Setting up a Share Using Windows ACLs: Difference between revisions

From SambaWiki
= Introduction =

Extended access control lists (ACL) enable you to set permissions on shares, files, and directories using Windows ACLs and applications. Samba supports shares using extended ACLs on:
* Domain members
* Active Directory (AD) domain controllers (DC)
* NT4 primary domain controller (PDC)
* NT4 backup domain controllers (BDC)
* Standalone hosts


= Preparing the Host =

You need to set up Samba before you are able to create a share. Depending on what type of Samba server you require, see:
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]]
* [[Active_Directory_Domain_Controller|Setting up Samba as AD DC]]
* [[Setting_up_Samba_as_an_NT4_PDC_(Quick_Start)|Setting up Samba as an NT4 PDC (Quick Start)]]
* [[Setting_up_Samba_as_an_NT4_BDC|Setting up Samba as an NT4 BDC]]
* [[Setting_up_Samba_as_a_Standalone_Server|Setting up Samba as a Standalone Server]]


== File System Support ==

The file system the share will be created on must support:
* user and system <code>xattr</code> name spaces.
* extended access control lists (ACL).

For further details, see [[File_System_Support|File system support]].


== Samba Extended ACL Support ==

To create a share with extended access control list (ACL) support, the <code>smbd</code> service must have been built with ACL support enabled. A Samba host working as an Active Directory (AD) domain controller (DC) always has extended ACL support enabled.

To verify that Samba has been built with ACL support, enter:

# smbd -b | grep HAVE_LIBACL
HAVE_LIBACL

If no output is displayed:
* Samba was built using the <code>--with-acl-support=no</code> parameter.
* The Samba <code>configure</code> script was unable to locate the required libraries for ACL support. For details, see [[Package Dependencies Required to Build Samba]].

== Enable Extended ACL Support on a Unix domain member ==

Ideally you have a system that supports [[NFS4_ACL_overview|NFS4 ACLs]]. The following example is for systems like Linux, which do not have that kind of ACL. To configure shares using extended access control lists (ACL) on a Unix domain member, you must enable the support in the <code>smb.conf</code> file. To enable extended ACL support globally, add the following settings to the <code>[global]</code> section of your <code>smb.conf</code> file:

vfs objects = acl_xattr
map acl inherit = yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes

{{Imbox
| type = important
| text = On a Samba Active Directory (AD) domain controller (DC), extended ACL support is automatically enabled globally. You must not enable the support manually.
}}

Alternatively, to enable extended ACL support only for a specific share, add the parameters to the share's section.

For further details about the parameters, see the <code>smb.conf(5)</code> man page.





== Granting the <code>SeDiskOperatorPrivilege</code> Privilege ==

Only users and groups having the <code>SeDiskOperatorPrivilege</code> privilege granted can configure share permissions.

{{Imbox
| type = note
| text = Only users or groups that are known to Unix can be used. This means that if you use the winbind 'ad' backend on Unix domain members, you must add a uidNumber attribute to users, or a gidNumber to groups in AD.
}}

{{Imbox
| type = note
| text = If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the <code>Domain Admins</code> group in AD, you will break the mapping in <code>idmap.ldb</code>. <code>Domain Admins</code> is mapped as <code>ID_TYPE_BOTH</code> in <code>idmap.ldb</code>, which allows the group to own files in <code>Sysvol</code> on a Samba AD DC. It is suggested that you create a new AD group (<code>Unix Admins</code>, for instance), give this group a <code>gidNumber</code> attribute, add it to the <code>Administrators</code> group and then, on Unix, use this group wherever you would normally use <code>Domain Admins</code>.
}}


If you are using the 'ad' winbind idmap backend, then you should use the 'Unix Admins' group you were advised to create above. However, if you use any other winbind idmap backend (autorid or rid, for instance), then you can use the 'Domain Admins' group.


To grant the privilege to the <code>Domain Admins</code> group, enter:

# net rpc rights grant "SAMDOM\Domain Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.

To grant the privilege to the <code>Unix Admins</code> group, enter:

# net rpc rights grant "SAMDOM\Unix Admins" SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter SAMDOM\administrator's password:
Successfully granted rights.


{{Imbox
| type = note
| text = It is recommended to grant the privilege to a group instead of individual accounts. This enables you to add and revoke the privilege by updating the group membership.
}}

To list all users and groups having the <code>SeDiskOperatorPrivilege</code> privilege granted, enter:

# net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
Enter administrator's password:
SeDiskOperatorPrivilege:
BUILTIN\Administrators
SAMDOM\Unix Admins

{{Imbox
| type = important
| text = You need to grant the <code>SeDiskOperatorPrivilege</code> privilege on the Samba server that holds the share.
}}





= Adding a Share =

To share the <code>/srv/samba/Demo/</code> directory using the <code>Demo</code> share name:

* As the <code>root</code> user, create the directory:

# mkdir -p /srv/samba/Demo/

* To enable accounts other than the domain user <code>Administrator</code> to set permissions on Windows, grant <code>Full control</code> (<code>rwx</code>) to the user or group you granted the <code>SeDiskOperatorPrivilege</code> privilege. For example, if using the 'ad' backend:

# chown root:"Unix Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

* Otherwise, for any other backend:

# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

* Add the <code>[Demo]</code> share definition to your <code>smb.conf</code> file:

[Demo]
path = /srv/samba/Demo/
read only = no

: Further share-specific settings and file system permissions are set using the Windows utilities.

:{{Imbox
| type = note
| text = If you set the share's permissions from Windows (the recommended way), you can add the line <code>acl_xattr:ignore system acls = yes</code> to your share. If the line is added, Samba will ignore the standard Unix system ACLs (ugo). Once the line is added, running <code>setfacl</code> on the share's directory will not show any permission modifications you may have made from Windows. '''You must not add this line until you have set up the share permissions from Windows, otherwise you may find that you are denied permission to change the permissions from Windows.''' Only add the line if you will only connect to the share via Samba.
}}




:{{Imbox
| type = important
| text = Do not set <code>ANY</code> additional share parameters, such as <code>force user</code> or <code>valid users</code>. Adding them to the share definition can prevent you from configuring or using the share.
}}


* Reload the Samba configuration:
# smbcontrol all reload-config
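As an added example (not code from this page or the Samba project), the following Python reads an <code>smb.conf</code> and checks a share against the rules given above: <code>acl_xattr</code> in <code>vfs objects</code> and <code>map acl inherit = yes</code> in <code>[global]</code> or the share, <code>store dos attributes = yes</code> only on Samba older than 4.9.0, none of these set manually on an AD DC, no additional share parameters such as <code>force user</code> or <code>valid users</code>, and a warning when <code>acl_xattr:ignore system acls = yes</code> is present. The allow-list of share parameters and the sample <code>smb.conf</code> are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

SmbConf = Dict[str, Dict[str, str]]  # section name -> {parameter: value}
YES = {"yes", "true", "1"}
# Parameters the page's own [Demo] definition and the ACL setup use. Anything else in a
# Windows-ACL share is reported ("do not set ANY additional share parameters"); this
# allow-list is our assumption for the example, not a Samba rule.
ALLOWED_SHARE_PARAMS = {"path", "read only", "vfs objects", "map acl inherit",
                        "store dos attributes", "acl_xattr:ignore system acls"}


def parse_smb_conf(text: str) -> SmbConf:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, '#'/';' comments.
    Samba ignores case and whitespace in parameter names, so they are normalised."""
    conf: SmbConf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def effective(conf: SmbConf, share: str, param: str) -> str:
    """Share-level value wins, otherwise [global]; '' when unset in both."""
    return conf.get(share, {}).get(param, conf.get("global", {}).get(param, ""))


def check_share(conf: SmbConf, share: str, samba_version: Tuple[int, int, int] = (4, 9, 0),
                on_dc: bool = False) -> List[str]:
    """Return findings for one share; an empty list means it follows the page's rules."""
    share = share.lower()
    if share not in conf:
        return [f"share [{share}] not found"]
    findings: List[str] = []
    has_acl_xattr = "acl_xattr" in effective(conf, share, "vfs objects").lower().split()
    map_inherit = effective(conf, share, "map acl inherit").lower()
    if on_dc:
        # An AD DC enables extended ACL support automatically; the page says not to add it.
        if has_acl_xattr or map_inherit:
            findings.append("extended ACL parameters set manually on an AD DC")
    else:
        if not has_acl_xattr:
            findings.append("vfs objects does not contain acl_xattr")
        if map_inherit not in YES:
            findings.append("map acl inherit is not yes")
        if samba_version < (4, 9, 0) and effective(conf, share, "store dos attributes").lower() not in YES:
            findings.append("store dos attributes = yes is required on Samba < 4.9.0")
    for param in sorted(conf[share]):
        if param not in ALLOWED_SHARE_PARAMS:
            findings.append(f"additional share parameter '{param}' can prevent configuring or using the share")
    if conf[share].get("acl_xattr:ignore system acls", "").lower() in YES:
        findings.append("acl_xattr:ignore system acls = yes: set it only after the permissions were configured from Windows")
    return findings


# Constructed sample: [Demo] as on the page, [Broken] with the mistakes the page warns about.
SAMPLE_SMB_CONF = """[global]
    vfs objects = acl_xattr
    map acl inherit = yes
[Demo]
    path = /srv/samba/Demo/
    read only = no
[Broken]
    path = /srv/samba/Broken/
    read only = no
    force user = root
    valid users = @"SAMDOM\\Domain Users"
    acl_xattr:ignore system acls = yes
"""
```

Run <code>check_share(parse_smb_conf(open("/etc/samba/smb.conf").read()), "Demo")</code> against a real file to get the list of findings; pass <code>on_dc=True</code> on a domain controller.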

= Setting Share Permissions and ACLs =

When you configure a share with extended access control lists (ACL) support, you set the share permissions using Windows utilities instead of adding parameters to the share section in the <code>smb.conf</code> file.

To set permissions and ACLs on the <code>Demo</code> share:

* Log on to a Windows host using an account that has the <code>SeDiskOperatorPrivilege</code> privilege granted. e.g. <code>SAMDOM\Administrator</code> or <code>SAMDOM\john</code> where <code>john</code> is a member of <code>Unix Admins</code>.

* Click <code>Start</code>, enter <code>Computer Management</code>, and start the application.

* Select <code>Action</code> / <code>Connect to another computer</code>.

* Enter the name of the Samba host and click <code>OK</code> to connect the console to the host.

* Open the <code>System Tools</code> / <code>Shared Folders</code> / <code>Shares</code> menu entry.

:[[Image:Computer_Management_Shares.png]]

* Right-click the share and select <code>Properties</code>.

* Select the <code>Share Permissions</code> tab and check the share permissions; you should see just <code>Everyone</code>. For example:
:[[Image:share.png]]

{{Imbox
| type = important
| text = If the permissions are as above, do not change anything; if not, change them to allow just <code>Everyone</code>: <code>Full Control, Change and Read</code>. You only make changes on the <code>Security</code> tab.
}}

: Samba stores the share tab permissions in the <code>/usr/local/samba/var/locks/share_info.tdb</code> database.




* Select the <code>Security</code> tab.

* Click the <code>Edit</code> button and set the file system ACLs on the share's root directory. For example:

:[[Image:Demo_Share_Security.png]]

: For details about using the <code>SYSTEM</code> account on a Samba share, see [[The SYSTEM Account]].

: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].

* Click the <code>Add</code> button.

* Click the <code>Advanced</code> button.

* Click <code>Find Now</code>.

* Select a user or group from the list, <code>Domain Users</code> for instance.

* Click <code>OK</code>.

* Click <code>OK</code>.

* Select the permissions to grant, <code>Full control</code> for instance.

* A Windows Security box should open, asking if you want to continue. Click <code>Yes</code>.

* If you check the list of <code>Group or user names</code>, you should find <code>Domain Users</code> listed.

* Click <code>OK</code> to close the <code>Permissions for Demo</code> window.

* Click <code>OK</code> to store the updated settings.

For further details about configuring share permissions and ACLs, see the Windows documentation.





= Setting ACLs on a Folder =

To set file system permissions on a folder located on a share that uses extended access control lists (ACL):

* Log on to a Windows host using an account that has <code>Full control</code> on the folder whose file system ACLs you want to modify.

* Navigate to the folder.

* Right-click to the folder and select <code>Properties</code>.

* Select the <code>Security</code> tab and click the <code>Edit</code> button.

* Set the permissions. For example:

:[[Image:Folder_Permissions.png]]

: For details about using the <code>SYSTEM</code> account on a Samba share, see [[The SYSTEM Account]].

: For details where the ACLs are stored, see [[#File_System_ACLs_in_the_Back_End|File System ACLs in the Back End]].

* Click <code>OK</code> to close the <code>Permissions for Folder</code> window.

* Click <code>OK</code> to store the updated settings.

For further details about setting ACLs, see the Windows documentation.





= File System ACLs in the Back End =

Samba stores the file system permissions in extended file system access control lists (ACL) and in an extended attribute. For example:

* To list the extended ACLs of the <code>/srv/samba/Demo/</code> directory, enter:

# getfacl /srv/samba/Demo/
# file: srv/samba/Demo/
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::---

* To list the <code>security.NTACL</code> extended attribute of the <code>/srv/samba/Demo/</code> directory, enter:

# getfattr -n security.NTACL -d /srv/samba/Demo/
# file: srv/samba/Demo/
security.NTACL=0sBAAEAAAAAgAEAAIAAQC4zK0lHchKFvwXwbPR/h8P8sXMj5dNIT5QQuWsYwO3RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcG9zaXhfYWNsAEbGxuGu39MBuiZRk2pYxeL5ZWc4au0ikqRAk53MkjVd2b4quyk2WwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEABJy0AAAA0AAAAAAAAADsAAAAAQUAAAAAAAUVAAAASSVmaZneO8cxOHk/9AEAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAACAMQABwAAAAALFACpABIAAQEAAAAAAAEAAAAAAAAUAAAAEAABAQAAAAAAAQAAAAAACxQA/wEfAAEBAAAAAAADAAAAAAALFACpABIAAQEAAAAAAAMBAAAAAAMkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAAAkAP8BHwABBQAAAAAABRUAAABJJWZpmd47xzE4eT/0AQAAAAMkAL8BEwABBQAAAAAABRUAAABJJWZpmd47xzE4eT8BAgAA

The previous example of file system ACLs and the extended attribute is mapped to the following Windows ACLs:

{| class="wikitable"
!Principal
!Permissions
!Applies to
|-
|Domain Users (SAMDOM\Domain Users)
|Modify, Read & execute, List folder contents, Read, Write
|(This folder, subfolders and files)
|-
|Unix Admins (SAMDOM\Unix Admins)
|Full control
|(This folder, subfolders and files)
|}

* To get the ACL in a more readable form, enter:

# samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
# O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f01ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)
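As an added example (not code from this page or the Samba project), the following Python decodes the DACL of an SDDL string such as the <code>--as-sddl</code> output above into the principal, the access rights and the "Applies to" wording of the Windows security dialog, so the inherit-only (IO) entries for subfolders and files can be told apart from the entries on the folder itself. The SID-alias and summary-mask tables are limited to the values this needs and are ours, not Samba's.

```python
import re
from typing import Dict, List

# Well-known SID aliases (subset of the SDDL table, covering the page's example).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
               "AU": "NT AUTHORITY\\Authenticated Users", "CO": "CREATOR OWNER",
               "SO": "BUILTIN\\Server Operators", "WD": "Everyone", "BU": "BUILTIN\\Users"}
# Two-letter SDDL right codes and the access-mask bits they stand for.
RIGHT_CODES = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
               "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
               "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
# Names the Windows security dialog shows for these exact masks.
SUMMARY = {0x001F01FF: "Full control", 0x001301BF: "Modify", 0x001200A9: "Read & execute",
           0x00120089: "Read", 0x00100116: "Write",
           0x10000000: "Full control (generic)", 0xA0000000: "Read & execute (generic)"}
MASK_BITS = [(0x1, "READ_DATA/LIST_DIR"), (0x2, "WRITE_DATA/ADD_FILE"),
             (0x4, "APPEND_DATA/ADD_SUBDIR"), (0x8, "READ_EA"), (0x10, "WRITE_EA"),
             (0x20, "EXECUTE/TRAVERSE"), (0x40, "DELETE_CHILD"), (0x80, "READ_ATTRIBUTES"),
             (0x100, "WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
             (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
             (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
             (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]


def parse_rights(text: str) -> int:
    """Rights are either a hex mask or two-letter codes run together (e.g. WOWDGRGWGX)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for code in re.findall("..", text):
        mask |= RIGHT_CODES[code]
    return mask


def applies_to(flags: List[str]) -> str:
    """'Applies to' wording of the Windows security dialog for the OI/CI/IO flags."""
    oi, ci, io = "OI" in flags, "CI" in flags, "IO" in flags
    if not (oi or ci):
        return "This folder only"
    if oi and ci:
        return "Subfolders and files only" if io else "This folder, subfolders and files"
    if ci:
        return "Subfolders only" if io else "This folder and subfolders"
    return "Files only" if io else "This folder and files"


def decode_sddl(sddl: str) -> Dict:
    """Return owner, group, DACL control flags and the decoded ACEs of an SDDL string."""
    owner = re.search(r"O:([A-Z0-9-]+?)(?=[GDS]:|$)", sddl)
    group = re.search(r"G:([A-Z0-9-]+?)(?=[DS]:|$)", sddl)
    dacl = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        flag_list = re.findall("..", flags)  # OI, CI, IO, NP, ID
        mask = parse_rights(rights)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "sid": SID_ALIASES.get(sid, sid), "flags": flag_list,
                     "applies_to": applies_to(flag_list), "mask": mask,
                     "rights": SUMMARY.get(mask) or "|".join(n for b, n in MASK_BITS if mask & b)})
    # DACL control flags: P (protected), AI (auto-inherited), AR (auto-inherit required)
    dacl_flags = re.findall(r"AI|AR|P", dacl.group(1))
    return {"owner": SID_ALIASES.get(owner.group(1), owner.group(1)) if owner else None,
            "group": SID_ALIASES.get(group.group(1), group.group(1)) if group else None,
            "dacl_flags": dacl_flags, "aces": aces}


# The SDDL string from the page's samba-tool ntacl get --as-sddl output above.
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)"
               "(A;OICIIO;GA;;;SY)(A;;0x001f01ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)"
               "(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO)")
```

<code>decode_sddl(SAMPLE_SDDL)["aces"]</code> returns one dict per ACE; for the page's string, the <code>0x001f01ff</code> entry for SYSTEM decodes to "Full control" on "This folder only" and its GA companion is the inherit-only entry for subfolders and files.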






= Troubleshooting =


For troubleshooting, see:
* [[Troubleshooting_Samba_Domain_Members|Troubleshooting Samba Domain Members]]
* [[Samba_AD_DC_Troubleshooting|Samba AD DC Troubleshooting]]




= Related documentation =


The following documentation covers topics related to setting up file shares with special permissions or purposes:


* [[Setting_up_a_home_share|Setting up a home share]]


----
* [[Samba_%26_Windows_Profiles|Samba and Windows Profiles]]
[[Category:Active Directory]]
[[Category:Domain Members]]
[[Category:File Serving]]
[[Category:NT4 Domains]]

Latest revision as of 09:00, 1 February 2024
