[Samba] Adding Share Windows ACL

Rowland Penny rpenny at samba.org
Sun Jan 28 11:00:07 UTC 2018


On Sun, 28 Jan 2018 10:52:47 +0100
Micha Ballmann via samba <samba at lists.samba.org> wrote:

> I'm sorry, last mail was not complete.
> 
> ...
> -> Login to Windows with administrator and connect to FILESERVER via 
> "Computer Management" -> Choosing Demo Share and going to security Tab
> ->
> 
> Can't set any ACL because, permission denied!
> 

This is strange, it didn't work for me because the Unix permissions
were not set correctly; once I sorted those, it did work.

I tried it again, added a share to smb.conf on a Unix domain member:

[tmpshare]
    path = /srv/tmpshare
    read only = no

create the required directory:

mkdir /srv/tmpshare

check ownership & permissions:

ls -lad /srv/tmpshare
drwxr-xr-x 2 root root 4096 Jan 28 10:17 /srv/tmpshare

Now go to Win7, login as Administrator and do this:

Computer Management -> Action -> Connect to another computer ... -> Browse to computer

System tools -> ignore error -> Shared folders -> Shares 

Select 'tmpshare' -> right-click -> select 'Properties'

Check what permissions are set:

Share Permissions -> Everyone -> Full control

Security -> Everyone -> Read & execute, List folder contents, Read
root user -> special permissions -> Full control
root group -> special permissions -> Traverse folder / execute file,
              List folder / read data, Read attributes, Read extended
              attributes, Read permissions
CREATOR OWNER -> special permissions ->  Full control
CREATOR GROUP -> special permissions -> Traverse folder / execute file,
                 List folder / read data, Read attributes, Read extended
                 attributes, Read permissions

I now tried to add a user to 'Security', which seemed to work.

Back to the Unix domain member and check the permissions on the
directory:

ls -lad /srv/tmpshare
drwxrwxr-x+ 2 root root 4096 Jan 28 10:17 /srv/tmpshare
          ^ Notice the addition of the '+' sign, also the group now has
          'write' on the directory.

Check permissions with 'getfacl'

getfacl /srv/tmpshare
getfacl: Removing leading '/' from absolute path names
# file: srv/tmpshare
# owner: root
# group: root
user::rwx
user:root:rwx
user:rowland:r-x
group::r-x
group:root:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:rowland:r-x
default:group::r-x
default:group:root:r-x
default:mask::rwx
default:other::r-x

It worked, the user 'rowland' now has read & execute permissions.

If it isn't working for you, then there is obviously something wrong
with your setup.
Is SELinux or AppArmor running? If so, turn it off and try again; if it
now works, investigate using Samba with it.

If they aren't, please post these files:
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf

Rowland
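
An added example, not part of the original message: a way to audit the getfacl output shown above by applying the ACL mask to each access entry, and to report what the group column of `ls -l` displays once an ACL is present (the mask entry, not `group::`). The helper names `acl_effective` and `acl_ls_group_slot` are hypothetical, and the second ACL is a constructed variant.

```shell
# Added example; acl_effective and acl_ls_group_slot are hypothetical helper names.
# Read getfacl text on stdin and print each access entry with the mask applied.
# Default (inheritable) entries, comments and non-ACL lines are skipped.
acl_effective() {
    awk -F: '
        /^#/ || /^default:/ || NF < 3 { next }
        { sub(/[ \t]*#.*$/, "", $3) }          # drop "#effective:" remarks
        $1 == "mask" { mask = $3; next }
        { tag[++n] = $1 ":" $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = perm[i]
                # The owner (user::) and other:: entries are never masked.
                if (mask != "" && tag[i] != "user:" && tag[i] != "other:") {
                    p = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(perm[i], j, 1)
                        p = p (c == substr(mask, j, 1) ? c : "-")
                    }
                }
                print tag[i] ":" p
            }
        }'
}

# What ls -l shows in the group column: the mask when one exists, else group::.
acl_ls_group_slot() {
    awk -F: '/^default:/ { next }
             $1 == "group" && $2 == "" { g = $3 }
             $1 == "mask" { m = $3 }
             END { print (m != "" ? m : g) }'
}

# Access entries as shown in the getfacl output in the message above.
PAGE_ACL=$(printf '%s\n' user::rwx user:root:rwx user:rowland:r-x \
    group::r-x group:root:r-x mask::rwx other::r-x)
# Constructed variant: rowland is granted rwx, but the mask is only r-x.
MASKED_ACL=$(printf '%s\n' user::rwx user:rowland:rwx group::r-x mask::r-x other::r-x)

printf '%s\n' "$PAGE_ACL" | acl_effective
printf 'ls group column: %s\n' "$(printf '%s\n' "$PAGE_ACL" | acl_ls_group_slot)"
printf '%s\n' "$MASKED_ACL" | acl_effective
```

On a live system, pipe `getfacl /srv/tmpshare 2>/dev/null` into either function instead of the embedded samples.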



