Setting up a Share Using Windows ACLs: Difference between revisions

From SambaWiki
m (added the "-I dc1.samdom.example.com" option to the net rpc line as the member server tries localhost if absent)
mNo edit summary
 
(72 intermediate revisions by 5 users not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Extended access control lists (ACL) enable you to set permissions on shares, files, and directories using Windows ACLs and applications. Samba supports shares using extended ACLs on:
Samba allows you, since version 4, to do most share configuration via windows, which is also the recommended way. In particular, the permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following documentation will give you an overview of how to manage shares.
* Domain members
* Active Directory (AD) domain controllers (DC)
* NT4 primary domain controller (PDC)
* NT4 backup domain controllers (BDC)
* Standalone hosts


Please note, that it's also possible to [[Setup_and_configure_file_shares_with_POSIX_ACLs|configure shares and ACLs, using the classic way with POSIX ACLs and smb.conf parameters]].








= Preparing the Host =


You need to set up Samba before you are able to create a share. Depending on what type of Samba server you require, see:
= Preparatory work =
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]]
* [[Active_Directory_Domain_Controller|Setting up Samba as AD DC]]
* [[Setting_up_Samba_as_an_NT4_PDC_(Quick_Start)|Setting up Samba as an NT4 PDC (Quick Start)]]
* [[Setting_up_Samba_as_an_NT4_BDC|Setting up Samba as an NT4 BDC]]
* [[Setting_up_Samba_as_a_Standalone_Server|Setting up Samba as a Standalone Server]]


== Filesystem support ==


To use the advanced features of Samba, it has to be compiled with ACL support (e. g. RHEL requires the libacl-devel to be installed, when compiling). Also you need a filesystem that supports the "user" and "system" xattr namespaces. It also needs to have ACL and XATTR support.


== File System Support ==
XFS and ext4 automatically support ACLs. If you are using ext3 for your file system, you may need to include the options "user_xattr" and "acl" in your /etc/fstab entries. Example:


The file system, the share will be created on, must support:
/dev/sda3 /srv/samba/Demo ext3 user_xattr,acl,barrier=1 1 1
* user and system <code>xattr</code> name spaces.
* extended access control lists (ACL).


For further details, see [[File_System_Support|File system support]].
Note: The "barrier=1" option ensures that tdb transactions are safe against unexpected power loss. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/writebarrieronoff.html More information on barriers from RedHat]


Please be careful modifying your fstab. It can lead to an unbootable system!


You could test as follows:


== Samba Extended ACL Support ==
# lsof | grep srv/samba/Demo


To create a share with extended access control list (ACL) support, the <code>smbd</code> service must have been built with ACL support enabled. A Samba host working as an Active Directory (AD) domain controller (DC), is always enabled with extended ACL support.
If there is output, stop the corresponding services cleanly. If there is no output, it is safe to unmount the partition, assuming it is mounted:


To verify if Samba has been built with ACL support, enter:
# umount /srv/samba/Demo


# smbd -b | grep HAVE_LIBACL
After making changes to fstab, try remounting the drive:
HAVE_LIBACL


If no output is displayed:
# mount -a
* Samba was built using the <code>--with-acl-support=no</code> parameter.
* The Samba <code>configure</code> script was unable to locate the required libraries for ACL support. For details, see [[Package Dependencies Required to Build Samba]].


== ACL support on member server ==


The following is only <u>required on Domain Member Servers and not on Domain Controllers</u>!


* Add the following to your [global] section of your smb.conf:


vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes


== Enable Extended ACL Support on a Unix domain member ==
:These options are required on Member Servers, to enable the possibility for real windows ACL's. Domain Controllers have ACL support enabled globally by default!


Ideally you have a system that supports [[NFS4_ACL_overview|NFS4 ACLs]]. The following example is for systems like Linux, where you don't have those kind of ACLs. To configure shares using extended access control lists (ACL) on a Unix domain member, you must enable the support in the <code>smb.conf</code> file. To enable extended ACL support globally, add the following settings to the <code>[global]</code> section of your <code>smb.conf</code> file:


vfs objects = acl_xattr
map acl inherit = yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes


{{Imbox
== SeDiskOperatorPrivilege ==
| type = important
| text = On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually.
}}


Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section.
* To configure share permissions, you need an account with „SeDiskOperatorPrivilege“. To grant this privilege, e. g. to the „Domain Admin“ group, run the following command on your AD member server(s):


For further details about the parameters, see the <code>smb.conf(5)</code> man page.
# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -U'SAMDOM\administrator' -I dc1.samdom.example.com


:Existing privileges can be reviewed by


# net rpc rights list accounts -U'SAMDOM\administrator' -I dc1.samdom.example.com


= Adding a new share =



* Create a folder that you want to share:
== Granting the <code>SeDiskOperatorPrivilege</code> Privilege ==

Only users and groups having the <code>SeDiskOperatorPrivilege</code> privilege granted can configure share permissions.

{{Imbox
| type = note
| text = Only users or groups that are known to Unix can be used. This means that if you use the winbind 'ad' backend on Unix domain members, you must add a uidNumber attribute to users, or a gidNumber to groups in AD.
}}

{{Imbox
| type = note
| text = If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the <code>Domain Admins</code> group in AD, you will break the mapping in <code>idmap.ldb</code>. <code>Domain Admins</code> is mapped as <code>ID_TYPE_BOTH</code> in <code>idmap.ldb</code>, this is to allow the group to own files in <code>Sysvol</code> on a Samba AD DC. It is suggested you create a new AD group (<code>Unix Admins</code> for instance), give this group a <code>gidNumber</code> attribute and add it to the <code>Administrators</code> group and then, on Unix, use the group wherever you would normally use <code>Domain Admins</code>.
}}


If you are using the 'ad' winbind idmap backend, then you should use the 'Unix Admins' group you were advised to create above. However, if you use any other winbind idmap backend (autorid or rid, for instance), then you can use the 'Domain Admins' group.


To grant the privilege to the <code>Domain Admins</code> group, enter:

# net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.

To grant the privilege to the <code>Unix Admins</code> group, enter:

# net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.


{{Imbox
| type = note
| text = It is recommended to grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership.
}}

To list all users and groups having the <code>SeDiskOperatorPrivilege</code> privilege granted, enter:

# net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
SAMDOM\Unix Admins

{{Imbox
| type = important
| text = You need to grant the <code>SeDiskOperatorPrivilege</code> privilege on the Samba server that holds the share.
}}





= Adding a Share =

To share the <code>/srv/samba/Demo/</code> directory using the <code>Demo</code> share name:

* As the <code>root</code> user, create the directory:

# mkdir -p /srv/samba/Demo/
# mkdir -p /srv/samba/Demo/


* To enable accounts other than the domain user <code>Administrator</code> to set permissions on Windows, grant <code>Full control</code> (<code>rwx</code>) to the user or group you granted the <code>SeDiskOperatorPrivilege</code> privilege. For example (if using the 'ad' backend):
You now need to allow access to the directory (or you will not be able to change the ACLs from windows).

For this example we will use 'Domain Admins' , you can use another group or user.
# setfacl -m g:domain_admins:rwx /srv/samba/Demo/
# chown root:"Unix Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

* Otherwise for any other backend:

# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

* Add the <code>[Demo]</code> share definition to your <code>smb.conf</code> file:


* Add a new share to your smb.conf (using no other configuration parameters when first setting up a share is highly recommended!):
[Demo]
[Demo]
path = /srv/samba/Demo/
path = /srv/samba/Demo/
read only = no
read only = no

: Further share-specific settings and file system permissions are set using the Windows utilities.


:{{Imbox
| type = important
| text = Do not set <code>ANY</code> additional share parameters, such as <code>force user</code> or <code>valid users</code>. Adding them to the share definition can prevent you from configuring or using the share.
}}


If you are setting the shares permissions from Windows (recommended), you should add this line to your share:
acl_xattr:ignore system acls = yes

This will make Samba ignore the system ACL's (ugo). This means that when you run <code>setfacl</code> on the shares directory, it will not show any permission modifications you may have have done from Windows. Do not add this line until you have set up the share permissions from Windows, otherwise you may find that you are denied permission to change the permissions from Windows.


* Reload the Samba configuration:


* Reload Samba:
# smbcontrol all reload-config
# smbcontrol all reload-config


= Setup share permissions =


* Log on to a Windows machine, using an account to which the „SeDiskOperatorPrivilege“ was granted, or an account in a group with the granted privilege.


* Open the Start Menu and search for „Computer Management“.


* In the menu bar go to „Action“ / „Connect to another computer“.


= Setting Share Permissions and ACLs =
* Enter the name of the Samba server you have create the new share on.


When you configure a share with extended access control lists (ACL) support, you set the share permissions using Windows utilities instead of adding parameters to the share section in the <code>smb.conf</code> file.
* Navigate to „System Tools“ / „Shared Folders“ / „Shares“ and select the newly added share.

To set permissions and ACLs on the <code>Demo</code> share:

* Log on to a Windows host using an account that has the <code>SeDiskOperatorPrivilege</code> privilege granted. e.g. <code>SAMDOM\Administrator</code> or <code>SAMDOM\john</code> where <code>john</code> is a member of <code>Unix Admins</code>.

* Click <code>Start</code>, enter <code>Computer Management</code>, and start the application.

* Select <code>Action</code> / <code>Connect to another computer</code>.

* Enter the name of the Samba host and click <code>OK</code> to connect the console to the host.

* Open the <code>System Tools</code> / <code>Shared Folders</code> / <code>Shares</code> menu entry.


:[[Image:Computer_Management_Shares.png]]
:[[Image:Computer_Management_Shares.png]]


* Right-click to the share name, choose „Properties“ .


* Go to the „Share Permissions“ tab. Here you can configure who can access the share and the appropriate permissions.


:[[Image:Demo_Share_Permissions.png]]


* Right-click to the share and select <code>Properties</code>.
* Go to the „Security“ tab, click the „Edit“ button and configure the filesystem permissions.

* Select the <code>Share Permissions</code> tab and check the share permissions, you need to see <code>Everyone</code>. For example:
:[[Image:share.png]]

{{Imbox
| type = important
| text = If the permissions are as above, you do not need to change anything, if not, change it to just allow <code>Everyone</code> : <code>Full Control, Change and Read</code>. You should only need to make changes to the <code>Security</code> tab.
}}

: Samba stores the share tab permissions in the <code>/usr/local/samba/var/locks/share_info.tdb</code> database.




* Select the <code>Security</code> tab.

* Click the <code>Edit</code> button and set the file system ACLs on the share's root directory. For example:


:[[Image:Demo_Share_Security.png]]
:[[Image:Demo_Share_Security.png]]


: For details about using the <code>SYSTEM</code> account on a Samba share see [[The SYSTEM Account]].
* Save the changes by closing the windows with „OK“.


: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].


* Click the <code>Add</code> button.


* Click <code>Advanced</code> button


* Click <code>Find Now</code>


* Select a user or group from the list, <code>Domain Users</code> for instance.
= Change permissions on folders of a share =


* Click <code>OK</code>
* Log on to a Windows machine as Domain Administrator.


* Click <code>OK</code>
* Navigate to the folder of which you want to change the permissions.


* Select permissions to grant, <code>Full control</code> for instance.
* Right-click to the folder and choose „Properties“.


* A windows security box should open, asking if you want to continue, Click <code>Yes</code>
* Go to the „Security“ tab and click the „Edit“ button.


* If you check the list of <code>Group or user names</code>, you should find <code>Domain Users</code> listed
* Change the permissions to your needs.

* Click <code>OK</code> to close the <code>Permissions for Demo</code> window.

* Click <code>OK</code> to store the updated settings.

For further details about configuring share permissions and ACLs, see the Windows documentation.





= Setting ACLs on a Folder =

To set file system permissions on a folder located on a share that uses extended access control lists (ACL):

* Log on to a Windows host using an account that has <code>Full control</code> on the folder you want to modify the file system ACLs.

* Navigate to the folder.

* Right-click to the folder and select <code>Properties</code>.

* Select the <code>Security</code> tab and click the <code>Edit</code> button.

* Set the permission. For example:


:[[Image:Folder_Permissions.png]]
:[[Image:Folder_Permissions.png]]


: For details about using the <code>SYSTEM</code> account on a Samba share see [[The SYSTEM Account]].
* Save the changes by closing the windows with „OK“.


: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].


* Click <code>OK</code> to close the <code>Permissions for Folder</code> window.


* Click <code>OK</code> to store the updated settings.


For further details about setting ACLs, see the Windows documentation.


= Troubleshooting =


In certain situations, share configuration parameters which were commonly used with NT-style domains such as "force group" or "force user" may lead to "Access Denied" errors when trying to set permissions on a new share, or other complications, such as losing the ability to even see the Security tab. You may find even after correcting the issues that the problems may persist even after removing and re-adding the share properly. In such cases, it may be helpful to manually wipe out all ACLs on the share and recursively re-grant full control to the Domain Admins group with the setfacl command as follows (may need to run as root):


# setfacl -b /path/to/share
# setfacl -b /path/to/share/*
# setfacl -R -m default:group:domain\ admins:rwx /path/to/share




= File System ACLs in the Back End =


Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute. For example:

* To list the extended ACLs of the <code>/srv/samba/Demo/</code> directory, enter:

# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---

* To list the <code>security.NTACL</code> extended attribute of the <code>/srv/samba/Demo/</code> directory, enter:

# getfattr -n security.NTACL -d /srv/samba/Demo/
# file: srv/samba/Demo/
security.NTACL=0sBAAEAAAAAgAEAAIAAQC4zK0lHchKFvwXwbPR/h8P8sXMj5dNIT5QQuWsYwO3RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEbGxuGu39MBuiZRk2pYxeL5ZWc4au0ikqRAk53MkjVd2b4quyk2WwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAASSVmaZneO8cxOHk/9AEAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAACAMQABwAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAAAAEAABAQAAAAAAAQAAAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAAAkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT/0AQAAAAMkAL8BEwABBQAAAAAABRUAAABJJWZpmd47xzE4eT8BAgAA

The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:

{| class="wikitable"
!Principal
!Permissions
!Applies to
|-
|Domain Users (SAMDOM\Domain Users)
|Modify, Read & execute, List folder contents, Read, Write
|(This folder, subfolders and files)
|-
|Unix Admins (SAMDOM\Unix Admins)
|Full control
|(This folder, subfolders and files)
|}

* To get the ACL in a more readable form, enter:

# samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
# O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f01ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)




= Troubleshooting =


For troubleshooting, see:
* [[Troubleshooting_Samba_Domain_Members|Troubleshooting Samba Domain Members]]
* [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]]




= Related documentation =


The following documentation explains how to set up file shares with special permissions or purpose:


* [[Setting_up_a_home_share|Setting up a home share]]


----
* [[Samba_%26_Windows_Profiles|Samba and Windows Profiles]]
[[Category:Active Directory]]
[[Category:Domain Members]]
[[Category:File Serving]]
[[Category:NT4 Domains]]

Latest revision as of 14:37, 22 March 2023

Introduction

Extended access control lists (ACL) enable you to set permissions on shares, files, and directories using Windows ACLs and applications. Samba supports shares using extended ACLs on:

  • Domain members
  • Active Directory (AD) domain controllers (DC)
  • NT4 primary domain controller (PDC)
  • NT4 backup domain controllers (BDC)
  • Standalone hosts



Preparing the Host

You need to set up Samba before you are able to create a share. Depending on what type of Samba server you require, see:


File System Support

The file system, the share will be created on, must support:

  • user and system xattr name spaces.
  • extended access control lists (ACL).

For further details, see File system support.


Samba Extended ACL Support

To create a share with extended access control list (ACL) support, the smbd service must have been built with ACL support enabled. A Samba host working as an Active Directory (AD) domain controller (DC), is always enabled with extended ACL support.

To verify if Samba has been built with ACL support, enter: 

# smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL

If no output is displayed:



Enable Extended ACL Support on a Unix domain member

Ideally you have a system that supports NFS4 ACLs. The following example is for systems like Linux, where you don't have those kind of ACLs. To configure shares using extended access control lists (ACL) on a Unix domain member, you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file: 

vfs objects = acl_xattr
map acl inherit = yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes

Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section.

For further details about the parameters, see the smb.conf(5) man page.



Granting the SeDiskOperatorPrivilege Privilege

Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure share permissions.


If you are using the 'ad' winbind idmap backend, then you should use the 'Unix Admins' group you were advised to create above. However, if you use any other winbind idmap backend (autorid or rid, for instance), then you can use the 'Domain Admins' group.


To grant the privilege to the Domain Admins group, enter: 

# net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.


To grant the privilege to the Unix Admins group, enter: 

# net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.


To list all users and groups having the SeDiskOperatorPrivilege privilege granted, enter: 

# net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter administrator's password:
SeDiskOperatorPrivilege:
  BUILTIN\Administrators
  SAMDOM\Unix Admins



Adding a Share

To share the /srv/samba/Demo/ directory using the Demo share name:

  • As the root user, create the directory:
# mkdir -p /srv/samba/Demo/
  • To enable accounts other than the domain user Administrator to set permissions on Windows, grant Full control (rwx) to the user or group you granted the SeDiskOperatorPrivilege privilege. For example (if using the 'ad' backend):
# chown root:"Unix Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/
  • Otherwise for any other backend:
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/
  • Add the [Demo] share definition to your smb.conf file:
[Demo]
       path = /srv/samba/Demo/
       read only = no
Further share-specific settings and file system permissions are set using the Windows utilities.



If you are setting the shares permissions from Windows (recommended), you should add this line to your share: 

acl_xattr:ignore system acls = yes

This will make Samba ignore the system ACL's (ugo). This means that when you run setfacl on the shares directory, it will not show any permission modifications you may have have done from Windows. Do not add this line until you have set up the share permissions from Windows, otherwise you may find that you are denied permission to change the permissions from Windows.


  • Reload the Samba configuration:
# smbcontrol all reload-config



Setting Share Permissions and ACLs

When you configure a share with extended access control lists (ACL) support, you set the share permissions using Windows utilities instead of adding parameters to the share section in the smb.conf file.

To set permissions and ACLs on the Demo share:

  • Log on to a Windows host using an account that has the SeDiskOperatorPrivilege privilege granted. e.g. SAMDOM\Administrator or SAMDOM\john where john is a member of Unix Admins.
  • Click Start, enter Computer Management, and start the application.
  • Select Action / Connect to another computer.
  • Enter the name of the Samba host and click OK to connect the console to the host.
  • Open the System Tools / Shared Folders / Shares menu entry.
Computer Management Shares.png



  • Right-click to the share and select Properties.
  • Select the Share Permissions tab and check the share permissions, you need to see Everyone. For example:
Share.png
Samba stores the share tab permissions in the /usr/local/samba/var/locks/share_info.tdb database.



  • Select the Security tab.
  • Click the Edit button and set the file system ACLs on the share's root directory. For example:
Demo Share Security.png
For details about using the SYSTEM account on a Samba share see The SYSTEM Account.
For details where the ACLs are stored, see File System ACLs in the Back End.
  • Click the Add button.
  • Click Advanced button
  • Click Find Now
  • Select a user or group from the list, Domain Users for instance.
  • Click OK
  • Click OK
  • Select permissions to grant, Full control for instance.
  • A windows security box should open, asking if you want to continue, Click Yes
  • If you check the list of Group or user names, you should find Domain Users listed
  • Click OK to close the Permissions for Demo window.
  • Click OK to store the updated settings.

For further details about configuring share permissions and ACLs, see the Windows documentation.



Setting ACLs on a Folder

To set file system permissions on a folder located on a share that uses extended access control lists (ACL):

  • Log on to a Windows host using an account that has Full control on the folder you want to modify the file system ACLs.
  • Navigate to the folder.
  • Right-click to the folder and select Properties.
  • Select the Security tab and click the Edit button.
  • Set the permission. For example:
Folder Permissions.png
For details about using the SYSTEM account on a Samba share see The SYSTEM Account.
For details where the ACLs are stored, see File System ACLs in the Back End.
  • Click OK to close the Permissions for Folder window.
  • Click OK to store the updated settings.

For further details about setting ACLs, see the Windows documentation.



File System ACLs in the Back End

Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute. For example:

  • To list the extended ACLs of the /srv/samba/Demo/ directory, enter:
# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---
  • To list the security.NTACL extended attribute of the /srv/samba/Demo/ directory, enter:
# getfattr -n security.NTACL -d /srv/samba/Demo/
# file: srv/samba/Demo/
security.NTACL=0sBAAEAAAAAgAEAAIAAQC4zK0lHchKFvwXwbPR/h8P8sXMj5dNIT5QQuWsYwO3RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEbGxuGu39MBuiZRk2pYxeL5ZWc4au0ikqRAk53MkjVd2b4quyk2WwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAASSVmaZneO8cxOHk/9AEAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAACAMQABwAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAAAAEAABAQAAAAAAAQAAAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAAAkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT/0AQAAAAMkAL8BEwABBQAAAAAABRUAAABJJWZpmd47xzE4eT8BAgAA

The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:

Principal Permissions Applies to
Domain Users (SAMDOM\Domain Users) Modify, Read & execute, List folder contents, Read, Write (This folder, subfolders and files)
Unix Admins (SAMDOM\Unix Admins) Full control (This folder, subfolders and files)
  • To get the ACL in a more readable form, enter:
# samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
# O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f01ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)



Troubleshooting

For troubleshooting, see:



Retrieved from "https://wiki.samba.org/index.php?title=Setting_up_a_Share_Using_Windows_ACLs&oldid=18825"