Hello folks,

I have some directories within a samba 3.x share which I want to give granulated security settings for various users and groups. I could of course use "setfacl" and POSIX ACLs to accomplish that, but some of these ACLs should also be able to be set by some users. These users of course have no access to my Linux host where samba3 is running, so they can only do that by right-clicking the directory/file and setting the permissions through Windows Explorer.

Unfortunately this doesn't work in our case. The filesystem where the samba3 shares reside is mounted with acl and xattr, and I have double-checked that. POSIX ACLs work fine. But as soon as the owner of a directory or file tries to add some other users with access to it, the change is not applied after clicking the "Apply" button. It looks like the Windows client cannot set these security settings.

My share looks like this:

[share1]
    path = /disk01/share1
    admin users = "@Domain Admins"
    read only = No
    create mask = 0775
    directory mask = 0775
    nt acl support = yes
    vfs objects = acl_xattr
    invalid users = @restricted

The command "mount" shows:

[...]
/dev/xvdb1 on /disk01 type ext4 (rw,acl,user_xattr)
[...]

What am I doing wrong? Why doesn't this work? Any help appreciated.

Thanks in advance,
Lucas.
miguelmedalha at sapo.pt
2013-May-08 13:10 UTC
[Samba] Using Windows ACL on a samba3 share
From the Samba HOWTO:

"The net command can be used to obtain the currently supported capabilities for rights and privileges using this method:

root# net rpc rights list -U root%not24get
    SeMachineAccountPrivilege  Add machines to domain
    SePrintOperatorPrivilege   Manage printers
    SeAddUsersPrivilege        Add users and groups to the domain
    SeRemoteShutdownPrivilege  Force shutdown from a remote system
    SeDiskOperatorPrivilege    Manage disk shares
    SeBackupPrivilege          Back up files and directories
    SeRestorePrivilege         Restore files and directories
    SeTakeOwnershipPrivilege   Take ownership of files or other objects

Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the domain. *The disk operator privilege is necessary to permit the user to manage share ACLs and file and directory ACLs for objects not owned by the user.*"

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2601333