[Samba] Adding Share Windows ACL

Rowland Penny rpenny at samba.org
Fri Jan 26 09:35:07 UTC 2018

On Fri, 26 Jan 2018 10:10:24 +0100
Micha Ballmann via samba <samba at lists.samba.org> wrote:

> Hello,
> im trying to setup a share using windows acls. I followed the step
> ins
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> but hanging at "Adding a Share"
> # mkdir -p /srv/samba/Demo/
> # chown root:"Domain Admins" /srv/samba/Demo/
> *--> chown: ungültige Gruppe: »root:Domain Admins“*
> # net rpc rights list privileges SeDiskOperatorPrivilege -U
> "SAMDOM\administrator" SeDiskOperatorPrivilege:
>    ROOTRUDI\Domain Admins
>    BUILTIN\Administrators
> Do i need enable the UNIX Attribute for this group? I cant find any
> advice.
> Best regards
> Micha

There are two schools of thought here, yes AND no :-)

Yes, Domain Admins needs to be a Unix group.
No, because if Domain Admins is a Unix group, it cannot own GPOs in
sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.

You either need to use the 'rid' backend on Unix domain members and do
not give Domain Admins a gidNumber attribute, or create another group
(I use 'Unix Admins'), give this group a gidNumber attribute and make
the new group a member of the Domain Admins group, use this group
instead of Domain Admins.


More information about the samba mailing list