[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Mon Oct 3 15:14:53 UTC 2022

On 03/10/2022 15:38, Peter Carlson via samba wrote:
> I am trying to set up a samba file server with the following 2 
> characteristics:
> 1) use RSAT tools to set ACLs

No you are not ;-)

> 2) new folders / files need to have group write permissions
>      ie: UserData = Domain Users
>      ie: AdminData = Domain Admins
>      ie: Accounting = Accounting
> I think I'm about 90% of the way there after reading and following this 
> guide: 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I think you are about 90% away from setting up the permissions
Try this smb.conf:

security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes

     path = /data/test
     comment = test
     read only = no
     acl_xattr:ignore system acls = yes

The last line in the share is interesting, it means what it it says, 
ignore the system (Linux) acls, you can set these to what you like and 
Samba WILL ignore them.

I suggest you read the wiki page again and follow it to the letter. you 
may also need to install the 'acl' and 'attr' packages.

You should also be aware that synology uses its own version of Samba, so 
something of theirs could be getting in the way, this is just a possibility.

More information about the samba mailing list