Home / server / Questions / 212000
In Process
fabian
Asked: 2010-12-14 04:24:35 +0800 CST

Can Samba support full Windows-ACLs?

  • 772

I've set up a Samba 3 host with AD integration and an ACL enabled filesystem. Using a windows client I can set users and groups permissions.

Up to now, Samba just maps to POSIX ACL's rwx permissions, which prevents me from using "Modify" or "Full Control" permissions on Windows. I also read a few things about xattrs and ZFS ACL support.

Can someone give a hint on what is the best way to go beyond POSIX ACLs to completely resemble Windows ACEs?

active-directory samba access-control-list file-permissions posix

3 Answers

  1. This is how I've always done it, not quite sure where I read this.

    In order to have most of windows ACL options on your Samba shares connected to AD you need to enable both POSIX ACLs and XATTRS:

    /dev/sda2       /samba              ext3    user_xattr,acl  1   2

    And in your smb.conf you need to enable idmapping, nt acls and attribute mapping like this:

    idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = idmap_rid:<domain_netbios_name>=16777216-33554431

nt acl support = yes
inherit acls = yes

map acl inherit = yes 
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
inherit permissions = yes

    Then all you need to do is define administrator user for the share, and with that user edit security settings from Windows. 

    [public]
path = /share/Public
public = yes
writable = yes
printable = no
admin users = "DOMAIN\user"

    The only problems could be related to existing ACLs (you "disown" root and transfer ownership to your Windows user) and unmapped user groups.

    To map groups manually you need to be doing something like this:

    net groupmap delete ntgroup="Domain Admins"
net groupmap delete ntgroup="Domain Users"
net groupmap delete ntgroup="Domain Guests"

net groupmap add ntgroup="Domain Admins" rid=512 unixgroup=root
net groupmap add ntgroup="Domain Users" rid=513 unixgroup=users 
net groupmap add ntgroup="Domain Guests" rid=514 unixgroup=nobody

    for builtin security groups.

    And then for all your groups:

    groupadd mygroup
net groupmap delete ntgroup="mygroup"   
net groupmap add ntgroup="DOMAIN\mygroup" rid=1000  unixgroup=mygroup   type=d
    • 7

  2. If you don't need POSIX ACLs on files to be actually usable (for example, when users can't login to your Samba controller locally), you can have full NT ACLs using vfs:

    [global]
  store dos attributes = yes
[share]
  vfs objects = acl_xattr
    • 4

  3. You will need to do two things.

    First, your filesystem must support ACLs. Here is an example of a line in an fstab file that enables ACL, yours will of course be different:

    /dev/mapper/VolGroup00-SambaVol /samba ext3 defaults,acl 0 0

    Once you have done that (and remounted or rebooted) you will want to enable nt acl in your smb.conf file: 

    [share1]
   path = /samba/share1
   nt acl support = yes
   writeable = yes

    Once you have done both and have restarted samba you should have proper ACLs.

    • 1