[Samba] Windows ACLs

Peter Carlson peter at howudodat.com
Mon Oct 3 19:17:10 UTC 2022

On 10/3/22 11:11, Rowland Penny via samba wrote:
> Remember what I said about 'acl_xattr:ignore system acls = yes', well 
> I think this could be the problem, a bit of a chicken and egg problem. 
> Until you set the permissions from Windows, it is likely that there 
> are no Windows permissions and because you have set the above line, 
> you cannot get permission to set them. So try removing the 
> 'acl_xattr:ignore system acls = yes' line and try again.
> Rowland
This did the trick to get permissions set on the share. It is set for 
Domain Admins and Domain Users as Full Control.   I can now connect to 
the server as a domain admin and domain user and create a folder and 
text file in each folder.  So that's awesome.  Couple of things I noted 
which are still outstanding:

1.  new folders are created with Read only set, whether created by 
member of domain admin or domain user.  I would normally use directory 
mask and create mask to control this, but since this is all now 
controlled with windows ACLs, I'm not sure how to set a default mask (or 
the default group for that matter, peter is a member of Linux Admins, 
Domain Admins and Domain Users)

2.  after removing read only and setting Domain Users to Full Control

     a) peter (domain admin) creates a text file and writes to it.  
office (domain user) can open that file and write to it. Perfect!

     b) peter (domain admin) has read access to the folder and file 
created by the domain user.  but I should have full access, in fact when 
evaluating access in windows, it says full access ( 
https://snipboard.io/rqk7C0.jpg )

More information about the samba mailing list