
Samba Share With Windows DC


Example 1

  • Create a domain FROG.local on a Windows Server DC
  • Create two groups (tech and nerd) with a few users in each

We want to create a Samba share nas2 and give the following permissions:

Group name   Permission
tech         Read
nerd         Read Write

The Linux machine has already been joined to the domain (covered in another post).
Here we talk only about permissions.

/etc/samba/smb.conf

[global]
  workgroup = FROG
  security = ADS
  realm = FROG.LOCAL

  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  # keep the POSIX ACLs we set with setfacl below in force: with "yes" Samba
  # would decide access from the NT ACL stored in the security.NTACL xattr
  # alone and stop keeping the POSIX ACLs in step with it
  acl_xattr:ignore system acls = no
  store dos attributes = Yes

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  # user name not domain\name
  winbind use default domain = yes

  # -- testing - no production
  # winbind enum users = yes
  # winbind enum groups = yes

  # disable printer
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes

  # idmap: the rid backend needs a backend and range per domain, plus a
  # separate, non-overlapping range for the default (*) domain that holds
  # BUILTIN and local SIDs; "idmap uid" / "idmap gid" are deprecated
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config FROG : backend = rid
  idmap config FROG : range = 10000-200000
  template shell = /bin/bash
  create mask = 0770
  directory mask = 0770
  reset on zero vc = yes

  log file = /var/log/samba/samba.log
  log level = 2

[nas2]
  path = /nas2
  read only = no
  force create mode = 0660
  create mask = 0777
  directory mask = 0777
  force directory mode = 0770
  # users who cannot read the share do not see it, or its unreadable entries
  access based share enum = yes
  hide unreadable = yes

getfacl and setfacl


rm -rf /nas2
mkdir /nas2

# - make tech the owning group of /nas2 (it stays read only via the group bits)
chown :"FROG\tech" /nas2
getfacl /nas2

# group: tech
group::r-x
other::r-x

# - owning group tech gets read only, other loses all permissions
chmod -R g=rX,o= /nas2
getfacl /nas2

# group: tech
group::r-x
other::---

# - give group nerd read/write through a named ACL entry (this also creates the mask entry)
setfacl -R -m g:"FROG\nerd":rwX /nas2
getfacl /nas2

# group: tech
group::r-x
group:nerd:rwx
mask::rwx
other::---

# - set the default ACL so new entries inherit it: owning group read, nerd read/write, other nothing
setfacl -R -d -m g::rX,g:"FROG\nerd":rwX,o:- /nas2
getfacl /nas2

# group: tech
group::r-x
group:nerd:rwx
mask::rwx
other::---
default:group::r-x
default:group:nerd:rwx
default:mask::rwx
default:other::---

Example 2

Add one more group.

  • Create another group kungfu on the Windows Server DC
  • kungfu can only READ in the /nas2 share, except in a subfolder kung_can where it can READ and WRITE

cd /nas2

getfacl /nas2

# - kungfu gets read only on the whole tree, for existing entries (-R) and new ones (-d)
setfacl -R -m g:"FROG\kungfu":rX /nas2
setfacl -R -d -m g:"FROG\kungfu":rX /nas2
getfacl /nas2

# - the subfolder inherits the default ACL (kungfu read only) when it is created
mkdir kung_can

getfacl /nas2/kung_can
# - raise kungfu to read/write inside the subfolder, again for existing and new entries
setfacl -R -m g:"FROG\kungfu":rwX /nas2/kung_can
setfacl -R -d -m g:"FROG\kungfu":rwX /nas2/kung_can
getfacl /nas2/kung_can
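The getfacl output above is only what was written, not what the kernel grants: named group entries are ANDed with the mask entry, and a later plain chmod on the directory rewrites the mask rather than the entries, so nerd can silently lose write access while getfacl still shows group:nerd:rwx. The script below is an added example, not part of the original post: a POSIX sh audit that reads getfacl text, computes the effective rights of the groups from Examples 1 and 2, and checks that other gets nothing in both the access and the default ACL. The three getfacl outputs embedded in it are constructed to match the state after Example 1 and 2 (group names carry no FROG\ prefix because of "winbind use default domain = yes"); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit getfacl output offline.
# Samples below are constructed; function names are this example's own.

# _acl_perm ACLTEXT TAG QUALIFIER [default]
# Prints the perms field of one access entry (e.g. "group" "nerd" for
# group:nerd:rwx); with a 4th argument "default" the inherited entry is read
# instead. Prints "none" if the entry does not exist.
_acl_perm() {
    printf '%s\n' "$1" | awk -v tag="$2" -v q="$3" -v want_default="$4" '
        /^#/ || /^$/ { next }
        { sub(/[ \t]*#.*$/, "") }            # drop "#effective:" annotations
        {
            n = split($0, f, ":")
            if (f[1] == "default") { isdef = 1; shift = 1 } else { isdef = 0; shift = 0 }
            if ((want_default == "default") != isdef) next
            if (f[1+shift] == tag && f[2+shift] == q) { print f[n]; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# acl_effective ACLTEXT GROUP
# Effective rights of named group GROUP (owning group if GROUP is empty):
# the entry's bits AND the mask entry, which is what the kernel enforces.
acl_effective() {
    perm=$(_acl_perm "$1" group "$2")
    mask=$(_acl_perm "$1" mask "")
    [ "$perm" = none ] && { echo none; return; }
    [ "$mask" = none ] && { echo "$perm"; return; }
    out=""; i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s' "$perm" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$p" != - ] && [ "$m" != - ]; then out="$out$p"; else out="$out-"; fi
        i=$((i + 1))
    done
    echo "$out"
}

# acl_check_other ACLTEXT
# For a directory: succeeds only if neither the access nor the default
# "other" entry grants anything, so domain users outside the listed groups
# get no access and newly created entries inherit that.
acl_check_other() {
    [ "$(_acl_perm "$1" other "")" = "---" ] &&
    [ "$(_acl_perm "$1" other "" default)" = "---" ]
}

# acl_report ACLTEXT: one summary line for the groups used in the examples.
acl_report() {
    printf 'tech=%s nerd=%s kungfu=%s other_ok=%s\n' \
        "$(acl_effective "$1" "")" "$(acl_effective "$1" nerd)" \
        "$(acl_effective "$1" kungfu)" "$(acl_check_other "$1" && echo yes || echo no)"
}

# Constructed: getfacl /nas2 after Examples 1 and 2.
NAS2='# file: nas2
# owner: root
# group: tech
user::rwx
group::r-x
group:nerd:rwx
group:kungfu:r-x
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:nerd:rwx
default:group:kungfu:r-x
default:mask::rwx
default:other::---'

# Constructed: getfacl /nas2/kung_can after Example 2.
KUNG_CAN='# file: nas2/kung_can
# owner: root
# group: tech
user::rwx
group::r-x
group:nerd:rwx
group:kungfu:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:nerd:rwx
default:group:kungfu:rwx
default:mask::rwx
default:other::---'

# Constructed: /nas2 after someone later ran "chmod g-w /nas2". The named
# entries are untouched but the mask drops to r-x, getfacl marks them
# "#effective:r-x", and nerd loses write access without any setfacl call.
NAS2_CHMODDED='# file: nas2
# owner: root
# group: tech
user::rwx
group::r-x
group:nerd:rwx			#effective:r-x
group:kungfu:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:nerd:rwx
default:group:kungfu:r-x
default:mask::rwx
default:other::---'

acl_report "$NAS2"           # tech=r-x nerd=rwx kungfu=r-x other_ok=yes
acl_report "$KUNG_CAN"       # tech=r-x nerd=rwx kungfu=rwx other_ok=yes
acl_report "$NAS2_CHMODDED"  # tech=r-x nerd=r-x kungfu=r-x other_ok=yes
```

On a live system feed it the real output, e.g. acl_report "$(getfacl /nas2)"; if nerd shows r-x while the entry says rwx, restore the mask with setfacl -m m::rwx /nas2 rather than re-adding the group entry.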

Definition Default ACL

Default ACLs can only be set on directories. They determine the ACL a new
file or subdirectory inherits from its parent directory at creation time.
They do not change objects that already exist, which is why the commands
above set the access ACL with -R as well as the default ACL with -d.