1.9. Setting up a share that uses Windows ACLs
Samba supports setting Windows ACLs on shares and file system objects.
This feature enables you to:
- Use the fine-granular Windows ACLs
- Manage share permissions and file system ACLs using Windows
Alternatively, you can configure a share to use POSIX ACLs. For details, see Setting up a Samba file share that uses POSIX ACLs.
Parts of this section were adopted from the Setting up a Share Using Windows ACLs documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
1.9.1. Granting the SeDiskOperatorPrivilege privilege
Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure permissions on shares that use Windows ACLs.
Procedure
1. Grant the SeDiskOperatorPrivilege privilege. For example, to grant the SeDiskOperatorPrivilege privilege to the DOMAIN\Domain Admins group:

    # net rpc rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -U "DOMAIN\administrator"
    Enter DOMAIN\administrator's password:
    Successfully granted rights.

   Note: In a domain environment, grant SeDiskOperatorPrivilege to a domain group. This enables you to centrally manage the privilege by updating a user's group membership.

2. To list all users and groups having SeDiskOperatorPrivilege granted:

    # net rpc rights list privileges SeDiskOperatorPrivilege -U "DOMAIN\administrator"
    Enter administrator's password:
    SeDiskOperatorPrivilege:
      BUILTIN\Administrators
      DOMAIN\Domain Admins
1.9.2. Enabling Windows ACL support
To configure shares that support Windows ACLs, you must enable this feature in Samba.
Prerequisites
- A user share is configured on the Samba server.
Procedure
1. To enable it globally for all shares, add the following settings to the [global] section of the /etc/samba/smb.conf file:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

   Alternatively, you can enable Windows ACL support for individual shares by adding the same parameters to a share's section instead.

2. Restart the smb service:

    # systemctl restart smb
1.9.3. Adding a share that uses Windows ACLs
You can create a share named example that shares the content of the /srv/samba/example/ directory and uses Windows ACLs.
Procedure
1. Create the folder if it does not exist. For example:

    # mkdir -p /srv/samba/example/

2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

    # semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"
    # restorecon -Rv /srv/samba/example/

3. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled:

    [example]
    path = /srv/samba/example/
    read only = no

   Note: Regardless of the file system ACLs, if you do not set read only = no, Samba shares the directory in read-only mode.

4. If you have not enabled Windows ACL support in the [global] section for all shares, add the following parameters to the [example] section to enable this feature for this share:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

5. Verify the /etc/samba/smb.conf file:

    # testparm

6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

    # firewall-cmd --permanent --add-service=samba
    # firewall-cmd --reload

7. Restart the smb service:

    # systemctl restart smb
To manage share permissions and file system ACLs on a Samba share that uses Windows ACLs, use a Windows application, such as Computer Management. For details, see the Windows documentation. Alternatively, use the smbcacls utility to manage ACLs.
To modify the file system permissions from Windows, you must use an account that has the SeDiskOperatorPrivilege privilege granted.
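Because the three parameters from Sections 1.9.2 and 1.9.3 may live in [global] or in the share's own section, it is easy to leave a share half-configured. The following script is an added example, not from the Samba or Red Hat documentation: it reads an smb.conf-style file (a constructed sample is embedded) and reports whether vfs objects includes acl_xattr and map acl inherit and store dos attributes are yes for a given share, with share settings overriding [global] as Samba does. The function names smb_effective and check_windows_acls are the example's own.

```shell
# Added example (not from the Samba or Red Hat docs): check whether a share has all
# three Windows ACL parameters in effect, from [global] or from its own section.
# Print the effective value of PARAM for SHARE from the smb.conf-style file CONF.
smb_effective() {  # usage: smb_effective CONF SHARE PARAM
    awk -v share="$2" -v param="$3" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) != tolower(param)) next
            if (sec == "global") g = val
            if (sec == share) s = val
        }
        END { print (s != "" ? s : g) }
    ' "$1"
}
# Return 0 when Windows ACLs are fully enabled for SHARE, 1 otherwise; report what is off.
check_windows_acls() {  # usage: check_windows_acls CONF SHARE
    rc=0
    case " $(smb_effective "$1" "$2" "vfs objects") " in
        *" acl_xattr "*) ;;
        *) echo "$2: vfs objects does not include acl_xattr"; rc=1 ;;
    esac
    for p in "map acl inherit" "store dos attributes"; do
        v=$(smb_effective "$1" "$2" "$p")
        case "$v" in
            [Yy]es|[Tt]rue|1) ;;
            *) echo "$2: '$p' is '${v:-unset}', expected yes"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample smb.conf: [global] enables the feature, [example] inherits it,
# [broken] switches map acl inherit back off in its own section.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
[example]
    path = /srv/samba/example/
[broken]
    path = /srv/samba/broken/
    map acl inherit = no
EOF
check_windows_acls "$SAMPLE_CONF" example && echo "example: Windows ACLs enabled"
check_windows_acls "$SAMPLE_CONF" broken || echo "broken: Windows ACLs not fully enabled"
```

The script only reads the file as written; testparm -s prints the configuration Samba actually loads, including defaults and included files, and is the authoritative check on a live server.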