I've set up a Samba 3 host with AD integration and an ACL enabled filesystem. Using a windows client I can set users and groups permissions.
Up to now, Samba just maps to POSIX ACL's rwx permissions, which prevents me from using "Modify" or "Full Control" permissions on Windows. I also read a few things about xattrs and ZFS ACL support.
Can someone give a hint on what is the best way to go beyond POSIX ACLs to completely resemble Windows ACEs?
Best Answer
This is how I've always done it, not quite sure where I read this.
In order to have most of windows ACL options on your Samba shares connected to AD you need to enable both POSIX ACLs and XATTRS:
And in your smb.conf you need to enable idmapping, nt acls and attribute mapping like this:
Then all you need to do is define administrator user for the share, and with that user edit security settings from Windows.
The only problems could be related to existing ACLs (you "disown" root and transfer ownership to your Windows user) and unmapped user groups.
To map groups manually you need to be doing something like this:
for builtin security groups.
And then for all your groups: