Folder ACL permissions of samba shares not visible under Windows

Posted on 2010-01-11
Last Modified: 2013-12-09
From Windows systems, permissions for directories of a Samba share are not listed in the Properties window (as in the attached picture), only if the permissions were set from Windows, not using the setfacl command from Ubuntu. Permissions for the files are displayed correctly. Is there any setting that should be enabled to make permissions visible from Windows too? Everything is working fine, but permissions for folders cannot be overviewed from Windows. Any help is welcome, thank you!

The ACL-related settings in smb.conf are:
#### acl settings ######
   acl compatibility = win2k
   nt acl support = yes
   inherit permissions = yes
   inherit acls = yes
   map acl inherit = yes
Question by: szentannai
Expert Comment by: Jason Watkins (ID: 26293790)
I am quite sure that the ability to set ACL entries from a Windows machine to a SMB share on a Linux server is not possible.  The security databases between the two do not synchronize that type of data.
Expert Comment by: Daniel McAllister (ID: 26294109)
I am equally sure that Firebar is incorrect...

Samba can handle ACLs just fine, and they can map to Microsoft ACLs just fine -- just don't expect the exact "granularity" of control you can have on Windows (NTFS) servers.

In your case, szentannai, I would be interested to see the outputs of the following command-line tools:
  net groupmap list

My suspicions are that the Domain Admins group isn't mapped correctly in the Samba system... a common mistake with several common causes:
 a) admins assume group names will map, and so create a "domainadmins" account and expect Samba to just "figure it out"
 b) admins assume Samba STILL creates an automatic mapping of NT "Domain Admins" to Linux "admins"
 c) admins assume that the NT "Domain Admins" GID (512) will magically map to the Linux group GID 512 (whatever its name).

In fact, NONE of those assumptions are valid. If the "net groupmap list" output doesn't include a line for Domain Admins, try the following command:
   net groupmap add ntgroup="Domain Admins" unixgroup="admins" rid=512 type=d

Repeat for the following NT groups with the associated GIDs:
512 = "Domain Admins"
513 = "Domain Users"
514 = "Domain Guests"
515 = "Domain Computers"
516 = "Domain Controllers"
517 = "Domain Certificate Admins"
518 = "Domain Schema Admins"
519 = "Domain Enterprise Admins"
520 = "Domain Policy Admins"

NOTE: While you CAN use the same unixgroup for multiple ntgroup names, it is not recommended (for example, you could re-use admins for "Domain Admins", "Domain Certificate Admins", "Domain Schema Admins", and "Domain Enterprise Admins" -- but it is better to just create separate groups for each).

I have attached a script that will automatically create and map unix group names to nt group names... use at your own discretion.

Good Luck!

#! /bin/bash
# SetSambaDomainGroups.sh
# Author:  Dan McAllister (IT4SOHO)
# Date:    2003-Jan-23
# Mod Date:2008-Apr-16 (add extended nt domain group lists)
# Use: run with no arguments as the root user (or with a properly configured sudo)
# Assumptions:
#   Must be run as ROOT user (group ID creation requires root permission)
#   Group names are pre-defined and hard-coded in the script (this is not required)
#   Group numbers are pre-defined and hard-coded in the script (this is not required)

# Check for root user running this program
if [ "$UID" != "0" ] ; then
  echo "$0 : FATAL : Program MUST be run as the ROOT user" 1>&2
  exit 1
fi

# Setup & populate Arrays (MSNAME[i], MSRID[i] and LINID[i] describe one group)
MSNAME=(        "Domain Admins" \
                "Domain Users" \
                "Domain Guests" \
                "Domain Computers" \
                "Domain Controllers" \
                "Domain Certificate Admins" \
                "Domain Schema Admins" \
                "Domain Enterprise Admins" \
                "Domain Policy Admins" )
MSRID=( 512 513 514 515 516 517 518 519 520 )
LINID=(         "domadmins"      "domusers" \
                "domguests"      "domcomputers" \
                "domcontrollers" "domcertadmins" \
                "domschemaadmins" "domentadmins" \
                "dompolicyadmins" )
# NOTE: the ninth LINID entry ("dompolicyadmins") was missing from the posted
# listing; the name follows the pattern of the others and can be changed freely.

# Check Variables (all 3 arrays should have the same number of elements)
if [ ${#MSNAME[*]} != ${#MSRID[*]} ] ; then
  echo "Mismatched Variable Lists ... fix MSNAME or MSRID in $0" 1>&2
  exit 1
elif [ ${#MSNAME[*]} != ${#LINID[*]} ] ; then
  echo "Mismatched Variable Lists ... fix MSNAME or LINID in $0" 1>&2
  exit 1
fi

# Loop through variables
INDEX=0
ARRAYLEN=${#MSNAME[*]}
while [ "${INDEX}" -lt "${ARRAYLEN}" ] ; do
  # Check for presence of Mapping ALREADY present
  if net groupmap list ntgroup="${MSNAME[${INDEX}]}" > /dev/null 2>&1 ; then
    net groupmap list ntgroup="${MSNAME[${INDEX}]}"
    DOMAP=0          # mapping exists already: nothing to add
  else
    DOMAP=1          # no mapping yet: add one below
  fi
  # Check for presence of LINID already (match the whole group-name field)
  if ! grep "^${LINID[${INDEX}]}:" /etc/group > /dev/null 2>&1 ; then
    echo -n "Creating Linux Group ${LINID[${INDEX}]}"
    if groupadd -g "${MSRID[${INDEX}]}" "${LINID[${INDEX}]}" > /dev/null 2>&1 ; then
      echo " with ID ${MSRID[${INDEX}]} (normal)"
    elif groupadd "${LINID[${INDEX}]}" > /dev/null 2>&1 ; then
      # Requested GID was taken: let groupadd pick one and report it
      GID=`grep "^${LINID[${INDEX}]}:" /etc/group | awk -F: '{print $3}'`
      echo " with ID $GID (generated)"
    else
      echo " FAILED (groupadd returned an error)" 1>&2
      DOMAP=0        # cannot map a group that does not exist
    fi
  fi
  if [ "$DOMAP" != 0 ] ; then
    echo "Mapping Windows ${MSNAME[${INDEX}]} to Linux ${LINID[${INDEX}]}"
    net groupmap add ntgroup="${MSNAME[${INDEX}]}" unixgroup="${LINID[${INDEX}]}" rid=${MSRID[${INDEX}]} type=d > /dev/null 2>&1
    if [ $? -ne 0 ] ; then
      echo "OOPS! Error mapping Windows ${MSNAME[${INDEX}]} to Linux ${LINID[${INDEX}]}" 1>&2
    fi
  fi
  INDEX=`expr $INDEX + 1`
done

Expert Comment by: Jason Watkins (ID: 26296083)
No mention was made that the Samba server was a domain controller. Just going on the information provided...
Expert Comment by: Daniel McAllister (ID: 26296368)
Another common misconception -- and it brings up something LACKING in my post:

1) The group mappings should be there regardless -- even if you're not a DC, just an AD member (which is all Samba can do 'til 4 comes out)

2) If you're a member of a Microsoft domain, you're going to need to make sure that NOT just smbd and nmbd are running, but also winbindd!

Most distributions' startup scripts & installers will auto-config and auto-start smbd & nmbd (the "traditional" Samba daemons)... but as a member of an AD domain, you MUST also be running the winbindd daemon!

Use the following command to see if it is running:
  pgrep -l winbindd

If the response is empty (no lines), start winbindd manually with
  winbindd -D
and fix your startup program (probably by editing the file at /etc/init.d/smb or /etc/init.d/samba)

If it is already running, the maps I set up above should provide the final "key".

Best of luck!


PS: I believe an explanation may be in order:

the groupmaps FORCE an association between unix and nt domain group names... this is generally desired for admin groups (so Win admins can have file access admin rights on the Unix system file shares)

the winbindd EXTENDS the Unix users and groups to include the domain users & groups. Under the covers, a large block of Unix UIDs & GIDs are reserved for winbindd use, and then whenever a user or group accesses the file shares, Samba creates (on the fly) a UID or GID and automagically associates (maps) it to the domain UID or GID. NOTE: this can be problematic with clustered storage arrays, and so some thought about the underlying mechanics needs to be undertaken in more "advanced" installations.

Accepted Solution by: szentannai (earned 0 total points, ID: 26322968)
Thank you for the assistance. In the group mapping we already used the same GIDs as in Windows; in the meantime we found out that if the default ACL is not set for the directory, and it's not the same as the explicit ACL, then Windows will not display the ACL permissions for users/groups on that directory.
As a conclusion, if you want to see the ACL permissions for directories of a Samba share from Windows too, when you set an ACL permission from Linux, don't forget to set the default permission too, with the same rights.
P.S. Thank you Dan for your kindness!
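The accepted solution above boils down to one rule: every named user/group entry in a directory's access ACL needs a matching default ACL entry with the same rights. The following shell script is an added example, not code posted by anyone in this thread, that checks a directory for exactly that condition by parsing getfacl output, and wraps setfacl so both entries are written together. The directory name (share/projects), the user (alice), the group (staff) and the embedded getfacl listing are constructed for the demonstration; the parser is fed that text so the check can be exercised even on a filesystem without ACL support.

```shell
#!/bin/sh
# Detect access-ACL entries on a directory that have no identical default-ACL
# entry (the situation in which Windows did not show the folder permissions).

# Apply one ACL entry (e.g. g:staff:r-x) to a directory as BOTH an access entry
# and a default entry, so the two always agree.
set_acl_with_default() {
  setfacl -m "$1" "$2" && setfacl -m "d:$1" "$2"
}

# Run the check on a real directory: prints one line per mismatch, returns 1 if any.
acl_default_mismatch() {
  getfacl -p "$1" 2>/dev/null | acl_default_mismatch_from_text
}

# Same check on getfacl text read from stdin.
# Named entries look like "user:alice:rwx" / "group:staff:r-x"; owner entries
# ("user::rwx"), mask and other have an empty qualifier and are ignored.
acl_default_mismatch_from_text() {
  awk '
    /^#/ || /^$/ { next }                 # skip the "# file:" header lines
    { sub(/[ \t]+#effective:.*$/, "") }   # drop getfacl effective-rights notes
    /^default:/ { sub(/^default:/, ""); def[$0] = 1; next }
    /^(user|group):[^:]+:/ { acc[$0] = 1; next }
    END {
      rc = 0
      for (e in acc)
        if (!(e in def)) { print "missing default entry for: " e; rc = 1 }
      exit rc
    }'
}

# Constructed getfacl listing (hypothetical share/projects directory):
# alice has a default entry, the staff group does not.
SAMPLE_ACL='# file: share/projects
# owner: root
# group: root
user::rwx
user:alice:rwx
group::r-x
group:staff:r-x
mask::rwx
other::---
default:user::rwx
default:user:alice:rwx
default:group::r-x
default:mask::rwx
default:other::---'

# Demo on the constructed listing; on a live system call
#   acl_default_mismatch /srv/share/projects
printf '%s\n' "$SAMPLE_ACL" | acl_default_mismatch_from_text \
  || echo "-> fix with: set_acl_with_default g:staff:r-x share/projects"
```

Because the comparison key includes the permission bits, an entry such as group:staff:rwx paired with default:group:staff:r-x is also reported, which matches the "same rights" condition in the solution rather than merely checking that a default entry exists.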
