
I want to configure Samba to manage Windows ACLs and manage them from Windows via the Security tab. The Samba server is standalone and not part of an AD tree; I already followed various official and unofficial guides but nothing seems to work.

The machine runs on a Debian 12 LXC on ZFS; the ZFS mountpoints do support ACLs:

$ mount | grep acl
rpool/data/subvol-107-disk-0 on / type zfs (rw,noatime,xattr,posixacl)
rpool/data/subvol-107-disk-1 on /data/share1 type zfs (rw,noatime,xattr,posixacl)

I did create a ZFS pool for each share; in this example it is /data/share1.

Samba is version 4.17.9-Debian

The folder ACLs are already set:

$ ls -lah /data/share1/
total 12K
drwxrwxr-x+ 3 administrator administrator 3 Jul 24 13:13 .
drwxr-xr-x  3 root          root          3 Jul 24 11:09 ..
drwxrwxr-x+ 2 administrator administrator 2 Jul 24 11:59 test

$ getfacl /data/share1/
getfacl: Removing leading '/' from absolute path names
# file: data/share1/
# owner: administrator
# group: administrator
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::r-x

I already configured the smb.conf appropriately:

[global]
        workgroup = CMC
        username map = /etc/samba/users.map
        server string = file-server

        log level = 5
        log file = /var/log/samba/log.%m
        max log size = 1000
        logging = file
        panic action = /usr/share/samba/panic-action %d


        server role = standalone server
        obey pam restrictions = yes
        map to guest = bad user


        acl allow execute always = yes

[homes]
        comment = Home Directories
        browseable = no
        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes


[share1]

        path = /data/share1/test
        guest ok = no
        comment = Cartella di test smb
        read only = no
        browseable = yes
        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = no

        store dos attributes = yes
        inherit acls = yes

From my tests, if I use this configuration for the share:

        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes

I get nothing from the Windows Security tab:

Acl error 1

If I instead use linuxacl with this configuration:

        map acl inherit = yes
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = no

        store dos attributes = yes
        inherit acls = yes

I get more feedback in the Windows Security tab

acl error2

but it keeps giving me access denied if I try to edit ACLs from there.

Plokko