Setup and configure file shares
Samba allows you, since version 4, to do most share configuration via windows. In particular, the permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following Howto will give you an overview of how to manage shares.
To use the advanced features of Samba, it has to be compiled with ACL support. Also you need a filesystem that supports the “user” and “system” xattr namespaces. It also needs to have ACL and XATTR support.
You can see Samba4 File System support to complete the requirements.
The following is only required on Domain Member Servers and not on Domain Controllers! Add the following to your [global] section of your smb.conf if you don't did this early:
vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes
This options are required on Member Servers, to enable the possibility for real windows ACLs. On Domain Controllers, ACL support is automatically enabled.
To configure share permissions, you need an account with “SeDiskOperatorPrivilege”. To see existing privileges can be reviewed by:
# net rpc rights list accounts -U'YOURDOMAIN\administrator'
In case the 'administrator' account don't have this privilege, you can grant this privilege, e. g. to the “Domain Admin” group, run the following command on your server:
# net rpc rights grant 'YOURDOMAIN\Domain Admins' SeDiskOperatorPrivilege -U'YOURDOMAIN\administrator'
# mkdir -p /srv/samba/Demo/
[Demo] path = /srv/samba/Demo/ read only = no
# smbcontrol all reload-config
First you need to have access to your domain user administrator (or your currently domain user) in file system:
chown -R administrator:'domain users' /srv/samba/Demo
To see extended ACLs:
# cd /srv && getfacl samba/Demo # file: samba/Demo/ # owner: cbustillo # group: domain\040users user::rwx group::r-x other::r-x
To set extended ACLs for others users:
# setfacl -R -m default:other::r-x ServicePacks/
To remove all extended ACLs:
# setfacl -b /srv/samba/Demo # setfacl -b /srv/samba/Demo/*
More info about extended ACLs in:
# man setfacl # man getfacl
In certain situations, share configuration parameters which were commonly used with NT-style domains such as “force group” or “force user” may lead to “Access Denied” errors when trying to set permissions on a new share, or other complications, such as losing the ability to even see the Security tab. You may find even after correcting the issues that the problems may persist even after removing and re-adding the share properly. In such cases, it may be helpful to manually wipe out all ACLs on the share and recursively re-grant full control to the Domain Admins group with the setfacl command as follows (may need to run as root):
# setfacl -b /path/to/share # setfacl -b /path/to/share/* # setfacl -R -m default:group:domain\ admins:rwx /path/to/share