Setting up a Share Using POSIX ACLs

From SambaWiki


Samba allows you, to do most share configurations via Windows and using Windows ACLs. This is also the recommended way!

But it is also possible to set ACLs directly on the filesystem and define access to the share in the smb.conf share configuration. This guide describes the way of accomplish this.

Important information:

Samba Active Directory Domain Controllers have enabled extended ACL support globally. For this kind of Samba servers, you can't choose this way to setup shares and permissions. See Setup and configure file shares with Windows ACLs instead.

Preparatory work

It's possible to have a mixed configuration of shares with Windows ACL support and POSIX ACL shares. But in that case, the Windows ACL support must not be enabled globally!

Execution of files

With Samba 3.6 and older, the execution right in the ACL was not checked. So a user could execute a file, even if he/she did not have execute rights on it. In Samba 4 and later, this has been fixed, so that by default, execution is denied, when the file doesn't have the x-bit set!

In some situations, like when upgrading from an older Samba version, your files may haven't the x-Bit set, due to a previous configuration. A workaround, to make *.exe, *.bat, etc. files executable again, is to set

acl allow execute always = True

in your smb.conf (per share or globally). But rate this as a workaround! You should fix the permissions and add the x-bit for user/group/other, when the file should be executed.

Adding a new share

  • Create a folder to be shared:
# mkdir -p /srv/samba/Demo/
  • Add a new share to your smb.conf. The following is the required minimum:
     path = /srv/samba/Demo/
     read only = no
  • Reload Samba:
# smbcontrol all reload-config

Setup share permissions

Share permissions are defined in your servers smb.conf section indiviually for each share. After changes, a reload of Samba is required!


       path = /srv/samba/Demo
       read only = no
       valid users = +SAMDOM\DemoGroup
       guest ok = no


path = /srv/samba/Demo
# Defines the location of the folder in the local filesystem.
read only = no
# The share is read/write enabled.
valid users = +SAMDOM\DemoGroup
# Only members of this domain group are allowed to access the share.
# Filesystem ACLs are not affected by this setting.
guest ok = no
# It's not allowed to access the share without password (guest account).

This are just a few possible parameters, that can be set on a share. See

# man smb.conf

for more share parameters and their options.

Change permissions on folders of a share

Changes of permissions are done using the classic *nix tools 'chmod', 'chown' and 'chgrp'.


# mkdir /srv/samba/Demo/Example/
# chown foobar:DemoGroup /srv/samba/Demo/Example/
# chmod 2770 /srv/samba/Demo/Example/

These commands create a new folder 'Example' in the root of the 'Demo' share previously created. The permissions ('2770') define that the user ('foobar') and the group ('DemoGroup') have read/write/execute on the folder. The set-GID-bit defines that all files/folders below this one, inherit the group ('DemoGroup') from the parent folder.

Related documentation

The following documentation treat topics, related on setting up file shares with special permissions or purposes: