[Samba] Cannot change NTACL for share from Windows

Rowland penny rpenny at samba.org
Sun May 31 16:02:44 UTC 2020

On 31/05/2020 16:37, Viktor Trojanovic via samba wrote:
> I just joined a freshly installed Linux machine with Samba 4.11.6 to my
> Windows AD, as a domain member. Followed the Wiki to a T, domain join
> without errors, I can enumerate users/groups, I can create shares and work
> with them from Windows (all that matters to me).
> Unfortunately, however, I don't seem to be able to change share security
> settings, i.e. ACL from Windows. Whenever I do so, I get the error message
> that "access is denied". Creating folders within the share and changing
> ACLs for these works without issues, it's just the root folder of the share
> I have problems with.
> I chose to go with the ad IDMAP backend. Of course, all recommendations are
> followed:
> - Administrator and Domain Admins have no uidNumber/gidNumber set, all
> others do. Though that shouldn't be relevant at this point since I'm only
> accessing the shares from Windows.
> - Administrator is mapped to root in user.map
> - SeDiskOperatorPrivilege was given to new group "Unix Admins" which owns
> the shares, together with root. Which still shouldn't matter here because
> up to now everything was done using the Administrator account, mapped to
> root.
> - All shares are chmodded to 0770
> - Share definitions in smb.conf are just 3 lines, as recommended in the
> Wiki: share name, folder location, read only = no
OK, let's start with the obvious, you have:

workgroup = SAMDOMAIN

idmap config hq:backend = ad

Is 'SAMDOMAIN' actually 'HQ' ?

Do all your users have a uidNumber attribute containing a number inside 
10000-999999 ?

Does Domain Users have a gidNumber attribute containing a number inside 
10000-999999 ?

Is AppArmor (or SELinux) running and denying access ?


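The first two of Rowland's questions (does the short domain name in "idmap config DOM:..." match "workgroup", and do the uidNumber/gidNumber values fall inside the range configured for that backend) can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf-style text with POSIX awk, reports whether every "idmap config DOM:backend = ad" line names the workgroup, and tests whether a given id lies in that domain's range. Both smb.conf fragments are constructed for the example; the first deliberately reproduces the mismatch quoted above (SAMDOMAIN vs hq), the second is the corrected form. Everything else (the realm, the ranges, the sample ids) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the idmap section of a
# Samba AD domain member's smb.conf. Constructed input, not a real site config.

# Broken: "workgroup" and the ad-backend domain tag disagree.
SAMPLE_SMB_CONF='[global]
   workgroup = SAMDOMAIN
   security = ADS
   realm = SAMDOMAIN.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config hq:backend = ad
   idmap config hq:schema_mode = rfc2307
   idmap config hq:range = 10000-999999
   idmap config hq:unix_nss_info = yes
'

# Fixed: the same config with workgroup set to the short domain name (assumed HQ).
FIXED_SMB_CONF=$(printf '%s\n' "$SAMPLE_SMB_CONF" | sed 's/^   workgroup = SAMDOMAIN$/   workgroup = HQ/')

# smb_param CONF KEY: print KEY's value. Keys are compared case-insensitively
# with whitespace around ':' removed, so "idmap config hq : range" and
# "idmap config hq:range" (both accepted by Samba, and testparm prints the
# spaced form) are the same key.
smb_param() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        BEGIN { key = tolower(key); gsub(/[ \t]*:[ \t]*/, ":", key) }
        {
          k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
          gsub(/[ \t]*:[ \t]*/, ":", k); k = tolower(k)
          if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }'
}

# idmap_ad_domains CONF: print every domain tag whose idmap backend is "ad".
idmap_ad_domains() {
    printf '%s\n' "$1" | awk -F= '
        {
          k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k); gsub(/[ \t]*:[ \t]*/, ":", k)
          v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
          if (tolower(k) ~ /^idmap config [^:]+:backend$/ && tolower(v) == "ad") {
            d = substr(k, 14); sub(/:.*$/, "", d); print d   # strip "idmap config " and ":backend"
          }
        }'
}

# check_workgroup_matches_idmap CONF: 0 if each ad-backend domain tag equals
# "workgroup" (case-insensitive), 1 otherwise. For a single-domain member the
# tag must be the short domain name; with a trusted domain extra tags are
# expected and this check would need a list of allowed names instead.
check_workgroup_matches_idmap() {
    wg=$(smb_param "$1" workgroup | tr '[:lower:]' '[:upper:]')
    for d in $(idmap_ad_domains "$1"); do
        if [ "$(printf '%s' "$d" | tr '[:lower:]' '[:upper:]')" != "$wg" ]; then
            echo "MISMATCH: workgroup=$wg but idmap backend ad is configured for '$d'" >&2
            return 1
        fi
    done
    return 0
}

# id_in_idmap_range CONF DOMAIN NUMBER: 0 if NUMBER lies inside
# "idmap config DOMAIN:range = LOW-HIGH", 1 if outside or no range is set.
id_in_idmap_range() {
    range=$(smb_param "$1" "idmap config $2:range")
    lo=${range%-*}; hi=${range#*-}
    [ -n "$range" ] && [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]
}

# report CONF LABEL: human-readable summary; never returns non-zero.
report() {
    echo "== $2"
    if check_workgroup_matches_idmap "$1" 2>&1; then echo "workgroup/idmap tag: OK"; fi
    for d in $(idmap_ad_domains "$1"); do
        for n in 10001 5000; do   # assumed sample uidNumber values
            if id_in_idmap_range "$1" "$d" "$n"; then echo "id $n inside $d range"
            else echo "id $n OUTSIDE $d range (winbind will not map it)"; fi
        done
    done
    return 0
}

report "$SAMPLE_SMB_CONF" "constructed broken config"
report "$FIXED_SMB_CONF" "constructed fixed config"
```

On a live member the same functions can be fed the effective configuration with `smb_param "$(testparm -s 2>/dev/null)" workgroup`; the ids to test come from AD rather than from the script, for example the uidNumber shown by `wbinfo -i 'HQ\someuser'` or `getent passwd 'HQ\someuser'` (an empty result from those is itself the symptom of an id outside the range or of the tag mismatch). Rowland's third question is answered on the host, not in smb.conf: `aa-status` and `getenforce` show whether AppArmor or SELinux is enforcing, and a denial shows up in `dmesg` or `journalctl -k` rather than as a Samba error.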