[Samba] Samba shares with Windows ACL's

Peter Pollock peter.pollock at kingschristian.org
Wed Nov 4 18:13:23 UTC 2020

I'm having trouble with my new fileserver: I can't make the shares viewable
by Windows clients.

I had the same problems with the first file server I built and cannot
remember what I did to "fix" it.

I have gone through the page "Setting up a share using Windows ACLs" on
the Samba Wiki (
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs), but
when I get to the step where I am actually setting the ACLs, when I click
OK, it tries to apply the ACLs to all the files in the folder and comes
back saying that it has failed to enumerate the files and access is denied.

Since there are already files in the share, I used chown -R and chmod -R to
apply the owner/group and file permissions to all files, but that didn't

I have also tried it with both root as the owner and "domain admins".

Since these files are not sensitive, I even tried setting the permissions
to 777.

I have rebooted also.

The user I am logged in to my Windows machine with is a member of the
domain admins group.

Here's my smb.conf:

  workgroup = INTERNAL
  security = ADS
  realm = INTERNAL.KCS

  winbind use default domain = yes
  winbind expand groups = 2
  winbind refresh tickets = Yes
  disable netbios = yes
  dns proxy = no

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config INTERNAL : backend = rid
  idmap config INTERNAL : range = 10000-999999

  template shell = /bin/bash
  template homedir = /home/users/%U

  # user Administrator workaround, without it you are unable to set
  username map = /etc/samba/user.map

  vfs objects = acl_xattr
  map acl inherit = Yes

  # Comment the following 4 lines to act as a print server
  # printcap name = /dev/null
  # load printers = no
  # disable spoolss = yes
  # printing = bsd

  path = /hdd/shares
  read only = no

  path = /home/users/%U
  read only = no

  path = /hdd/roaming
  read only = no

  path = /hdd/archive
  read only = no

and here's the getfacl of the folder in question:

itadmin@john:~$ getfacl /hdd/roaming
getfacl: Removing leading '/' from absolute path names
# file: hdd/roaming
# owner: domain\040admins
# group: domain\040admins
