[Samba] Setting up ACL definitions in smb.conf for maximum Windows server compatibility

Rowland Penny rpenny at samba.org
Sat Jan 14 15:39:38 UTC 2023

On 14/01/2023 14:45, Peter Milesson via samba wrote:
> Hi folks,
> Presently I have got an ageing Samba member server (4.10.16) under 
> CentOS 7.9, so, I'm setting up a new Samba member server to replace the 
> old server. I have made an initial installation with Debian Bookworm, as 
> I want to keep at least Samba fairly up to date.

You are now ahead on the OS (bookworm hasn't been released yet).
> It's a small Samba based domain (Louis' packages 4.15.7)

And behind with Samba, the latest is 4.17.4
I also cannot recommend using Louis's repo, it hasn't been updated for 
quite some time and it might never be updated again.
I suggest that you use Debian Bullseye and Samba from backports, this 
will get you Samba 4.17.4

> with about 15
> users and a few Windows based production machine controllers. There are 
> several groups, where almost everybody has got a specific mix of access 
> permissions to different shares. Mostly, a specific group has got full 
> permissions on a share, and I want to keep inheritance through Windows 
> ACLs, unless otherwise set up for specific folders inside that share. 
> Except for data shares, there are user profiles (using folder 
> redirection) stored on the old server and they are also going to be 
> migrated to the new box. The domain is mostly managed with Microsoft's 
> RSAT tools (users/machines/shares/GPOs). There are no Linux users and 
> will never be, except administrative user accounts for common Linux 
> administration tasks.

You are a bit wrong there, because you are using the 'rid' idmap 
backend, all your AD users will be Linux users.

> I want the shares in the new server to have maximum possible Windows 
> server compatibility to minimize quirks and non standard behavior. So I 
> kindly ask the list for comments on my configuration.

As you have only Windows clients, I suggest you set the permissions from 
Windows, see here:


and here:


Because of the above, I would remove a few lines from your smb.conf:

    acl group control = yes
    inherit owner = windows and linux
    inherit acls = yes

When creating your shares, only add the lines shown in the links above.
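As an added check that is not part of this thread (not Rowland's or Peter's), the script below parses an smb.conf, keeping track of the `[section]` each directive belongs to, and reports every occurrence of the three parameters the reply suggests removing (`acl group control`, `inherit owner`, `inherit acls`). The smb.conf it reads is a constructed sample embedded in the script; the share names, paths and the other global settings in it are assumptions for the demo, and in practice you would point `flag_acl_overrides` at `/etc/samba/smb.conf` instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report smb.conf directives
# that override Windows-managed ACL inheritance, with the section they sit in.

# Constructed sample configuration for the demo (names and paths are made up).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config * : backend = tdb
    idmap config SAMDOM : backend = rid
    vfs objects = acl_xattr
    map acl inherit = yes

[data]
    path = /srv/samba/data
    read only = no
    acl group control = yes
    inherit owner = windows and linux
    inherit acls = yes

[profiles]
    path = /srv/samba/profiles
    read only = no
EOF

# flag_acl_overrides FILE
# Prints one line per flagged directive: "section<TAB>parameter<TAB>value".
# Parameter names are normalised (case and whitespace) so "Inherit  ACLs"
# and "inherit acls" are treated as the same key.
flag_acl_overrides() {
    awk -F'=' '
        /^[[:space:]]*[#;]/ { next }                         # skip comment lines
        /^[[:space:]]*\[/ {                                  # [section] header
            sec = $0
            sub(/^[[:space:]]*[[]/, "", sec)
            sub(/[]][[:space:]]*$/, "", sec)
            next
        }
        NF >= 2 {                                            # "key = value" line
            key = $1
            sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            gsub(/[[:space:]]+/, " ", key); key = tolower(key)
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "acl group control" || key == "inherit owner" || key == "inherit acls")
                printf "%s\t%s\t%s\n", sec, key, val
        }' "$1"
}

# count_acl_overrides FILE -> number of flagged directives
count_acl_overrides() {
    flag_acl_overrides "$1" | wc -l | tr -d ' '
}

flag_acl_overrides "$SAMPLE_CONF"
```

On the sample above the script lists the three directives in the `[data]` share and nothing for `[global]` or `[profiles]`; a non-zero count from `count_acl_overrides` is the cue to revisit that share and let the Windows-side ACLs drive inheritance instead.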
