Samba4 share can't change ACL of subdirectories with Windows 7


(Axel Urbanski) #1

NethServer Version: 73.1611 all updates including 5th july 2017
Module: Samba 4 fileserver and AD


I can not change the ACLs of a sub directory with Windows 7 (Ultimate 64-bit). The ACLs from the web config are there and new directories use them, so getfacl and Windows Explorer are okay.
The changes will be lost (or ignored); sometimes Windows tells the user he has no right to change the rights and users.

If I change the rights and users via the web, the new sub dir has this ACL. I think the filesystem and Samba know ACLs. The Windows 7 PC is an AD member and the user is the AD admin.

Same problem with a fresh installation.

It sounds like this bug, but from the Windows 7 side.

Does anyone have an idea?

thx axel

My file server smb.conf:

# 10base
# (section headers were missing from the pasted copy; they are restored here
#  as assumptions based on each block's comments)
[global]
workgroup = SBS
server string = NethServer 7.3.1611 Final (Samba %v)
security = ADS
kerberos method = secrets and keytab
netbios name = NETH

# test reg support
include = registry

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50

# Only bind to allowed NIC's
bind interfaces only = yes
interfaces =
hosts allow =

# Idle time before disconnecting the client
deadtime = 10080

# Alias NETBIOS names, used to provide access to Samba via multiple hostnames
netbios aliases =

; WINS setup (other server)
wins server =
remote announce =
remote browse sync =

; Guest access (#1882). Shares must be guest-ok, to allow it.
map to guest = Bad User

; create home dirs if missing (#5090)
obey pam restrictions = yes

# SambaAudit configuration
full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
full_audit:success = read write open unlink mkdir rmdir rename chmod
full_audit:failure = read write open unlink mkdir rmdir rename chmod
full_audit:facility = LOCAL7
full_audit:priority = INFO

printing = cups
printcap name = cups

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
use client driver = yes

; Home directories
[homes]
comment = Home directories
browseable = no
writable = yes
create mode = 0660
force create mode = 0660
directory mode = 0770
force directory mode = 0770

; Added to support printer drivers download
; This share is writable according to Unix file permissions
[print$]
comment = Printer drivers
path = /var/lib/nethserver/print_driver
guest ok = yes
browseable = yes
writable = no

[profiles]
comment = roaming
browsable = no
path = /data/profiles
read only = no
store dos attributes = yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable

# 10base -- ibay neth-alle definition.
#           Required profile is ""
#           Applied profile is "default"
[neth-alle]
path = /var/lib/nethserver/ibay/neth-alle
comment = für alle angemeldeten user
# 20profile_default:
read only            = no
inherit permissions  = yes
; Add group write bit to default create mask, remove DOS archive bit (see below) #2039
create mask          = 0664
inherit owner        = yes
; Use extended attribute to store DOS attributes (see man page)
store dos attributes = yes
map archive          = no
map readonly         = no
inherit acls         = yes
map acl inherit      = yes
guest ok             = no
browseable           = yes

# 90vfs_output
vfs objects = recycle
recycle: exclude_dir = /tmp,/temp,/cache
recycle: repository = Recycle Bin
recycle: versions = True
recycle: keeptree = True
recycle: touch = True
recycle: directory_mode = 0770
recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*

(Michael Träumner) #2

Let’s ask @davidep too for this problem.

(Axel Urbanski) #3

thx Michael

(Davide Principi) #4

Confirmed, ACL cannot be changed from windows clients ATM.

However, see also this topic:

(Axel Urbanski) #5

Hello David,

Sounds good! Will it be in testing first? Or will you make an update?
It was a hard job to change all the ACLs by hand with the setfacl command.

thx axel

(Davide Principi) #6

It’s not on my list, by now. If Kerberos auth is good for your environment and it does not require NTLM at all, it’s safe to apply the suggested workaround by hand.

(Axel Urbanski) #7

Hello David,
I will try it :-). But for a small biz server it's better when it runs from a fresh install. With NTLM it's too far from easy using.

On my side the difference between NTLM and Kerberos from the AD/file server is not clear.

(Davide Principi) #8

Both NTLM and Kerberos provide authentication methods. In short:

The Microsoft Kerberos security package adds greater security than NTLM to systems on a network.

AFAIK Kerberos is not available on Windows Home edition. Moreover, NTLM is still widely used by many network appliances (scanner/printers, nas…). For this reason the current approach is to have NTLM enabled and set ACLs from server manager, or by setfacl command.

(Axel Urbanski) #9

Thx a lot. I spent 4 days trying it with NTLM. It can be helpful to include it in the documentation.

(NZs) #10

Try this:

create a new file like this:

;acl support
vfs object = acl_xattr

then reconfigure and restart samba:
config setprop smb Libwbclient sssd
signal-event nethserver-samba-update

(NZs) #11

and if you use audit, you have to do this too:

$OUT = "";
$ibay_vfs->{acl_xattr} = "";
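The share in the first post (neth-alle) loads only the recycle VFS module, and the workaround in this thread is to add acl_xattr. As an added example (not from the thread or from NethServer), this Python snippet audits an smb.conf for file shares whose effective `vfs objects` list lacks acl_xattr and builds the corrected line; the configuration text inside it is a constructed sample modelled on the posted file, and the share name "projekte" is invented.

```python
SAMPLE_SMB_CONF = """# constructed sample modelled on the smb.conf above, not the real file
[global]
   workgroup = SBS
   security = ADS
[neth-alle]
   path = /var/lib/nethserver/ibay/neth-alle
   map acl inherit = yes
   vfs objects = recycle
[projekte]
   path = /srv/projekte
   vfs objects = acl_xattr recycle
[printers]
   path = /var/spool/samba
   printable = yes
"""
SPECIAL_SECTIONS = {"global", "printers", "homes", "print$"}

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; '#'/';' lines are
    comments, keys are lower-cased with inner whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def vfs_modules(sections, share):
    """Effective 'vfs objects' list for a share (share value, else [global])."""
    opts, glob = sections[share], sections.get("global", {})
    value = opts.get("vfs objects", opts.get("vfs object", glob.get("vfs objects", "")))
    return value.split()

def shares_missing_acl_xattr(text):
    """File shares that do not load acl_xattr (printer shares are skipped)."""
    sections = parse_smb_conf(text)
    return [name for name, opts in sections.items()
            if name not in SPECIAL_SECTIONS
            and opts.get("printable", "no").lower() != "yes"
            and "acl_xattr" not in vfs_modules(sections, name)]

def fixed_vfs_line(text, share):
    """'vfs objects' line that adds acl_xattr but keeps the share's other modules."""
    keep = [m for m in vfs_modules(parse_smb_conf(text), share) if m != "acl_xattr"]
    return "vfs objects = " + " ".join(["acl_xattr"] + keep)
```

Run it against the output of `testparm -s` rather than the template fragments, so that registry includes and global defaults are already resolved.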