Setting up a Share Using Windows ACLs

From SambaWiki
Revision as of 11:51, 3 November 2013 by Mmuehlfeld (Add section with related HowTos to cross link to interesting articles)


Since version 4, Samba allows you to do most of the share configuration from Windows. Permission management in particular, with real Windows ACLs and multiple entries, is much easier when done on Windows. The following HowTo gives you an overview of how to manage shares.

Preparatory work

Filesystem support

To use the advanced features of Samba, it has to be compiled with ACL support (e.g. RHEL requires the libacl-devel package to be installed when compiling). You also need a filesystem that supports the "user" and "system" xattr namespaces and has ACL and XATTR support.

XFS automatically supports ACLs. If you are using either ext3 or ext4 for your file system, you will need to include the options "user_xattr" and "acl" in your /etc/fstab entries. Example:

/dev/sda3     /srv/samba/Demo     ext4      user_xattr,acl      1 1

ACL support on member server

The following is only required on Domain Member Servers and not on Domain Controllers!

  • Add the following to the [global] section of your smb.conf:
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes
These options are required on Member Servers to enable real Windows ACLs. On Domain Controllers, ACL support is automatically enabled.


  • To configure share permissions, you need an account with „SeDiskOperatorPrivilege“. To grant this privilege, e.g. to the „Domain Admins“ group, run the following command on your server:
# net rpc rights grant 'SAMDOM\Domain Admins' SeDiskOperatorPrivilege -Uadministrator
You can review existing privileges with:
# net rpc rights list accounts -Uadministrator
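
The following shell functions are an added example, not part of the SambaWiki page or of Samba itself. They check offline that an fstab entry and the [global] section of an smb.conf carry the settings described under "Filesystem support" and "ACL support on member server". The function names and the sample files are constructed for illustration, and the parser assumes parameter names are spelled as on this page.

```shell
# Added example: offline check of the fstab and smb.conf settings named above.
# fstab_acl_ready FSTAB MOUNTPOINT: true if the mount is xfs, or ext3/ext4
# with both "user_xattr" and "acl" in its option field.
fstab_acl_ready() {
    awk -v want="$2" '
        function norm(p) { if (p != "/") sub(/\/+$/, "", p); return p }
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        norm($2) == norm(want) {
            n = split($4, o, ","); x = a = 0
            for (i = 1; i <= n; i++) { if (o[i] == "user_xattr") x = 1; if (o[i] == "acl") a = 1 }
            ok = ($3 == "xfs" || (($3 == "ext3" || $3 == "ext4") && x && a)); exit
        }
        END { exit !ok }
    ' "$1"
}

# global_param CONF KEY: print the value of KEY from [global] (last one wins).
global_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }
    ' "$1"
}

# is_true VALUE: the spellings Samba accepts for a true boolean.
is_true() { case $(printf %s "$1" | tr 'A-Z' 'a-z') in yes|true|on|1) ;; *) return 1 ;; esac; }

# member_acl_ready CONF: true if [global] has the three member-server settings.
member_acl_ready() {
    case " $(global_param "$1" 'vfs objects') " in *" acl_xattr "*) ;; *) return 1 ;; esac
    is_true "$(global_param "$1" 'map acl inherit')" || return 1
    is_true "$(global_param "$1" 'store dos attributes')"
}

# Constructed sample input, not taken from a real host.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '/dev/sda3 /srv/samba/Demo ext4 user_xattr,acl 1 1' \
    '/dev/sda4 /srv/samba/Old ext4 defaults 1 2' > "$tmp/fstab"
printf '%s\n' '[global]' ' vfs objects = acl_xattr' ' map acl inherit = Yes' \
    ' store dos attributes = Yes' '[Demo]' ' path = /srv/samba/Demo/' > "$tmp/smb.conf"
fstab_acl_ready "$tmp/fstab" /srv/samba/Demo/ && echo "fstab /srv/samba/Demo: ok"
fstab_acl_ready "$tmp/fstab" /srv/samba/Old || echo "fstab /srv/samba/Old: missing user_xattr,acl"
member_acl_ready "$tmp/smb.conf" && echo "smb.conf [global]: ok"
```

On a real server, point the functions at /etc/fstab and at your smb.conf instead of the sample files. A setting placed in a share section rather than in [global] is reported as missing.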

Adding a new share

  • Create a folder that you want to share
# mkdir -p /srv/samba/Demo/
  • Add a new share to your smb.conf:
     [Demo]
     path = /srv/samba/Demo/
     read only = no
  • Reload Samba:
# smbcontrol all reload-config

Setup share permissions

  • Log on to a Windows machine using an account to which the „SeDiskOperatorPrivilege“ was granted, or an account in a group that holds the privilege.
  • Open the Start Menu and search for „Computer Management“.
  • In the menu bar go to „Action“ / „Connect to another computer“.
  • Enter the name of the Samba server on which you created the new share.
  • Navigate to „System Tools“ / „Shared Folders“ / „Shares“ and select the newly added share.
  • Right-click the share name and choose „Properties“.
  • Go to the „Share Permissions“ tab. Here you can configure who can access the share and the appropriate permissions.
  • Go to the „Security“ tab, click the „Edit“ button and configure the filesystem permissions.
  • Save the changes by closing the windows with „OK“.

Change permissions on folders of a share

  • Log on to a Windows machine as Domain Administrator.
  • Navigate to the folder whose permissions you want to change.
  • Right-click the folder and choose „Properties“.
  • Go to the „Security“ tab and click the „Edit“ button.
  • Change the permissions according to your needs.
  • Save the changes by closing the windows with „OK“.

Related HowTos

The following HowTos cover topics related to setting up file shares with special permissions or purposes: