setfacl for multiple users with individual folder permissions in a single share

Posted on 2007-10-09
Last Modified: 2013-12-16
I have a Samba server integrated into Active Directory with ACLs installed. The Samba server works with Active Directory authentication; it's the ACL and Linux permissions I'm struggling with.

Here's the relevant Samba share definition, along with linux permissions and ACL listings


comment = Home Shares
path = /data/home
read only = No
create mask = 0770
directory mask = 0770
browsable = Yes
public = Yes
writeable = Yes
force create mode = 0770
force directory mode = 0770
force security mode = 0770
guest ok = no
inherit permissions = yes
nt acl support = yes

The problem I am having is with a share and the proper security to allow users to see the folder contents of /data/home but not be allowed into any one else's directory, only their own subdirectory.

/data/home contains 3 user subdirectories as such


/data/home needs (if possible) to be viewable by users
/data/home needs not allow anyone to write anything in this directory, only their own sub dir
each user to have rwx to their own /data/home/user directory

Here's what I have for permissions that almost work:
root@samba# ls -l /data
drwxrwx---+ 13 root root  4096 2007-10-09 09:50 home

root@samba# ls -l /data/home
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:15 user1
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:16 user2
drwxrwxr-x+ 2 root root 4096 2007-10-09 09:18 user3

root@samba# getfacl /data/home/
# file: home
# owner: root
# group: root

root@samba# getfacl /data/home/user1
# file: user1
# owner: root
# group: root

This setup allows the domain administrator in Windows to browse the "Home" share but no one else can browse it or access the directories assigned to them beneath it.  Here is the getfacl for the sub-directories but I think that the problem is with the /data/home security.

Any ideas what I am doing wrong or any suggestions how I can start over and create the proper linux group and user permissions, chmod and ACL?
Question by: avatech
    LVL 39

    Expert Comment

    On /home I would expect you need the protection set to user:DOMAIN\Users:r-x

    The x allows users to access & pass through the directory, the r allows them to make a listing.
    And you probably want the mask also to be r-x to prevent writable directories by default (but that's more about personal taste).
    LVL 4

    Author Comment

    That is a correct summary. What is the syntax to change the mask for setfacl? The man page and docs I've found for it are a bit cumbersome. I've worked out how to assign the user and group permissions OK, and I figured that the mask rwx sounds like my problem.
    LVL 16

    Accepted Solution

    Granting an additional user read access
        setfacl -m u:lisa:r file

    Revoking write access from all groups and all named users (using the effective rights mask)
        setfacl -m m::rx file

    Removing a named group entry from a file's ACL
        setfacl -x g:staff file

    Copying the ACL of one file to another
        getfacl file1 | setfacl --set-file=- file2

    Copying the access ACL into the Default ACL
        getfacl --access dir | setfacl -d -M- dir
    LVL 16

    Expert Comment


    You may want to issue:

    setfacl -m 'u:DOMAIN\User1:rx' /data/home
    LVL 39

    Expert Comment

    Well xDamox answered the followup.
    LVL 19

    Assisted Solution

    I think you are looking at ACLs when you only need standard unix permissions for what you want.

    just change this
    force create mode = 0770
    force directory mode = 0770
    force security mode = 0770

    to this
    force create mode = 0700
    force directory mode = 0700
    force security mode = 0700

    and make owner
    root:root /home permissions 755
    user1:root /data/home/user1 permissions 700
    user2:root /data/home/user2 permissions 700
    user3:root /data/home/user3 permissions 700

    and that's it.
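The two answers above describe the same target layout from different angles: the share root listable and traversable by everyone but writable by nobody (mode 755, or a named ACL entry plus a mask of r-x), and each user's subdirectory 700 and owned by that user. The script below is an added example, not code posted in this thread; it builds that layout on a scratch tree, optionally applies the named-user ACL and r-x mask with setfacl, and verifies the result so a misconfigured root or subdirectory is reported. The function names setup_home_share, grant_root_listing and check_home_share are this example's own, it assumes GNU or BSD stat, and the ACL step assumes setfacl is installed on an ACL-enabled filesystem; on a real server run it as root so chown can assign directories to other accounts.

```shell
#!/bin/sh
# Added example (not from the thread): build and verify the "home shares" layout
# described in the answers: share root 0755, one 0700 subdirectory per user owned by
# that user, optionally a named-user ACL entry with r-x and a mask pinned to r-x.
# Assumes GNU or BSD stat; the ACL step additionally assumes setfacl is available.

# Permission bits of a path as the last three octal digits (setgid/sticky dropped).
mode_of() {
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  printf '%s\n' "${m#"${m%???}"}"
}

# User name of the owner of a path.
owner_of() {
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# setup_home_share ROOT USER...: create the share root and one private directory
# per user. A non-root caller can only hand directories to itself; run as root
# on the server so chown can assign user1, user2, ... their own directories.
setup_home_share() {
  root=$1; shift
  mkdir -p "$root"
  chmod 755 "$root"               # r-x for group and other: list + traverse, no writes
  for u in "$@"; do
    mkdir -p "$root/$u"
    chown "$u" "$root/$u"
    chmod 700 "$root/$u"          # only the owner may enter, read or write
  done
}

# grant_root_listing ROOT PRINCIPAL: give a named user (e.g. 'DOMAIN\Users' as in
# the thread, or a local account) r-x on the share root, and set the mask to r-x so
# no group or named entry can ever be effectively writable there.
# Returns 1 when setfacl is missing or the filesystem rejects ACLs.
grant_root_listing() {
  root=$1; principal=$2
  command -v setfacl >/dev/null 2>&1 || return 1
  setfacl -m "u:${principal}:r-x" -m "m::r-x" "$root"
}

# check_home_share ROOT: 0 when the root is 755 and every subdirectory is 700 and
# owned by the user it is named after; prints the first violation and returns 1 otherwise.
check_home_share() {
  root=$1
  [ "$(mode_of "$root")" = 755 ] || { echo "$root: mode $(mode_of "$root"), want 755" >&2; return 1; }
  for d in "$root"/*/; do
    [ -d "$d" ] || continue       # glob matched nothing: no user directories yet
    d=${d%/}; name=${d##*/}
    [ "$(mode_of "$d")" = 700 ] || { echo "$d: mode $(mode_of "$d"), want 700" >&2; return 1; }
    [ "$(owner_of "$d")" = "$name" ] || { echo "$d: owner $(owner_of "$d"), want $name" >&2; return 1; }
  done
}

# Stand-alone demo on a constructed scratch tree owned by the invoking user.
demo=$(mktemp -d)
setup_home_share "$demo/home" "$(id -un)"
grant_root_listing "$demo/home" "$(id -un)" || echo "ACL step skipped (no setfacl or no ACL support)"
check_home_share "$demo/home" && echo "layout OK under $demo/home"
rm -rf "$demo"
```

check_home_share is the part worth keeping around: after the Samba "force ... mode" settings are changed, rerun it against /data/home to confirm no subdirectory has drifted back to group-writable and that every directory still belongs to the user it is named after.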
