[Samba] Samba shares with Windows ACL's

Peter Pollock peter.pollock at kingschristian.org
Wed Nov 4 20:01:40 UTC 2020

> OK, you are using the winbind 'rid' backend, so it is okay to use
> 'Domain Admins', so start again and follow that wikipage:
> Ensure you have the 'acl' & 'attr' packages installed (this is what they
> are called on Debian based distros)

They are installed. I built the server using the walk through you gave me.

> Ensure that 'Domain Admins' has the 'SeDiskOperatorPrivilege' privilege,
> this must be granted on the Unix domain member, or to put it another
> way, the command must be run on the Unix domain member that holds the
> share.

 itadmin at john:~$ net rpc rights list privileges SeDiskOperatorPrivilege -U
Enter INTERNAL\administrator's password:
  INTERNAL\Domain Admins

> Ensure the share directory belongs to 'root:Domain Admins' with 0770
> permissions

itadmin at john:~$ ls -l /hdd
drwxrwx---+ 192 root   domain admins 12288 Sep  4 12:02 roaming

> Now go to a Windows PC, log in as Administrator or as a member of the
> 'Domain Admins' group.

Logged in as peterpollock

itadmin at john:~$ getent group "domain admins"

> Follow 'Setting Share Permissions and ACLs'

Followed the instructions again. Got through to the second to last line,
clicked OK to close the permissions window and a "Windows Security Setting
security information on:" window popped up and immediately an error window
popped up telling me that it could not enumerate objects in the container
and access was denied.

> Do not run chmod against the share directory once the shares are set
> from Windows.
> If it still doesn't work, suspect something like Apparmor or Selinux.

I have uninstalled Apparmor because it has only ever caused me issues.
Selinux is installed but not activated.

I'm at a loss.

> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list