Problem Set ACL Samba Share NS8

Support
1

Hi i problem to set ACL to a Samba Shared Folder in NS8.
In the WebUI:

image
image927×375 17.3 KB

The group “test” has full control, but the user member of that group can’t delete file or folder we receive “Access Denied” if i do this command:
image
image940×222 27.6 KB

The group test of the domain “test.com” has “FULL CONTROL” and in fact i can delete the folder but only in the current directory and not in sub-directories, as you can see in the screenshoot below:
image
image939×227 25.5 KB

Here we don’t have the FULL control on this sub-directories as you can see.
Reading the man page of the command “smbcalcs” for add ACL in the folder,subfolder the command should be this but it not working:

smbcacls //192.168.0.5/Archivio / -U test.com\\Administrator -a "ACL:TEST\\test:ALLOWED/OI|CI|I/FULL"
2

The double backslash isn’t needed in the ACL. This one worked in my test:

smbcacls //192.168.3.144/testfolder /testfolder2 -U ns8test\\Administrator -a "ACL:NS8TEST\marketing:ALLOWED/OI|CI|I/FULL"
3

Hi @mrmarkuz i make a typo…yes the right syntax is this one:

smbcacls //IP_Address_Server/Shared_Folder_Name / -U test.com\\Administrator -a
"ACL:TEST\test:ALLOWED/OI|CI|I/FULL"

But the problem is that the command set the ACL only for the new folder/file and not replace the existing one as you can see on the screenshot below:

2025-04-24_08-07
2025-04-24_08-071651×534 64.8 KB

And i found this one on another forum:

At present, smbcacls lacks the ability the recursively set permissions through a file tree. If you don’t have a windows PC available to configure permissions when setting up your CIFS shares, you can use smbcacls to add the required access control entries prior to copying data.

I think the only solution is using a windows client or the command “icacls”

4

You could use getfacl and setfacl, see also Setting up a Share Using Windows ACLs - SambaWiki

Enter environment:

runagent -m samba1

Enter container:

podman exec -ti samba-dc bash

Example to get ACLs

getfacl /srv/shares/myshare

setfacl allows to recursively set ACLs, see also https://linux.die.net/man/1/getfacl

5

I use the command to get the ACLs on the “Archivio” Shared Folder but i dont see the group of the AD Domain i see only these permission:

image
image513×201 4.57 KB

6

I deploy a W11vm and join the samba DC Domain, and change the permission from Explorer.
Thanks.

1 Like
7

Only shares migrated from NS7 still use Posix ACLs.

However setfacl can’t work with NS8 shares because they do not use Posix ACLs any more. Instead, NS8 shares store Windows ACLs in a dedicated extended attribute.

1 Like