[Samba] Samba shares with Windows ACL's

Rowland penny rpenny at samba.org
Wed Nov 4 18:46:14 UTC 2020


On 04/11/2020 18:13, Peter Pollock via samba wrote:
> I'm having trouble with my new fileserver: I can't make the shares viewable
> by Windows clients.
>
> I had the same problems with the first file server I built and cannot
> remember what I did to "fix" it.
>
> I have gone through the page "Setting up a share using Windows ACL's" on
> the Samba Wiki (
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) but
> when I get to the step where I am actually setting the ACLs, when I click
> OK, it tries to apply the ACLs to all the files in the folder and comes
> back saying that it has failed to enumerate the files and access is denied.
>
> Since there are already files in the share, I used chown -R and chmod -R to
> apply the owner/group and file permissions to all files, but that didn't
> help.
>
> I have also tried it with both root as the owner and "domain admins".
>
> Since these files are not sensitive, I even tried setting the permissions
> to 777.
>
> I have rebooted also.
>
> The user I am logged in to my Windows machine with is a member of the
> domain admins group.
>
> Here's my smb.conf
>
> [global]
>    workgroup = INTERNAL
>    security = ADS
>    realm = INTERNAL.KCS
>
>    winbind use default domain = yes
>    winbind expand groups = 2
>    winbind refresh tickets = Yes
>    disable netbios = yes
>    dns proxy = no
>
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    idmap config INTERNAL : backend  = rid
>    idmap config INTERNAL : range = 10000-999999
>
>    template shell = /bin/bash
>    template homedir = /home/users/%U
>
>    # user Administrator workaround, without it you are unable to set privileges
>    username map = /etc/samba/user.map
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>
>    # Comment the following 4 lines to act as a print server
>    # printcap name = /dev/null
>    # load printers = no
>    # disable spoolss = yes
>    # printing = bsd
>
> [data]
>    path = /hdd/shares
>    read only = no
>
> [home]
>    path = /home/users/%U
>    read only = no
>
> [old-profiles]
>    path = /hdd/roaming
>    read only = no
>
> [archive]
>    path = /hdd/archive
>    read only = no
>
>
>
> and here's the getfacl of the folder in question:
>
> itadmin at john:~$ getfacl /hdd/roaming
> getfacl: Removing leading '/' from absolute path names
> # file: hdd/roaming
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> user:root:rwx
> group::rwx
> group:adm:rwx
> group:domain\040admins:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:group::rwx
> default:group:adm:rwx
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---

OK, you are using the winbind 'rid' backend, so it is okay to use 
'Domain Admins'. Start again and follow that wiki page:

Ensure you have the 'acl' & 'attr' packages installed (this is what they 
are called on Debian-based distros).

Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege' privilege. 
This must be granted on the Unix domain member, or to put it another 
way, the command must be run on the Unix domain member that holds the share.

Ensure the share directory belongs to 'root:Domain Admins' with 0770 
permissions.

Now go to a Windows PC, log in as Administrator or as a member of the 
'Domain Admins' group.

Follow 'Setting Share Permissions and ACLs'

Do not run chmod against the share directory once the shares are set 
from Windows.

If it still doesn't work, suspect something like AppArmor or SELinux.

Rowland
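The checklist in the reply, as an added shell example (it is not from either post nor from the Samba project): one function per step, plus a check that reports whether the share root is actually in the state the reply asks for before any ACL is touched from Windows. It assumes a Debian-based domain member with GNU coreutils `stat`, the realm `INTERNAL` and the path `/hdd/roaming` from the posted smb.conf, and that `winbind use default domain = yes` makes the group appear as `domain admins` without a prefix (as in the getfacl output above); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the list post's or Samba's own code). Helpers for the
# steps in the reply: install 'acl'/'attr', grant SeDiskOperatorPrivilege on
# the member that holds the share, set root:'Domain Admins' 0770 on the share
# root, and verify that state before ACLs are set from Windows.
# Assumes GNU coreutils 'stat' and a Debian-based domain member.

# Lower-case a string: winbind reports group names in lower case ('domain
# admins'), while the reply writes 'Domain Admins'; lookups are case-insensitive.
lc() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print owner:group and octal mode of a path, e.g. "root:domain admins 770".
dir_ownership() {
    stat -c '%U:%G %a' "$1"
}

# Return 0 only if DIR exists, is owned by USER:GROUP (case-insensitive) and
# has mode 0770. Separate stat calls, because 'domain admins' contains a space
# and word-splitting one combined output would break the group field.
share_dir_ok() {
    dir=$1; want_user=$2; want_group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    rc=0
    [ "$(lc "$owner")" = "$(lc "$want_user")" ] ||
        { echo "owner is '$owner', want '$want_user'" >&2; rc=1; }
    [ "$(lc "$group")" = "$(lc "$want_group")" ] ||
        { echo "group is '$group', want '$want_group'" >&2; rc=1; }
    [ "$mode" = "770" ] ||
        { echo "mode is $mode, want 770" >&2; rc=1; }
    return $rc
}

# Step 1: the package prerequisite, using the Debian package names.
install_acl_tools() {
    apt-get install -y acl attr
}

# Step 2: grant the privilege on this member and list the result so you can
# see that it took. Must be run on the member that holds the share, with a
# credential from the 'Domain Admins' group.
grant_disk_operator() {
    net rpc rights grant 'INTERNAL\Domain Admins' SeDiskOperatorPrivilege \
        -U 'INTERNAL\Administrator' &&
    net rpc rights list accounts -U 'INTERNAL\Administrator'
}

# Step 3: ownership and mode of the share root. Run this only before the ACLs
# are set from Windows; afterwards, per the reply, do not run chmod on it.
prepare_share_dir() {
    chown root:'Domain Admins' "$1" && chmod 0770 "$1"
}

# Walk-through on the real member (left commented so the file is safe to source):
#   install_acl_tools
#   grant_disk_operator
#   prepare_share_dir /hdd/roaming
#   share_dir_ok /hdd/roaming root 'Domain Admins' && echo "ready for Windows ACL setup"
```

If `share_dir_ok` passes and Windows still reports access denied, the remaining suspects are exactly the ones the reply names: the privilege grant was run on the wrong host, or AppArmor/SELinux is blocking the xattr writes that `acl_xattr` needs.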




