-modules acl attr
# Global parameters
[global]
workgroup = WORKGROUP
security = USER
server role = standalone server
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
usershare path =
# Disable Printing
disable spoolss = Yes
load printers = No
printcap name = /dev/null
printing = bsd
map to guest = Bad User
obey pam restrictions = Yes
dns proxy = No
passdb backend = tdbsam
# Enable Win ACLs
store dos attributes = Yes
map acl inherit = Yes
vfs objects = acl_xattr
# Share section (header missing from the archived post; name assumed from the path)
[myshare]
path = /srv/samba/myshare
read only = No
I have to add the "SeDiskOperatorPrivilege" right to the user that wants to
manage permissions using Windows:
net rpc rights grant "UNIX_USERNAME" SeDiskOperatorPrivilege -U "root"
On Thu, Oct 5, 2017 at 4:11 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Wed, 04 Oct 2017 22:08:29 +0000
> Tercio Gaudencio Filho via samba <samba at lists.samba.org> wrote:
> > I'm configuring a standalone server (server role = standalone server)
> > using POSIX ACLs to manage permissions on server.
> > I need to manage permissions (at least basic ones, like read, write)
> > from Windows GUI.
> Ah, so you don't want to use POSIX ACLs, you want to use Windows ACLs
> > Is that possible using standalone?
> > When I try setting permissions on Windows I got this on the log:
> > [2017/10/04 19:07:08.437837, 2]
> > ../source3/smbd/posix_acls.c:3006(set_canon_ace_list)
> > set_canon_ace_list: sys_acl_set_file type file failed for file
> > AD225.TXT (Operation not permitted).
> > I issued grant on server (tercio is my username):
> > net rpc rights grant "tercio" SeDiskOperatorPrivilege -U "root"
> > My conf:
> > # Global parameters
> > [global]
> > workgroup = SER-CAPITAL
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > panic action = /usr/share/samba/panic-action %d
> > usershare path =
> > map to guest = Bad User
> > obey pam restrictions = Yes
> > server role = standalone server
> > dns proxy = No
> > idmap config * : backend = tdb
> > [MyShare]
> > path = /srv/samba/MyShare
> > read only = No
> You don't say what OS you are using, but on debian, you need to install
> the acl & attr packages.
> You need to be using a filesystem that understands ACLs, such as ext4
> You also need to add these lines to smb.conf:
> security = user
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> There is also a Samba wiki page about this:
Tercio Gaudencio Filho
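An added example, not part of the original thread or of Samba: a small Python check that reports shares whose effective settings lack the three Windows-ACL parameters listed in the thread. The function names and the sample configurations (shortened from the two in the thread) are constructed for illustration, and an unset parameter is counted as missing rather than resolved against Samba's built-in defaults.

```python
import configparser

# Parameters the thread lists as needed for Windows ACLs, with a value test for each.
YES = ("yes", "true", "1")
REQUIRED = {
    "vfs objects": lambda v: "acl_xattr" in v.lower().split(),
    "map acl inherit": lambda v: v.lower() in YES,
    "store dos attributes": lambda v: v.lower() in YES,
}
SPECIAL = ("global", "homes", "printers")  # not ordinary file shares

def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())

def load(text):
    """Parse smb.conf text into {section: {normalised parameter: value}}."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), strict=False, default_section="<none>")
    cp.optionxform = norm
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def audit(text):
    """Return (share, parameter) pairs whose effective value is missing or wrong."""
    conf = load(text)
    glob = conf.get("global", {})
    findings = []
    for share, params in conf.items():
        if share not in SPECIAL:
            effective = {**glob, **params}  # a share-level value replaces the global one
            findings += [(share, key) for key, ok in REQUIRED.items()
                         if not ok(effective.get(norm(key), ""))]
    return findings

# Constructed samples, shortened from the two configurations in the thread.
BEFORE = """[global]
    map to guest = Bad User
[MyShare]
    path = /srv/samba/MyShare
"""
AFTER = """[global]
    store dos attributes = Yes
    map acl inherit = Yes
    vfs objects = acl_xattr
[myshare]
    path = /srv/samba/myshare
"""
print(audit(BEFORE), audit(AFTER))
```

A share that sets its own `vfs objects` line without `acl_xattr` is reported as well, because the share-level list replaces the global one.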