samba - Oct 2024 - User and Group Permissions in a Workgroup

Good day,
when I am using SAMBA in a workgroup only (i.e. without a domain
controller), is it still possible to assign users to different groups and
grant different permissions, based on the groups?

I am asking because I encountered the following problem:
I have set up a new SAMBA server that is completely standalone and using a
workgroup only. Now, I added a couple users, and I wanted to adjust some
folder permissions from windows, using the Windows Explorer, like here

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder

and I saw that I cannot change the permissions. The error returned is that
the permission is denied. Funny enough, I can create, add and modify files
and folders just fine.

I then thought, well, maybe this has to do with the
SeDiskOperatorPrivilege. And of course, this privilege is granted to
builtin\Administrators, and my workgroup users are not part of that group.
I tried now quite a long time to add users to the builtin\Administrators
group, but I failed. So I wonder, is it probably not possible to allow
permissions to be changed from the Windows side, when only a workgroup is
used?

I have used the following configs in the smb.conf:

ea support = yes
inherit acls = yes
acl_xattr:ignore system acls = yes
inherit permissions = yes
vfs objects = acl_xattr
map acl inherit = yes

and the folder, where I have my share in, has permissions 0777 (for test
purposes....).

Thanks for any hints!
Tobias

On Wed, 2 Oct 2024 14:52:48 +0200
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> Good day,
> when I am using SAMBA in a workgroup only (i.e. without a domain
> controller), is it still possible to assign users to different groups
> and grant different permissions, based on the groups?
Yes
> 
> I am asking because I encountered the following problem:
> I have set up a new SAMBA server that is completely standalone and
> using a workgroup only. Now, I added a couple users, and I wanted to
> adjust some folder permissions from windows, using the Windows
> Explorer, like here
> 
>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder
> 
> and I saw that I cannot change the permissions. The error returned is
> that the permission is denied. Funny enough, I can create, add and
> modify files and folders just fine.
> 
> I then thought, well, maybe this has to do with the
> SeDiskOperatorPrivilege. And of course, this privilege is granted to
> builtin\Administrators, and my workgroup users are not part of that
> group. I tried now quite a long time to add users to the
> builtin\Administrators group, but I failed. So I wonder, is it
> probably not possible to allow permissions to be changed from the
> Windows side, when only a workgroup is used?
> 
> I have used the following configs in the smb.conf:
> 
> ea support = yes
> inherit acls = yes
> acl_xattr:ignore system acls = yes
> inherit permissions = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> 
> and the folder, where I have my share in, has permissions 0777 (for
> test purposes....).
> 
> Thanks for any hints!
> Tobias
Your problem is that while you are running Samba as a standalone
server, you seem to be trying to treat it as if it is domain joined.

There is no usable 'BUILTIN' domain on a standalone server, all a
Samba standalone server knows is the users in /etc/passwd that have
made into Samba users with 'smbpasswd -a' and the groups in /etc/group.

You can use 'acl_xattr', but it will not work with 'acl_xattr:ignore
system acls = yes', it needs to set the Unix acls (ugo).

Rowland