[Samba] windows acls

Rowland Penny rpenny at samba.org
Tue Mar 28 14:36:27 UTC 2023 


On 28/03/2023 15:08, Peter Carlson via samba wrote:
> 
> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>
>>
>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>> I am having troubles with windows ACLs.  I have been following the 
>>> wiki 
>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs) and must have messed something up.
>>> I can't set the permissions on the root of the share.  error: 
>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>
>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>> permissions as stated in the wiki, and set smb.conf as described. 
>>> What might I be missing?
>>>
>>> root at filesvr:~# net rpc rights list privileges 
>>> SeDiskOperatorPrivilege -U SDCP\\peter
>>> Password for [SDCP\peter]:
>>> SeDiskOperatorPrivilege:
>>>    SDCP\Domain Admins
>>>    BUILTIN\Administrators
>>>
>>> root at filesvr:~# ls -l /data
>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>
>> What are the permissions set on /data ?
>>
>> What does 'getfacl /data/test' produce ?
>>
>> Rowland
>>
> root at filesvr:~# ls -l /
> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
> 
> root at filesvr:~# getfacl /data/test
> getfacl: Removing leading '/' from absolute path names
> # file: data/test
> # owner: root
> # group: SDCP\\domain\040admins
> user::rwx
> user:root:rwx
> user:SDCP\\domain\040admins:rwx
> user:SDCP\\domain\040users:rwx
> group::rwx
> group:SDCP\\domain\040admins:rwx
> group:SDCP\\domain\040users:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:SDCP\\domain\040users:rwx
> default:group::r-x
> default:group:SDCP\\domain\040admins:r-x
> default:group:SDCP\\domain\040users:rwx
> default:mask::rwx
> default:other::r-x

OK, your user should be able to get to the 'data' directory via 'others'

drwxr-xr-x  16 root root       4096 Dec 20 13:01 data

Where, because the permissions are these:

drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test

His membership of Domain Admins should allow entry into 'test'

However, you also wrote this 'On a different server showing my 
membership', what do you get if you run 'groups' on 'filesvr' ?

Rowland

More information about the samba mailing list