[Samba] Windows ACLs

Peter Carlson peter at howudodat.com
Mon Oct 3 17:43:23 UTC 2022

PreScript: I am willing to purchase support if that is an option

> You should also be aware that synology uses its own version of Samba, 
> so something of theirs could be getting in the way, this is just a 
> possibility.

noted - just a point of clarification, the snyology is only serving AD, 
the file server is ubuntu

> I suggest you read the wiki page again and follow it to the letter.

ok, I spun up a new server for testing, should have done that 
before...that gives us a clean place to start.  So following the wiki 
step by step (error appears in step 7 and a snip of it is here: 
https://snipboard.io/3dlDyi.jpg ):

1) Preparing the Host - host is joined to the domain
     root at filesvr2:/data# getent passwd SDCP\\peter
     SDCP\peter:*:2001105:2000512::/home/peter at SDCP:/bin/bash

2) File System Support - all requirements met
     ext4 with the appropriate options
         root at filesvr2:/data# grep EXT4 /boot/config-`uname -r`
     acl, attr and xattr installed
         root at filesvr2:/data# apt search attr | grep -i installed
         attr/jammy,now 1:2.5.1-1build1 amd64 [installed,automatic]

         root at filesvr2:/data# apt search acl | grep -i installed
         acl/jammy,now 2.3.1-1 amd64 [installed]

         root at filesvr2:/data# apt search xattr | grep -i install
         xattr/jammy,now 0.9.7-1build4 amd64 [installed]

3) Samba has extended ACL support
     root at filesvr2:/data# smbd -b | grep HAVE_LIBACL

4) Enabled Extended ACL
     see smb.conf below

5) Granting the SeDiskOperatorPrivilege Privilege
     root at filesvr2:/data# net rpc rights list privileges 
SeDiskOperatorPrivilege -U "SDCP\administrator"
     Password for [SDCP\administrator]:
       SDCP\Linux Admins

6) Added the share and set ownership as shown
     root at filesvr2:/data# mkdir test
     root at filesvr2:/data# chown root:"SDCP\Linux Admins" test
     root at filesvr2:/data# chmod 0770 test
     root at filesvr2:/data# ls -l
     total 4
     drwxrwx--- 2 root SDCP\linux admins 4096 Oct  3 17:04 test

7) switch to windows and connect via computer management
     shares/Test has Share Permissions of Everyone = Full Control, 
Change, Read
_*Security Tab, Linux Admins has no permissions set at all.  I try to 
select them and get Access Denied*_
     getfacl shows rwx for user and group: root at filesvr2:/data# getfacl test
         # file: test
         # owner: root
         # group: SDCP\\linux\040admins

     root at filesvr2:/data# xattr -p security.NTACL test
     No such xattr: security.NTACL
     root at filesvr2:/data# xattr test

root at filesvr2:/data# cat /etc/samba/smb.conf
workgroup = SDCP
kerberos method = secrets and keytab
realm = SA*****NT.LOCAL
template shell = /bin/bash

security = ads
idmap config SDCP : range = 2000000-2999999
idmap config SDCP : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb
winbind refresh tickets = yes
winbind offline logon = yes
vfs objects = acl_xattr
map acl inherit = yes

     path = /data/test
     comment = test
     read only = no
     acl_xattr:ignore system acls = yes

More information about the samba mailing list