Samba Ignoring POSIX ACLs
Solution 1:
Coming late to this question, I'd still like to point to the official Samba documentation for support of ACLs. This is valid for Samba 4.0.0 onwards, which certainly was not available at the time this question got asked. But since the question pops up in search engines, this link might be helpful.
The basic steps are:
1. Ensure the file system supports acls (ext4 nowadays does by default, no need for extra mount options)
2. Ensure Samba was compiled with ACL support. (Yes, by default on Ubuntu 14.04 LTS):
smbd -b | grep HAVE_LIBACL
3. Enable ACL by setting the following in the [global] section of /etc/samba/smb.conf:
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
For details really visit the official docs as linked to above.
Solution 2:
That's because force user, force group, create mask and directory mask enforce use of traditional unix style permissions which can't be combined with inheriting ACLs.
Your default ACLs must reside at filesystem level on the folder, not on the samba share itself, for inheritance to work, but be aware that contradictory permissions will always deny access, e.g. when a user has permission as user but not as group, samba will disallow access when using ACLs (which seems to me like a bug), e.g.: the user nobody is a member of nogroup, then the ACLs need to allow nobody & nogroup write permission, otherwise write access is denied. Only samba behaves this way!
A possible way to create a folder with inheriting default permissions could be:
me@myHost:/shares$ getfacl myShare/
# file: myShare/
# owner: JohnDoe
# group: domain\040users
user::rwx
group::rwx #effective:r-x
group:domain\040users:rwx #effective:r-x
group:domain\040admins:rwx #effective:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
The section with the default:* values is the interesting part for inheritance because any new file or folder will get these when created inside the myShare folder. See the setfacl man page for details of setting default: values on a file or folder. Now the problem with using create mask or directory mask on a folder with default: ACLs set is that samba will then override these default values, and in most cases these mask statements are only useful as long as you want the whole folder and its files to contain only a single owner and group. ACLs are harder to configure but offer much more flexibility, as usual on Windows machines.
For samba to honor these default:*:: permissions, inherit acls needs to be set in the [global] section:
[global]
; Important if ACLs (eg: setfacl) contain default entries
; which samba honors only if this is set to 'yes'.
inherit acls = yes
[...]
[myShare]
comment = Put your files here
path = /shares/myShare
writeable = yes
This would allow a share where everyone can write to the share ... but (!) that doesn't necessarily mean that it's allowed at filesystem level, because the myShare folder just allows domain users. Anyway, for the paranoid, the share permissions can be narrowed by allowing only specific groups:
write list = @"domain users"
which implies writeable = yes but only for groups defined in write list. Ensure that permissions on share and on folder are free of contradictions, e.g.:
write list = @"other group"
would allow other group to write to the share, but since the myShare folder allows only domain users to write, it would obviously fail.
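A small ACL audit to go with the answer above. This is an added example, not code from the answer or from Samba: it parses a getfacl dump, shows which access entries the mask silently cuts down (the `#effective:` notes), shows what the default:* entries will hand to new children, and checks an account's write permission twice, once with the standard POSIX rule from acl(5) and once with the stricter "every matching entry must allow it" rule the answer reports for Samba. The sample dump is constructed (the answer's share, but with an access mask of r-x so the masking is visible), and the strict check models the answer's report rather than Samba's documented algorithm.

```python
"""Audit a getfacl(1) dump: mask effects, inherited defaults, and whether an
account gets write through its matching entries.  Sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed sample: like the answer's share, but with an access mask of r-x.
# getfacl escapes the space in "domain users" as the octal sequence \040.
SAMPLE_GETFACL = r"""
# file: myShare/
# owner: JohnDoe
# group: domain\040users
user::rwx
group::rwx                      #effective:r-x
group:domain\040users:rwx       #effective:r-x
group:domain\040admins:rwx      #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:group:domain\040users:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
READ, WRITE, EXEC = 4, 2, 1


def perm_to_bits(s):  # 'rwx' -> 7, 'r-x' -> 5
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def bits_to_perm(b):  # 5 -> 'r-x'
    return "".join(c if b & v else "-" for c, v in PERM_BITS.items())


def unescape(qualifier):  # undo getfacl's \NNN octal escaping
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), qualifier)


@dataclass(frozen=True)
class AclEntry:
    default: bool    # True for a default:* entry (inherited by new children)
    tag: str         # user, group, mask or other
    qualifier: str   # '' for the owner, owning group, mask and other entries
    perms: int       # requested bits, before the mask is applied


def parse_getfacl(text):
    entries = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                         # header comment lines
        line = raw.split("#", 1)[0].strip()  # drop '#effective:...' notes
        if not line:
            continue
        parts = line.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        tag, qualifier, perms = parts[0], ":".join(parts[1:-1]), parts[-1]
        entries.append(AclEntry(default, tag, unescape(qualifier), perm_to_bits(perms)))
    return entries


def effective(entries, default=False):
    """{(tag, qualifier): effective bits} for the access or the default set.
    Per acl(5) the mask limits named users, the owning group and named groups,
    but not the owner entry or 'other'."""
    subset = [e for e in entries if e.default == default]
    mask = next((e.perms for e in subset if e.tag == "mask"), 7)
    out = {}
    for e in subset:
        if e.tag == "mask":
            continue
        limited = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        out[(e.tag, e.qualifier)] = e.perms & mask if limited else e.perms
    return out


def masked_down(entries, default=False):
    """(tag, qualifier, requested, effective) for entries the mask weakens."""
    eff = effective(entries, default)
    out = []
    for e in entries:
        if e.default != default or e.tag == "mask":
            continue
        got = eff[(e.tag, e.qualifier)]
        if got != e.perms:
            out.append((e.tag, e.qualifier, bits_to_perm(e.perms), bits_to_perm(got)))
    return out


def matching(entries, owner, owning_group, user, groups, default=False):
    """Effective bits of the entries that apply to an account:
    (user entry or None, [group entries], other entry)."""
    eff = effective(entries, default)
    user_bits = eff[("user", "")] if user == owner else eff.get(("user", user))
    group_bits = [eff[("group", "")]] if owning_group in groups else []
    group_bits += [b for (tag, q), b in eff.items() if tag == "group" and q and q in groups]
    return user_bits, group_bits, eff[("other", "")]


def posix_allows(entries, owner, owning_group, user, groups, want, default=False):
    """Standard POSIX rule: owner entry, else named user, else any matching
    group entry that grants the permission, else 'other'."""
    user_bits, group_bits, other = matching(entries, owner, owning_group, user, groups, default)
    if user_bits is not None:
        return user_bits & want == want
    if group_bits:
        return any(b & want == want for b in group_bits)
    return other & want == want


def strict_allows(entries, owner, owning_group, user, groups, want, default=False):
    """Stricter rule the answer reports for Samba (an assumption modelling that
    report, not Samba's documented algorithm): every entry that applies to the
    account must grant the permission."""
    user_bits, group_bits, other = matching(entries, owner, owning_group, user, groups, default)
    applicable = ([user_bits] if user_bits is not None else []) + group_bits
    return all(b & want == want for b in (applicable or [other]))


def setfacl_spec(entries, default=True):
    """Comma-separated spec for `setfacl -m`, e.g. to copy the default entries
    onto another directory: setfacl -m "<spec>" /path/to/dir."""
    short = {"user": "u", "group": "g", "mask": "m", "other": "o"}
    return ",".join(f"{'d:' if e.default else ''}{short[e.tag]}:{e.qualifier}:{bits_to_perm(e.perms)}"
                    for e in entries if e.default == default)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for tag, q, want, got in masked_down(acl):
        print(f"mask cuts {tag}:{q} from {want} to {got}")
    for user, groups in [("JohnDoe", ["domain users"]), ("nobody", ["nogroup"])]:
        print(user, "write posix:", posix_allows(acl, "JohnDoe", "domain users", user, groups, WRITE),
              "strict:", strict_allows(acl, "JohnDoe", "domain users", user, groups, WRITE))
    print("setfacl -m", repr(setfacl_spec(acl)))
```

With the constructed dump, JohnDoe passes the POSIX check (owner entry rwx) but fails the strict one because the owning-group and named-group entries are masked down to r-x, which is exactly the "permission as user but not as group" contradiction the answer warns about; nobody matches no entry and falls through to other::r-x, so it gets no write either way. The default set has a mask of rwx, so new children inherit unmasked rwx for both groups.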