I am trying to set up a samba file server with the following 2 characteristics:
1) use RSAT tools to set ACLs
2) new folders / files need to have group write permissions
    ie: UserData = Domain Users
    ie: AdminData = Domain Admins
    ie: Accounting = Accounting

I think I'm about 90% of the way there after reading and following this guide:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Problems:
1) failed to enumerate objects in the container: Access is denied. (https://snipboard.io/K27jAc.jpg)
2) group permissions are always 750, I would like them to be 770

Setup:
Windows Network with about a dozen workstations (Surface Pros) running Windows 11
Active Directory running on Synology DSM
Proxmox Hypervisor
    Guest: mariadb
    Guest: LAMP for middleware
    Guest: LAMP for public facing web server
    Guest: 3CX debian
    Guest: File Server

File Server:
Samba Version 4.15.9
Ubuntu Server 22.04.1

root@filesvr:/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "SDCP\administrator"
Password for [SDCP\administrator]:
SeDiskOperatorPrivilege:
  SDCP\linux admins
  BUILTIN\Administrators

[global]
    security = ads
    idmap config SDCP : range = 2000000-2999999
    idmap config SDCP : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    winbind use default domain = no
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no

[Test]
    path = /data/test
    comment = test
    writable = yes
    guest ok = no
    inherit permissions = yes
    inherit acls = yes
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
    valid users = "@SDCP\Domain Users"

root@filesvr:/data# ls -l
drwxrwxrwt  3 root SDCP\linux admins    4096 Oct  2 15:07 test

root@filesvr:/data# ls -l test/
drwxr-xr-t 2 SDCP\office     SDCP\domain users  4096 Oct  2 15:08 officefld
-rwxr--r-- 1 SDCP\peter      SDCP\domain admins   17 Sep 30 23:59 Windows.txt

root@filesvr:/data# ls -l test/officefld/
-rw-r--r-- 1 SDCP\office SDCP\domain users 4 Oct  2 15:08 test.txt

On 03/10/2022 15:38, Peter Carlson via samba wrote:
> I am trying to set up a samba file server with the following 2
> characteristics:
> 1) use RSAT tools to set ACLs

No you are not ;-)

> 2) new folders / files need to have group write permissions
>     ie: UserData = Domain Users
>     ie: AdminData = Domain Admins
>     ie: Accounting = Accounting
>
> I think I'm about 90% of the way there after reading and following this
> guide:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

I think you are about 90% away from setting up the permissions

Try this smb.conf:

[global]
    security = ads
    idmap config SDCP : range = 2000000-2999999
    idmap config SDCP : backend = rid
    idmap config * : range = 10000-999999
    idmap config * : backend = tdb
    winbind refresh tickets = yes
    winbind offline logon = yes
    vfs objects = acl_xattr
    map acl inherit = yes

[Test]
    path = /data/test
    comment = test
    read only = no
    acl_xattr:ignore system acls = yes

The last line in the share is interesting, it means what it says, ignore the system (Linux) acls, you can set these to what you like and Samba WILL ignore them.

I suggest you read the wiki page again and follow it to the letter. You may also need to install the 'acl' and 'attr' packages.

You should also be aware that Synology uses its own version of Samba, so something of theirs could be getting in the way, this is just a possibility.
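
Added example, not part of either message above: a small Python check that reads an smb.conf and lists where a share differs from the settings in the reply's suggested configuration. The function names are hypothetical, the sample input is abridged from the [Test] share in the original post, and the parser handles only plain `name = value` lines (no includes or line continuations).

```python
import re

TRUE = {"yes", "true", "1"}
# Set in the original [Test] share, absent from the reply's version of it.
DROPPED = ("inherit permissions", "inherit acls", "valid users", "guest ok")

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_share(conf, share):
    """List where `share` differs from the settings in the reply's smb.conf."""
    own = conf.get(share.lower(), {})
    eff = {**conf.get("global", {}), **own}  # share values override [global]
    def on(key, default):
        return eff.get(key, default).lower() in TRUE
    findings = []
    if "acl_xattr" not in eff.get("vfs objects", "").split():
        findings.append("vfs objects lacks acl_xattr")
    if not on("map acl inherit", "no"):
        findings.append("map acl inherit is not yes")
    if not on("acl_xattr:ignore system acls", "no"):
        findings.append("acl_xattr:ignore system acls is not yes")
    if on("read only", "yes") and not on("writable", "no"):
        findings.append("share is read only")
    findings += [f"{k} is set on the share" for k in DROPPED if k in own]
    return findings

# Abridged from the [Test] share in the original post.
POSTED = """[Test]
path = /data/test
writable = yes
inherit permissions = yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
valid users = "@SDCP\\Domain Users"
"""
print(check_share(parse_smb_conf(POSTED), "Test"))
```

The findings are a comparison with the reply's configuration only; they do not say which difference causes the "Access is denied" error.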