Samba – Can Samba support full Windows-ACLs

access-control-listactive-directoryfile-permissionsposixsamba

I've set up a Samba 3 host with AD integration and an ACL enabled filesystem. Using a windows client I can set users and groups permissions.

Up to now, Samba just maps to POSIX ACL's rwx permissions, which prevents me from using "Modify" or "Full Control" permissions on Windows. I also read a few things about xattrs and ZFS ACL support.

Can someone give a hint on what is the best way to go beyond POSIX ACLs to completely resemble Windows ACEs?

Best Answer

This is how I've always done it, not quite sure where I read this.

In order to have most of windows ACL options on your Samba shares connected to AD you need to enable both POSIX ACLs and XATTRS:

/dev/sda2       /samba              ext3    user_xattr,acl  1   2

And in your smb.conf you need to enable idmapping, nt acls and attribute mapping like this:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = idmap_rid:<domain_netbios_name>=16777216-33554431

nt acl support = yes
inherit acls = yes

map acl inherit = yes 
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
inherit permissions = yes

Then all you need to do is define administrator user for the share, and with that user edit security settings from Windows.

[public]
path = /share/Public
public = yes
writable = yes
printable = no
admin users = "DOMAIN\user"

The only problems could be related to existing ACLs (you "disown" root and transfer ownership to your Windows user) and unmapped user groups.

To map groups manually you need to be doing something like this:

net groupmap delete ntgroup="Domain Admins"
net groupmap delete ntgroup="Domain Users"
net groupmap delete ntgroup="Domain Guests"

net groupmap add ntgroup="Domain Admins" rid=512 unixgroup=root
net groupmap add ntgroup="Domain Users" rid=513 unixgroup=users 
net groupmap add ntgroup="Domain Guests" rid=514 unixgroup=nobody

for builtin security groups.

And then for all your groups:

groupadd mygroup
net groupmap delete ntgroup="mygroup"   
net groupmap add ntgroup="DOMAIN\mygroup" rid=1000  unixgroup=mygroup   type=d

Related Solutions

Linux – Mac OS X clients cannot see extended ACLs through samba or netatalk on a debian server

Try this workaround:

Add

acl check permissions = no

to [global] because of how Darwin ACLs are closer to Windows ACLs instead of POSIX ACLs.

Sources:

ZFS – use pure ACLs to force group write permissions to be inherited

I use something like below for my passwordless, NAS storage. I'm not well versed on all the fine-grained permissions so it's probably overkill on owner/group perms and underkill on everyone, but here it is:

setfacl -m owner@:full_set:fd:allow /zfs/raid1/storage
setfacl -m group@:full_set:fd:allow /zfs/raid1/storage
setfacl -m everyone@:rx:fd:allow /zfs/raid1/storage

It's on FreeBSD, so ZFS's NFSv4 ACLs are built into setfacl. I think they can also be in nfs4_setfacl and chmod on some OSes. I'm very new to ACLs and even newer to FreeBSD, as well, so this all may make sysadmins cry. It also acts as chmod 2774 and sets new files'/directories' groups to the dataset's group.

Edit to clarify a bit: /zfs/raid1 is the actual ZFS mount, storage is a dataset within it.

Best Answer

Related Solutions

Linux – Mac OS X clients cannot see extended ACLs through samba or netatalk on a debian server

ZFS – use pure ACLs to force group write permissions to be inherited

Related Topic