[Samba] windows acls

Rowland Penny rpenny at samba.org
Tue Mar 28 15:40:15 UTC 2023



On 28/03/2023 15:50, Peter Carlson via samba wrote:
> 
> On 3/28/23 07:36, Rowland Penny via samba wrote:
>>
>>
>> On 28/03/2023 15:08, Peter Carlson via samba wrote:
>>>
>>> On 3/28/23 01:33, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 28/03/2023 01:59, Peter Carlson via samba wrote:
>>>>> I am having trouble with Windows ACLs. I have been following the wiki
>>>>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
>>>>> and must have messed something up.
>>>>> I can't set the permissions on the root of the share. error: 
>>>>> https://pasteboard.co/yJadpk2bH0pJ.png
>>>>>
>>>>> I set the SeDiskOperatorPrivilege, created the folder with 
>>>>> permissions as stated in the wiki, and set smb.conf as described. 
>>>>> What might I be missing?
>>>>>
>>>>> root at filesvr:~# net rpc rights list privileges SeDiskOperatorPrivilege -U SDCP\\peter
>>>>> Password for [SDCP\peter]:
>>>>> SeDiskOperatorPrivilege:
>>>>>    SDCP\Domain Admins
>>>>>    BUILTIN\Administrators
>>>>>
>>>>> root at filesvr:~# ls -l /data
>>>>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>>>
>>>> What are the permissions set on /data ?
>>>>
>>>> What does 'getfacl /data/test' produce ?
>>>>
>>>> Rowland
>>>>
>>> root at filesvr:~# ls -l /
>>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>>
>>> root at filesvr:~# getfacl /data/test
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: data/test
>>> # owner: root
>>> # group: SDCP\\domain\040admins
>>> user::rwx
>>> user:root:rwx
>>> user:SDCP\\domain\040admins:rwx
>>> user:SDCP\\domain\040users:rwx
>>> group::rwx
>>> group:SDCP\\domain\040admins:rwx
>>> group:SDCP\\domain\040users:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:SDCP\\domain\040users:rwx
>>> default:group::r-x
>>> default:group:SDCP\\domain\040admins:r-x
>>> default:group:SDCP\\domain\040users:rwx
>>> default:mask::rwx
>>> default:other::r-x
>>
>> OK, your user should be able to get to the 'data' directory via 'others'
>>
>> drwxr-xr-x  16 root root       4096 Dec 20 13:01 data
>>
>> Where, because the permissions are these:
>>
>> drwxrwx---+  4 root SDCP\domain admins    4096 Oct  3 08:45 test
>>
>> His membership of Domain Admins should allow entry into 'test'
>>
>> However, you also wrote this 'On a different server showing my 
>> membership', what do you get if you run 'groups' on 'filesvr' ?
>>
>> Rowland
>>
>>
> OK, on the filesvr I can get to things as me:
> SDCP\peter at filesvr:~$ groups
> SDCP\domain admins BUILTIN\administrators BUILTIN\users SDCP\domain 
> users SDCP\denied rodc password replication group SDCP\dbusers 
> SDCP\peter SDCP\linux admins SDCP\remotedesktop SDCP\nextcloud users
> SDCP\peter at filesvr:~$ cd /data/test
> SDCP\peter at filesvr:/data/test$ ls
> officefld  peter-ad.txt  peter.txt  root.txt  test  Windows.txt
> SDCP\peter at filesvr:/data/test$ cat peter.txt
> 
> test from peter
> 
> However, on Windows I get access denied both when trying to set 
> permissions via Computer Management on the root of the share and 
> when trying to access the share via File Explorer.


I am using Samba 4.17.5 on a test machine with a share set up exactly 
like yours and using Computer Management on a Win10 computer, everything 
works for me.

After comparing your smb.conf with mine, could you please try adding 
'winbind expand groups = 2' to your smb.conf, reload or restart Samba 
and try again.

Rowland
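The following Python is an added illustration, not code from this thread or from Samba: it parses a getfacl listing like the one quoted above and evaluates it the way the kernel does for a given user and the group list the server resolves for that user (owner first, then a named user, then owning and named groups ANDed with the mask, otherwise other). The sample listing is constructed from the /data/test output shown earlier, the user and group names are assumed to be in the form winbind reports them, and the `_unescape` helper handles getfacl's doubled backslashes and `\040` spaces.

```python
import re
# Constructed sample, trimmed from the getfacl listing of /data/test quoted in this thread.
GETFACL_DATA_TEST = r"""
# owner: root
# group: SDCP\\domain\040admins
user::rwx
user:SDCP\\domain\040users:rwx
group::rwx
group:SDCP\\domain\040users:rwx
mask::rwx
other::---
"""

def _unescape(name):
    # getfacl doubles backslashes and prints spaces as octal \040
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Parse one getfacl listing into its access ACL (default: entries are skipped)."""
    acl = {"owner": "", "group": "", "users": {}, "groups": {},
           "user_perms": set(), "group_perms": set(), "mask": set("rwx"), "other": set()}
    for line in text.splitlines():
        m = re.match(r"# (owner|group): (.*)", line)
        if m:
            acl[m.group(1)] = _unescape(m.group(2))
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":", 2)
            perms = set(perms.split()[0]) - {"-"}     # drop any "#effective:" annotation
            if tag in ("mask", "other"):
                acl[tag] = perms
            elif qual:
                acl[tag + "s"][_unescape(qual)] = perms    # named user / named group
            else:
                acl[tag + "_perms"] = perms                # user:: owner, group:: owning group
    return acl

def effective_perms(acl, user, groups):
    """POSIX.1e order: owner, else named user, else owning/named groups & mask, else other."""
    if user == acl["owner"]:
        granted = acl["user_perms"]                 # the mask never limits the owner
    elif user in acl["users"]:
        granted = acl["users"][user] & acl["mask"]
    else:
        matched = [acl["groups"][g] for g in groups if g in acl["groups"]]
        if acl["group"] in groups:
            matched.append(acl["group_perms"])
        granted = set().union(*matched) & acl["mask"] if matched else acl["other"]
    return "".join(p if p in granted else "-" for p in "rwx")
```

Passing an empty group list falls through to other::--- and yields the same denial the thread is chasing, which is why the group membership the server resolves for the user matters as much as the ACL entries themselves.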