
Re: [Samba] Setting up a Share Using Windows ACLs

On 2017-04-24 01:44, Rowland Penny wrote:
On Sun, 23 Apr 2017 20:53:39 +1000
Henry via samba <samba@xxxxxxxxxxxxxxx> wrote:

root@aphrodite:~# getfacl -d /srv/samba/data/Testing
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins

However in Windows I am still unable to edit the "Security"
permissions tab.
"You do not have permission to view or edit this object's permission

I am really at a loss here as I am unable to get a Samba share
working with Windows ACLs. Surely it cannot be this complex, so what
am I missing? All I want is a Samba share that I can control the
permissions using Windows...

OK, sorry to be so long, but it turned out that I had a problem myself
and I had to fix it (amongst other things).

Right, if I run this:

ls -lad /srv/samba/Demo/

I get this:

drwxrwx---+ 3 root unix admins 4096 Apr 11 11:49 /srv/samba/Demo/

Note: I use 'Unix Admins' instead of 'Domain Admins', but it amounts to
the same thing.

getfacl gives this:

getfacl /srv/samba/Demo/
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
# owner: root
# group: unix\040admins

and on Windows:

Share permissions:

Everyone Full control
unix admins Full control
domain users Full control


root Full control
unix admins Full control
domain users Modify, Read & execute, List folder contents, Read, Write

One thing it doesn't say on the wiki page: when you grant the
SeDiskOperatorPrivilege, you have to do it on the machine that holds
the share.

So, make sure that Domain Admins, on the machine that holds the share,
has the SeDiskOperatorPrivilege. Set the Unix permissions as I
suggested and then try again from 'Computer Management' on a domain
joined Windows machine.

Make sure that you log in as a user that is a member of Domain Admins.

Can you also test that the underlying OS knows Domain Admins with:

getent group Domain\ Admins

If you do not get any output, then this is part of your problem.


Hi Rowland... one step forwards, thank you.

I think I found my mistake. In Windows I was using a domain admins account other than administrator; however, only administrator has the SeDiskOperatorPrivilege. When I log in to Windows as administrator it works. Now with my "testing" share I can do everything I need to! I have now created a new share following this procedure and it works too :)

I have two existing shares that do not display the "Security" tab in Windows and I have double & triple checked everything in Samba. Does Windows/Samba cache the security settings or can I reset the security settings for these two shares and start again from scratch?
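
The mismatch found in this thread (the share directory is group-owned by "domain admins", but only administrator holds SeDiskOperatorPrivilege) can be checked from captured command output. The following is an added example, not part of the original posts; the sample data is constructed, SAMDOM is a placeholder domain, and the layout of the privilege listing is assumed to be that of `net rpc rights list privileges SeDiskOperatorPrivilege` run against the machine that holds the share.

```shell
#!/bin/sh
# Added example: offline checks over captured output. All sample data is constructed.

# getfacl header in the form shown in the thread (the space is escaped as \040).
SAMPLE_ACL='# file: srv/samba/data/Testing
# owner: root
# group: domain\040admins'

# Assumed layout of `net rpc rights list privileges SeDiskOperatorPrivilege`.
# SAMDOM is a placeholder domain name.
SAMPLE_RIGHTS='SeDiskOperatorPrivilege:
  SAMDOM\administrator'

# Print the owning group from getfacl output, decoding \040 to a space.
acl_group() {
    printf '%s\n' "$1" | sed -n 's/^# group: //p' | sed 's/\\040/ /g'
}

# Print the accounts listed under the privilege: indented lines only,
# domain prefix stripped, lower-cased for comparison.
privilege_holders() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]\{1,\}//p' \
        | sed 's/^.*\\//' | tr '[:upper:]' '[:lower:]'
}

# Succeed only if the share's owning group is itself listed as a holder.
# Direct listing only: nested group membership is not resolved.
group_has_privilege() {
    grp=$(acl_group "$1" | tr '[:upper:]' '[:lower:]')
    privilege_holders "$2" | grep -Fqx -- "$grp"
}

# Report for the constructed sample (the situation described in the thread).
if group_has_privilege "$SAMPLE_ACL" "$SAMPLE_RIGHTS"; then
    echo "OK: '$(acl_group "$SAMPLE_ACL")' holds SeDiskOperatorPrivilege"
else
    echo "MISSING: '$(acl_group "$SAMPLE_ACL")' is not listed for SeDiskOperatorPrivilege"
fi
```

On a real system, replace the two sample variables with the captured output of `getfacl` on the share directory and of the privilege listing.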

