When integrating Samba 3 with Active Directory, many administrators discover that native POSIX ACLs (rwx permissions) don't fully map to Windows' rich permission model. While basic read/write/execute permissions work fine, advanced Windows ACL features like:
- Modify permission (combining read+write+execute+delete)
- Full Control (including permission modification rights)
- Special permissions (traverse folder/execute file, delete subfolders/files)
...are either approximated or completely unavailable when using standard POSIX ACLs.
To store and enforce Windows ACLs faithfully instead of approximating them, you need:
1. A filesystem that stores extended attributes (xattrs) and ACLs, mounted with both enabled where the filesystem requires a mount option
2. Either ZFS exposing NFSv4 ACLs (FreeBSD, Solaris/illumos), used through vfs_zfsacl, or a POSIX-ACL filesystem such as XFS or ext4, used through vfs_acl_xattr, which keeps the full NT security descriptor in the security.NTACL xattr and derives a POSIX ACL from it. ZFS on Linux exposes POSIX ACLs only (acltype=posixacl), so it belongs in the second group, not the first
3. Samba built with ACL support (the --with-acl-support configure option; smbd -b | grep -i acl shows whether the running binary has it)
4. An smb.conf that loads exactly one of those two modules and matches the filesystem
Here's a minimal smb.conf configuration for a ZFS dataset with NFSv4 ACLs (on Linux, or on any POSIX-ACL filesystem, replace zfsacl with acl_xattr and drop the nfs4: parameters):
    [global]
        workgroup = YOURDOMAIN
        security = ads
        realm = YOUR.REALM
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind use default domain = yes
        # Load one NT ACL module only: zfsacl for native ZFS/NFSv4 ACLs, or
        # acl_xattr for POSIX-ACL filesystems. Stacking both is redundant:
        # acl_xattr answers the NT ACL calls first, and zfsacl underneath it
        # no longer decides what is stored.
        vfs objects = zfsacl
        map acl inherit = yes
        store dos attributes = yes
        # vfs_zfsacl parameters; simple is the recommended mode, special is
        # deprecated
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
    [share]
        path = /path/to/zfs/share
        read only = no
        nt acl support = yes
        inherit acls = yes
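A stacked-module line or a deprecated nfs4:mode value is easy to miss by eye in a long smb.conf. The following is an added Python example, not part of Samba or of the original article: a small smb.conf reader plus checks for the settings discussed above. The reader, the check list and the two constructed sample configurations are mine; the parameter names and the Samba 3 defaults they are compared against are the real ones.

```python
"""Lint an smb.conf for the Windows-ACL settings discussed above.

Added example, not Samba code: a small smb.conf reader plus checks for
settings that weaken or break NT ACL storage. The sample configs below
are constructed for the example; nothing here talks to a running smbd.
"""
import re
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]


def parse_smb_conf(text: str) -> Sections:
    """Parse smb.conf into {section: {parameter: value}}.

    Samba treats parameter names case-insensitively and ignores internal
    whitespace, so keys are normalised to lower case, single-spaced.
    Lines starting with '#' or ';' are comments; smb.conf has no inline comments.
    """
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def effective(sections: Sections, share: str, param: str, default: str = "") -> str:
    """A share-level value overrides [global], as smbd resolves it."""
    return sections.get(share, {}).get(
        param, sections.get("global", {}).get(param, default))


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def lint_share(sections: Sections, share: str) -> List[str]:
    """Return findings for one share; an empty list means nothing to fix."""
    findings = []
    vfs = effective(sections, share, "vfs objects").lower().split()
    zfsacl, acl_xattr = "zfsacl" in vfs, "acl_xattr" in vfs
    if not (zfsacl or acl_xattr):
        findings.append(f"[{share}] no NT ACL storage module: load zfsacl "
                        "(ZFS with NFSv4 ACLs) or acl_xattr")
    if zfsacl and acl_xattr:
        findings.append(f"[{share}] zfsacl and acl_xattr both loaded: acl_xattr "
                        "answers the NT ACL calls first; load only the module "
                        "that matches the filesystem")
    if zfsacl and effective(sections, share, "nfs4:mode", "simple").lower() == "special":
        findings.append(f"[{share}] nfs4:mode = special is deprecated; use simple")
    if not is_yes(effective(sections, share, "nt acl support", "yes")):
        findings.append(f"[{share}] nt acl support = no: Windows ACLs are not stored at all")
    if not is_yes(effective(sections, share, "store dos attributes", "no")):
        findings.append(f"[{share}] store dos attributes is off (the Samba 3 default): "
                        "DOS attributes are faked from the mode bits")
    return findings


def lint(text: str) -> Dict[str, List[str]]:
    """Lint every share section of an smb.conf text."""
    sections = parse_smb_conf(text)
    return {name: lint_share(sections, name)
            for name in sections if name not in ("global", "homes", "printers")}


# Constructed sample: the stacked-module, special-mode variant ...
WEAK_CONF = """\
[global]
    security = ads
    vfs objects = acl_xattr zfsacl
    map acl inherit = yes
    store dos attributes = yes
    nfs4:mode = special
    nfs4:acedup = merge
[share]
    path = /path/to/zfs/share
    read only = no
"""

# ... and the corrected one: a single module and the recommended nfs4:mode.
GOOD_CONF = WEAK_CONF.replace("acl_xattr zfsacl", "zfsacl").replace("special", "simple")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(label, lint(conf))
```

Run it against a real smb.conf with `lint(open("/etc/samba/smb.conf").read())`; the checks compare against Samba 3 defaults, so a parameter that is absent is judged by what smbd would assume, not treated as unknown.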
After restarting Samba, verify Windows ACL support with these commands:
# Show the on-disk ACL (NFSv4 entries on FreeBSD ZFS, POSIX entries elsewhere;
# with acl_xattr the authoritative copy is the security.NTACL xattr and getfacl
# shows only the POSIX ACL derived from it)
getfacl /path/to/share
# Confirm which VFS modules the share actually loads (smbstatus does not show this)
testparm -s | grep -i 'vfs objects'
# Dump the NT ACL as Windows will see it; OI|CI on a folder's entries means
# files and subfolders inherit them, I marks an entry that was itself inherited
smbcacls //server/share folder -U administrator
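To make the smbcacls step concrete, here is an added Python example that is not Samba's code and not part of the original article: it parses the ACL: lines of smbcacls output and checks that a user's entry on a folder carries OI|CI and grants at least CHANGE, the mask Windows calls Modify. The sample output, including the SID, is constructed; the FULL/CHANGE/READ names, the R W X D P O letters and the OI/CI/NP/IO/I flags are the ones smbcacls prints.

```python
"""Check a folder's NT ACL as returned by smbcacls.

Added example, not part of Samba: a parser for smbcacls' ACL: lines and a
check that a user's entry on a folder is at least CHANGE (Windows' Modify)
and carries OI|CI, so new files and subfolders inherit it. The sample
output is constructed, SID included.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Masks exactly as smbcacls names them: three standard masks, six letters.
STANDARD = {"READ": 0x001200A9, "CHANGE": 0x001301BF, "FULL": 0x001F01FF}
LETTERS = {"R": 0x00120089, "W": 0x00120116, "X": 0x001200A0,
           "D": 0x00010000, "P": 0x00040000, "O": 0x00080000}
# ACE inheritance flags and their bit values, for output in hex form.
FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "I": 0x10}


@dataclass(frozen=True)
class Ace:
    trustee: str
    kind: str               # ALLOWED or DENIED
    flags: FrozenSet[str]   # subset of FLAGS
    mask: int


def decode_mask(text: str) -> int:
    """'FULL' -> 0x1f01ff, 'RWXD' -> 0x1301bf, '0x00010000' -> 0x10000."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if text in STANDARD:
        return STANDARD[text]
    mask = 0
    for letter in text:
        mask |= LETTERS[letter]     # KeyError: not something smbcacls prints
    return mask


def decode_flags(text: str) -> FrozenSet[str]:
    """'OI|CI|I' -> {OI, CI, I}; '0x0' -> empty; other hex is decoded bitwise."""
    if text.lower().startswith("0x"):
        value = int(text, 16)
        return frozenset(n for n, bit in FLAGS.items() if value & bit)
    return frozenset(text.split("|")) if text else frozenset()


def parse_smbcacls(output: str) -> List[Ace]:
    """Keep only ACL: lines; REVISION/CONTROL/OWNER/GROUP are not needed here."""
    aces = []
    for line in output.splitlines():
        if not line.startswith("ACL:"):
            continue
        # Neither DOMAIN\user nor S-1-5-... contains ':', so the last ':'
        # separates the trustee from TYPE/FLAGS/MASK.
        trustee, _, rest = line[len("ACL:"):].rpartition(":")
        kind, flags, mask = rest.split("/")
        aces.append(Ace(trustee, kind, decode_flags(flags), decode_mask(mask)))
    return aces


def check_folder_ace(aces: List[Ace], trustee: str,
                     required: int = STANDARD["CHANGE"]) -> List[str]:
    """Problems with `trustee`'s access to a folder; an empty list means OK."""
    problems = []
    allowed = [a for a in aces if a.trustee == trustee and a.kind == "ALLOWED"]
    if not allowed:
        return [f"{trustee}: no ALLOWED ACE"]
    granted = 0
    for ace in allowed:
        granted |= ace.mask
        missing = {"OI", "CI"} - ace.flags
        if missing:
            problems.append(f"{trustee}: ACE lacks {'|'.join(sorted(missing))}, "
                            "so new files/subfolders will not inherit it")
    if granted & required != required:
        problems.append(f"{trustee}: granted 0x{granted:08x}, need 0x{required:08x} "
                        f"(missing 0x{required & ~granted:08x})")
    for ace in aces:
        # An explicit deny wins over an allow for every bit it covers.
        if ace.trustee == trustee and ace.kind == "DENIED" and ace.mask & required:
            problems.append(f"{trustee}: DENIED ACE removes 0x{ace.mask & required:08x}")
    return problems


# Constructed smbcacls output for a folder; the SID is made up.
SAMPLE = """\
REVISION:1
CONTROL:SR|DI|DP
OWNER:DOMAIN\\Administrator
GROUP:DOMAIN\\Domain Users
ACL:DOMAIN\\Administrator:ALLOWED/OI|CI/FULL
ACL:DOMAIN\\testuser:ALLOWED/OI|CI/CHANGE
ACL:DOMAIN\\auditor:ALLOWED/0x0/READ
ACL:S-1-5-21-1111111111-2222222222-3333333333-1105:ALLOWED/OI|CI|I/0x001200a9
"""

if __name__ == "__main__":
    aces = parse_smbcacls(SAMPLE)
    for who in ("DOMAIN\\testuser", "DOMAIN\\auditor"):
        print(who, check_folder_ace(aces, who) or "OK")
```

Feed it real output with `parse_smbcacls(subprocess.check_output([...], text=True))`; the auditor entry in the sample shows the two failures you most often see after setting permissions by hand: an entry with no inheritance flags, and a mask one level below what the user was promised.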
Let's create a PowerShell script to demonstrate proper permission assignment. Run it from a domain-joined Windows machine as an account that already holds Full Control on the share (the administrator used in the smbcacls test above):
    # PowerShell ACL script for Samba share
    $sharePath = "\\sambaserver\share"
    $user = "DOMAIN\testuser"
    $acl = Get-Acl -Path $sharePath
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $user,
        "Modify",                          # read, write, execute and delete; not Full Control, which adds permission and owner changes
        "ContainerInherit,ObjectInherit",  # subfolders and files inherit the entry
        "None",                            # and this folder itself is covered too
        "Allow"
    )
    $acl.SetAccessRule($accessRule)
    # Set-Acl writes back the owner and group it read together with the DACL,
    # so the server has to accept that owner write as well (see nfs4:chown above).
    Set-Acl -Path $sharePath -AclObject $acl
If permissions don't work as expected:
- Verify the dataset's ACL properties. aclmode should be passthrough, otherwise a plain chmod on a file discards or masks the Windows ACEs; on Linux, acltype must be posixacl or acl_xattr has no POSIX ACL to write:
zfs get aclmode,aclinherit yourpool/share
- Check xattr support on the share's filesystem (the NT ACL and the DOS attributes are stored in xattrs):
setfattr -n user.test -v testvalue /path/to/testfile
- Raise the Samba log level and confirm in log.smbd that the share's VFS modules were loaded; a misspelled module in vfs objects fails the connection to the share rather than silently falling back to POSIX
- Test with smbcacls from the server before using Windows Explorer; it shows the ACE type, inheritance flags and mask exactly as Samba returns them, without Explorer's translation into basic permissions
When integrating Samba 3 with Active Directory, many administrators hit a wall with permission granularity. Basic POSIX ACLs (rwx) are enough for simple cases, but Windows environments expect the finer-grained basic permissions such as Modify or Full Control, which do not map cleanly onto Unix mode bits or POSIX ACL entries.
To support Windows ACLs properly, your system needs:
- A filesystem that stores extended attributes (xattrs)
- Samba built with ACL support (the --with-acl-support configure option)
- A matching smb.conf configuration
- Kernel-level ACL support for that filesystem, enabled at mount time where the filesystem requires it
For production systems, ZFS with NFSv4 ACLs (FreeBSD, Solaris/illumos) provides excellent Windows ACL support via its native ACL implementation, which vfs_zfsacl maps onto the NT ACL almost one-to-one. Here's a sample configuration:
    # smb.conf excerpt
    [shared]
        path = /pool/share
        vfs objects = zfsacl
        nfs4:mode = simple
        nfs4:acedup = merge
        nfs4:chown = yes
        map acl inherit = yes
For non-ZFS filesystems (and for ZFS on Linux, which exposes only POSIX ACLs), store the NT security descriptor in an xattr with vfs_acl_xattr. The filesystem must be mounted with ACLs enabled (plus user_xattr on ext3/ext4; XFS has both on by default):
    # Required smb.conf parameters
    [global]
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
    # Filesystem preparation: strip any existing POSIX ACL entries so stale
    # entries do not override the ACL Samba derives from the stored NT ACL.
    # Do not use chattr +a here: an append-only directory rejects deletes and
    # renames no matter what the Windows ACL grants.
    setfacl -R -b /shared_folder
The key to proper Windows ACL emulation lies in understanding how the Windows basic permissions decompose, and which of their bits POSIX cannot grant per user. The bit names below are the NFSv4/ZFS ACE permission names, which map one-to-one onto the Windows access-mask bits:
Windows permission (access mask) | POSIX approximation | Bits POSIX cannot express on their own
---|---|---
Full Control (0x001F01FF) | rwx | write_acl, write_owner, delete_child: POSIX ties changing permissions and owner to owning the file, and deleting children to w on the directory
Modify (0x001301BF) | rwx | delete, write_attributes: POSIX decides delete by w on the parent directory and attribute changes by ownership, not per user
Read & Execute (0x001200A9) | r-x | none; read_attributes, read_xattr and read_acl are implied for anyone who can reach the file under POSIX
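To show that lossiness for any mask rather than only the three rows above, here is an added Python example, not Samba code and not from the original article: it decodes a Windows access mask into the basic permission Explorer shows, the rwx triple a POSIX ACL entry can carry, and the bits the triple drops. The bit values are the Windows file access-mask bits; which rights POSIX covers with r, w and x, and which it grants to anyone who can reach the path, is my reading of POSIX semantics and is spelled out in the COVERED and ALWAYS constants.

```python
"""Show what a Windows access mask loses when squeezed into POSIX rwx.

Added example, not Samba code. The bit values are the documented Windows
file access-mask bits; the names are the NFSv4/ZFS ACE permission names,
which map one-to-one onto them. A bit is 'lost' when POSIX cannot grant
it per user: it ties the right to file ownership or to 'w' on the parent.
"""
from typing import List, Tuple

BITS = [  # (bit, NFSv4 name), low to high
    (0x00000001, "read_data"), (0x00000002, "write_data"),
    (0x00000004, "append_data"), (0x00000008, "read_xattr"),
    (0x00000010, "write_xattr"), (0x00000020, "execute"),
    (0x00000040, "delete_child"), (0x00000080, "read_attributes"),
    (0x00000100, "write_attributes"), (0x00010000, "delete"),
    (0x00020000, "read_acl"), (0x00040000, "write_acl"),
    (0x00080000, "write_owner"), (0x00100000, "synchronize"),
]
NAME = {name: bit for bit, name in BITS}

# The basic permissions Explorer shows, as access masks.
BASIC = [("Full Control", 0x001F01FF), ("Modify", 0x001301BF),
         ("Read & Execute", 0x001200A9), ("Read", 0x00120089),
         ("Write", 0x00100116)]

# Assumption about POSIX semantics: stat, getfacl and handle synchronisation
# need only a reachable path, so these never count as lost ...
ALWAYS = NAME["read_attributes"] | NAME["read_acl"] | NAME["synchronize"]
# ... and each mode bit covers these rights (user.* xattrs follow r and w).
COVERED = {
    "r": NAME["read_data"] | NAME["read_xattr"],
    "w": NAME["write_data"] | NAME["append_data"] | NAME["write_xattr"],
    "x": NAME["execute"],
}


def basic_name(mask: int) -> str:
    """Explorer's name for the mask, or 'Special' for anything else."""
    return next((name for name, value in BASIC if value == mask), "Special")


def to_posix(mask: int) -> str:
    """The rwx triple the ACE degrades to: a mode bit is set when any right it covers is."""
    return "".join(b if mask & COVERED[b] else "-" for b in "rwx")


def lost_bits(mask: int) -> List[str]:
    """Rights in the mask that the rwx triple does not carry."""
    kept = ALWAYS
    for b in to_posix(mask):
        if b != "-":
            kept |= COVERED[b]
    return [name for bit, name in BITS if mask & bit and not kept & bit]


def describe(mask: int) -> Tuple[str, str, List[str]]:
    return basic_name(mask), to_posix(mask), lost_bits(mask)


if __name__ == "__main__":
    for name, mask in BASIC:
        print(f"{name:15} 0x{mask:08x} -> {to_posix(mask)}  lost: {lost_bits(mask)}")
```

Read & Execute survives intact, which is why read-mostly shares rarely show problems; Modify loses delete and write_attributes, and Full Control additionally loses the three rights that make it Full Control. Those are exactly the rights that zfsacl or acl_xattr must keep outside the POSIX ACL.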
When ACLs don't behave as expected:
- Verify the filesystem is mounted with ACL support ('acl', plus 'user_xattr' on ext3/ext4; XFS has both on by default)
- Check the Samba logs for ACL conversion errors, raising the log level if nothing shows
- Test with the smbcacls command-line tool, which prints the ACE types, inheritance flags and masks exactly as Samba returns them
For complex environments, consider this enhanced setup:
    # Advanced smb.conf ACL configuration
    [secured_share]
        path = /data/secure
        vfs objects = acl_xattr recycle
        inherit acls = yes
        inherit owner = yes
        nt acl support = yes
        map readonly = no
        store dos attributes = yes
        create mask = 0664
        directory mask = 0775