[Samba] ACL set in Windows not set in Samba

Viktor Trojanovic viktor at troja.ch
Sun May 13 20:25:12 UTC 2018

On 13 May 2018 at 21:17, Viktor Trojanovic <viktor at troja.ch> wrote:

> Hi Rowland,
> Thanks for replying again.
> On 13 May 2018 at 18:12, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>> On Sun, 13 May 2018 17:39:39 +0200
>> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>> [...]
>> >   username map = /etc/samba/samba_usermap
>> What is in the 'samba_usermap' ?
> !root = SAMDOM\Administrator SAMDOM\administrator
>> > [myshare]
>> >   path = /srv/samba/myshare
>> >   comment = "My Data"
>> >   guest ok = no
>> >   writeable = yes
>> >   create mask = 0666
>> >   directory mask = 0777
>> >   acl_xattr:ignore system acls = yes
>> As you are trying to use Windows ACLs, you should follow the info on
>> the page you linked and stop getting creative ;-)
> Trust me, I have no intention of getting creative. This is how I set up
> the share a year or two ago and haven't changed it in the meantime. It used
> to work. Now all of a sudden something doesn't.
>> Remove the 'guest ok' line, it is the default.
>> Remove the two 'mask' lines, the last line is actually telling Samba
>> to ignore them.
> Yes, I read that, but didn't hurry to remove them as they shouldn't hurt.
> Will do so now, though.
>> > Slightly off topic: Is my assumption correct that gidNumbers and
>> > uidNumbers do not need to be distinct between each other, i.e. can a
>> > user have the same number as uidNumber that a group has as gidNumber?
>> Yes, whilst every user must have a unique uidNumber and every group
>> must have a unique gidNumber, there is nothing stopping a user and a
>> group having the same number.
> That's what I thought, thanks.
> Not knowing what else to try, I'll just go ahead and restart everything
> and see if this has any impact.

Restarting everything didn't help.

Situation is as follows: I have the share "myshare" exactly as described in
smb.conf above. Within this share, from within Windows and as
SAMDOM\Administrator, I'm creating a new folder. This new folder by default
only has permissions for "Domain Admins". So, still using Windows, I'm
changing the ACL and include "Domain Users", for example. This group exists
and has a unique gidNumber.

$ getent group
domain users:x:10000:
domain admins:x:10001:

I save this setting and Windows shows me that the group "Domain Users" is
permitted on the folder.

Back to Linux, however, getfacl still shows only "Domain Admins".

$ getfacl /srv/samba/myshare/Test/
# file: Test/
# owner: root
# group: root

Side question: How is it even possible that Windows "remembers" the ACL it
sets but it's not visible on Linux when using getfacl?

Anyway, hope someone can give me a helpful hint as to what I'm doing wrong.


More information about the samba mailing list