Folder ACL permissions of samba shares not visible under Windows

From Windows systems, permissions for directories of a Samba share are not listed in the Properties window (as in the attached pic) unless the permissions were set from Windows rather than with the setfacl command from Ubuntu. Permissions for the files are displayed correctly. Is there any setting that should be enabled to make the permissions visible from Windows too? Everything is working fine, but permissions for folders cannot be reviewed from Windows. Any help is welcome, thank you!

The ACL-related settings in smb.conf are:
#### acl settings ######
   acl compatibility = win2k
   nt acl support = yes
   inherit permissions = yes
   inherit acls = yes
   map acl inherit = yes
szentannai (Author) commented:
Thank you for the assistance. In the group mapping we already used the same GIDs as in Windows; in the meantime we found out that if the default ACL is not set for the directory and it is not the same as the explicit ACL, then Windows will not display the ACL permissions for users/groups on that directory.
In conclusion, if you want to see the ACL permissions for directories of a Samba share from Windows too, then when you set an ACL permission from Linux, don't forget to set the default permission too, with the same rights.
P.S. Thank you Dan for your kindness!
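The condition szentannai describes (the directory's default ACL must exist and carry the same entries as its access ACL) is easy to get wrong with a single setfacl call. The following is an added example, not part of the thread: a small POSIX sh/awk checker that reads getfacl output and reports any access entry that has no matching default entry. The share path /srv/share/dir1 and the group name "projects" are assumed, and the two getfacl outputs embedded below are constructed samples of the working and the failing case.

```shell
#!/bin/sh
# Added example (not from the original thread). On a real share directory
# you would apply matching access and default ACLs like this (assumed
# path and group; not executed here):
#   setfacl -m  g:projects:rwx /srv/share/dir1
#   setfacl -d -m g:projects:rwx /srv/share/dir1
#   getfacl -p /srv/share/dir1 | acl_defaults_match
#
# acl_defaults_match reads getfacl output on stdin. It returns 0 when every
# access entry (user/group/mask/other) has an identical default entry, and
# otherwise prints each mismatch and returns 1.
acl_defaults_match() {
  awk -F: '
    /^#/ || /^$/ { next }                 # skip "# file:" headers and blanks
    { sub(/[ \t]+#.*$/, "") }             # drop trailing "#effective:..." notes
    $1 == "default" {                     # default:<tag>:<name>:<perms>
      def[$2 ":" $3] = $4; next
    }
    { acc[$1 ":" $2] = $3 }               # <tag>:<name>:<perms>
    END {
      bad = 0
      for (k in acc) {
        if (!(k in def)) {
          print "missing default entry for " k; bad = 1
        } else if (def[k] != acc[k]) {
          print "default " k " is " def[k] " but access is " acc[k]; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample: a directory whose default ACL mirrors its access ACL.
GOOD_ACL='# file: srv/share/dir1
# owner: root
# group: projects
user::rwx
group::r-x
group:projects:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:projects:rwx
default:mask::rwx
default:other::r-x'

# Constructed sample: only "setfacl -m g:projects:rwx" was run, so the
# default ACL lacks the group entry and the mask.
BAD_ACL='# file: srv/share/dir2
# owner: root
# group: projects
user::rwx
group::r-x
group:projects:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x'

# Convenience wrapper so the embedded samples can be checked without getfacl.
check_acl_text() { printf '%s\n' "$1" | acl_defaults_match; }
```

Running check_acl_text on GOOD_ACL returns 0; on BAD_ACL it lists the missing default entries for group:projects and mask and returns 1, which is the state in which Windows shows an empty permissions list for the folder.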
Jason Watkins, IT Project Leader, commented:
I am quite sure that the ability to set ACL entries from a Windows machine to a SMB share on a Linux server is not possible.  The security databases between the two do not synchronize that type of data.
Daniel McAllister, President, IT4SOHO, LLC, commented:
I am equally sure that Firebar is incorrect...

Samba can handle ACLs just fine, and they can map to Microsoft ACLs just fine -- just don't expect the exact "granularity" of control you can have on Windows (NTFS) servers.

In your case, szentannai, I would be interested to see the outputs of the following command-line tools:
  net groupmap list

My suspicions are that the Domain Admins group isn't mapped correctly in the Samba system... a common mistake with several common causes:
 a) admins assume group names will map, and so create a "domainadmins" account and expect Samba to just "figure it out"
 b) admins assume Samba STILL creates an automatic mapping of NT "Domain Admins" to Linux "admins"
 c) admins assume that the NT "Domain Admins" GID (512) will magically map to the Linux group GID 512 (whatever its name).

In fact, NONE of those assumptions are valid. If the "net groupmap list" output doesn't include a line for Domain Admins, try the following command:
   net groupmap add ntgroup="Domain Admins" unixgroup="admins" rid=512 type=d

Repeat for the following NT groups with the associated GIDs:
512 = "Domain Admins"
513 = "Domain Users"
514 = "Domain Guests"
515 = "Domain Computers"
516 = "Domain Controllers"
517 = "Domain Certificate Admins"
518 = "Domain Schema Admins"
519 = "Domain Enterprise Admins"
520 = "Domain Policy Admins"

NOTE: While you CAN use the same unixgroup for multiple ntgroup names, it is not recommended (for example, you could re-use admins for "Domain Admins", "Domain Certificate Admins", "Domain Schema Admins", and "Domain Enterprise Admins" -- but it is better to just create separate groups for each).

I have attached a script that will automatically create and map Unix group names to NT group names... use at your own discretion.

Good Luck!

#! /bin/bash
# Author:  Dan McAllister (IT4SOHO)
# Date:    2003-Jan-23
# Mod Date:2008-Apr-16 (add extended nt domain group lists)
# Use: run with no arguments as the root user (or with a properly configured sudo)
# Assumptions:
#   Must be run as ROOT user (group ID creation requires root permission)
#   Group names are pre-defined and hard-coded in the script (this is not required)
#   Group numbers are pre-defined and hard-coded in the script (this is not required)

# Check for root user running this program
if [ "$UID" != "0" ] ; then
  echo "$0 : FATAL : Program MUST be run as the ROOT user" 1>&2
  exit 1
fi

# Setup & populate Arrays (NT group name, its well-known RID, and the Linux
# group name it maps to; the three arrays are indexed in parallel)
MSNAME=(        "Domain Admins" \
                "Domain Users" \
                "Domain Guests" \
                "Domain Computers" \
                "Domain Controllers" \
                "Domain Certificate Admins" \
                "Domain Schema Admins" \
                "Domain Enterprise Admins" \
                "Domain Policy Admins" )
MSRID=( 512 513 514 515 516 517 518 519 520 )
# The posted list had only 8 Linux names for 9 NT groups; "dompolicyadmins"
# is added here following the same naming pattern so the lengths match.
LINID=(         "domadmins"      "domusers" \
                "domguests"      "domcomputers" \
                "domcontrollers" "domcertadmins" \
                "domschemaadmins" "domentadmins" \
                "dompolicyadmins" )

# Check Variables (all 3 arrays should have the same number of elements)
if [ ${#MSNAME[*]} != ${#MSRID[*]} ] ; then
  echo "Mismatched Variable Lists ... fix MSNAME or MSRID in $0" 1>&2
  exit 1
elif [ ${#MSNAME[*]} != ${#LINID[*]} ] ; then
  echo "Mismatched Variable Lists ... fix MSNAME or LINID in $0" 1>&2
  exit 1
fi

# Loop through variables
INDEX=0
ARRAYLEN=${#MSNAME[*]}
while [ "${INDEX}" -lt "${ARRAYLEN}" ] ; do
  DOMAP=1
  # Check for presence of Mapping ALREADY present
  # ("net groupmap list ntgroup=..." fails when no mapping exists)
  if net groupmap list ntgroup="${MSNAME[${INDEX}]}" > /dev/null 2>&1 ; then
    net groupmap list ntgroup="${MSNAME[${INDEX}]}"
    DOMAP=0     # mapping exists already, nothing to add
  fi
  # Check for presence of LINID already (anchored so "domadmins" does not
  # match a longer group name elsewhere in /etc/group)
  if ! grep "^${LINID[${INDEX}]}:" /etc/group > /dev/null 2>&1 ; then
    echo -n "Creating Linux Group ${LINID[${INDEX}]}"
    if groupadd -g "${MSRID[${INDEX}]}" "${LINID[${INDEX}]}" > /dev/null 2>&1 ; then
      echo " with ID ${MSRID[${INDEX}]} (normal)"
    elif groupadd "${LINID[${INDEX}]}" > /dev/null 2>&1 ; then
      # the RID was already taken as a GID; report the one groupadd picked
      GID=`grep "^${LINID[${INDEX}]}:" /etc/group | awk -F: '{print $3}'`
      echo " with ID $GID (generated)"
    else
      echo " FAILED" 1>&2
    fi
  fi
  if [ "$DOMAP" != 0 ] ; then
    echo "Mapping Windows ${MSNAME[${INDEX}]} to Linux ${LINID[${INDEX}]}"
    net groupmap add ntgroup="${MSNAME[${INDEX}]}" unixgroup="${LINID[${INDEX}]}" rid=${MSRID[${INDEX}]} type=d > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
      echo "OOPS! Error mapping Windows ${MSNAME[${INDEX}]} to Linux ${LINID[${INDEX}]}" 1>&2
    fi
  fi
  INDEX=`expr $INDEX + 1`
done
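Before creating any mappings, it helps to see which of the well-known RIDs Daniel lists are actually absent. The following is an added example, not Daniel's script or any Samba tool: a POSIX sh/awk filter that reads the short-form output of "net groupmap list" (one line per map in the form "Domain Admins (S-1-5-21-...-512) -> domadmins") and prints the RIDs 512 to 520 that have no mapping, in the same "RID = name" form used in the post. The domain SID in the embedded sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Usage on a real server:
#   net groupmap list | missing_groupmaps
# prints one "RID = "NT name"" line per well-known domain group that has no
# group map yet; no output means all nine are mapped.
missing_groupmaps() {
  awk '
    BEGIN {
      want[512] = "Domain Admins";             want[513] = "Domain Users"
      want[514] = "Domain Guests";             want[515] = "Domain Computers"
      want[516] = "Domain Controllers";        want[517] = "Domain Certificate Admins"
      want[518] = "Domain Schema Admins";      want[519] = "Domain Enterprise Admins"
      want[520] = "Domain Policy Admins"
    }
    # Each mapped line carries the SID in parentheses; the RID is its last
    # dash-separated component.
    match($0, /\(S-[0-9-]+\)/) {
      sid = substr($0, RSTART + 1, RLENGTH - 2)
      n = split(sid, parts, "-")
      seen[parts[n] + 0] = 1
    }
    END {
      for (rid = 512; rid <= 520; rid++)
        if (!(rid in seen)) print rid " = \"" want[rid] "\""
    }'
}

# Constructed sample of "net groupmap list" output on a server where only
# the first two groups have been mapped (domain SID is made up).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers'

# Wrapper so the sample can be checked without a running Samba.
sample_missing() { printf '%s\n' "$SAMPLE_GROUPMAP" | missing_groupmaps; }
```

For the sample, sample_missing prints seven lines, 514 through 520, each ready to be turned into the "net groupmap add ... rid=... type=d" command from the post.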

Jason Watkins, IT Project Leader, commented:
No mention was made that the Samba server was a domain controller. Just going on the information provided...
Daniel McAllister, President, IT4SOHO, LLC, commented:
Another common misconception -- and it brings up something LACKING in my post:

1) The group mappings should be there regardless -- even if you're not a DC, just an AD member (which is all Samba can do 'til 4 comes out)

2) If you're a member of a Microsoft domain, you're going to need to make sure that NOT just smbd and nmbd are running, but also winbindd!

Most distributions' startup scripts & installers will auto-config and auto-start smbd & nmbd (the "traditional" Samba daemons)... but as a member of an AD domain, you MUST also be running the winbindd daemon!

Use the following command to see if it is running:
  pgrep -l winbindd

If the response is empty (no lines), start winbindd manually with
  winbindd -D
and fix your startup program (probably by editing the file at /etc/init.d/smb or /etc/init.d/samba)

If it is already running, the maps I set up above should provide the final "key".

Best of luck!


PS: I believe an explanation may be in order:

The groupmaps FORCE an association between Unix and NT domain group names... this is generally desired for admin groups (so Windows admins can have file access admin rights on the Unix system file shares).

winbindd EXTENDS the Unix users and groups to include the domain users & groups. Under the covers, a large block of Unix UIDs & GIDs are reserved for winbindd use, and then whenever a user or group accesses the file shares, Samba creates (on the fly) a UID or GID and automagically associates (maps) it to the domain UID or GID. NOTE: this can be problematic with clustered storage arrays, and so some thought about the underlying mechanics needs to be undertaken in more "advanced" installations.