Hey Chris,

When mapping the share in Windows and checking the properties of the share, does your Domain Admins account appear within the permissions list? If so, does it list it as being Full Control or Read and Execute?

If it lists it as Read/Execute, this is most likely why you are getting permission denied.

There are 2 things you can try to do to remedy.

First, if you remove the line acl_xattr:ignore system acls = true from your Samba share configuration, restart Samba, then check the permissions, you should then see the Domain Admins group has full control rather than read and execute.

Otherwise, if you were to make the owner user on Linux a domain user who is part of Domain Admins (ex. chown domain\user:domain\domain admins share), you should then be able to connect to the share with that user, then grant the Domain Admins group full control, and from there modify permissions on the share further.

Regards,

Bailey

On Thu, Sep 22, 2022 at 7:01 PM Bailey Allison <ballison at 45drives.com> wrote:

> When mapping the share in Windows and checking the properties of the share,
> does your Domain Admins account appear within the permissions list? If so,
> does it list it as being Full Control or Read and Execute?

The Domain Admins account appears in the list but it has no ACL rights as shown on the security tab. None of the listed accounts has any rights (Everyone, root, CREATOR OWNER, CREATOR GROUP, Domain Admins). All accounts do show a checkmark of Allow for Special Permissions. All attempts to edit the rights return "Access is denied".

The above is the same regardless of the owner of the shared directory or whether or not the line acl_xattr:ignore system acls = true is in the share.

Reading through the smb.conf man page I ran across this:

=========================
map acl inherit (S)

This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI (POSIX ACL Inheritance). This parameter requires supports for extended attributes on the filesystem and allows the Windows ACL editor to store inheritance information while NT ACLs are mapped best-effort to the POSIX ACLs.
=========================

Should there be an actual file with this name, as I cannot find any file named user.SAMBA_PAI (even replacing 'user' with wildcard)?

Chris