[Samba] Windows ACLs

Peter Carlson peter at howudodat.com
Mon Oct 3 14:38:19 UTC 2022


I am trying to set up a samba file server with the following 2 
characteristics:
1) use RSAT tools to set ACLs
2) new folders / files need to have group write permissions
     i.e.: UserData = Domain Users
     i.e.: AdminData = Domain Admins
     i.e.: Accounting = Accounting

I think I'm about 90% of the way there after reading and following this 
guide: 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Problems:
1) failed to enumerate objects in the container: Access is denied.  (https://snipboard.io/K27jAc.jpg)
2) group permissions are always 750, I would like them to be 770

Setup:
Windows Network with about a dozen workstations (Surface Pros) running 
Windows 11
Active Directory running on Synology DSM
Proxmox Hypervisor
     Guest: mariadb
     Guest: LAMP for middleware
     Guest: LAMP for public facing web server
     Guest: 3CX debian
     Guest: File Server

File Server:
Samba Version 4.15.9
Ubuntu Server 22.04.1

root@filesvr:/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "SDCP\administrator"
Password for [SDCP\administrator]:
SeDiskOperatorPrivilege:
   SDCP\linux admins
   BUILTIN\Administrators

[global]
security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

[Test]
     path = /data/test
     comment = test
     writable = yes
     guest ok = no
     inherit permissions    = yes
     inherit acls           = yes
     vfs objects = acl_xattr
     acl_xattr:ignore system acls = yes
     valid users = "@SDCP\Domain Users"

root@filesvr:/data# ls -l
drwxrwxrwt  3 root SDCP\linux admins    4096 Oct  2 15:07 test

root@filesvr:/data# ls -l test/
drwxr-xr-t 2 SDCP\office     SDCP\domain users  4096 Oct  2 15:08 officefld
-rwxr--r-- 1 SDCP\peter      SDCP\domain admins   17 Sep 30 23:59 Windows.txt

root@filesvr:/data# ls -l test/officefld/
-rw-r--r-- 1 SDCP\office SDCP\domain users 4 Oct  2 15:08 test.txt



