Samba Standalone + Windows ACLs on Debian Stretch

A customer needed a simple File Server, without AD and all it’s complexity. A plain simple File Server. Of course, I choose Samba(as I write this, 4.5.8-Debian).

But, there is always a but, I wanted to manage ACLs(Permissions) using Windows GUI.

Here is a simple how-to on how to accomplish that straightforward. I’m using Debian Stretch.

First things first, install packages:

$ sudo apt install acl attr samba smbclient samba-vfs-modules

This will install samba and ACL and Extended attributes, needed by Windows ACls.

Next, we need to configure samba, /etc/samba/smb.conf:

# Global parameters
     workgroup = YOUR-WORKGROUP-NAME
     security = USER
     server role = standalone server

     log file = /var/log/samba/log.%m
     max log size = 1000
     panic action = /usr/share/samba/panic-action %d

     map to guest = Bad User
     passdb backend = tdbsam

     # Disable Usershares
     usershare path =

     # Disable Printing
     disable spoolss = Yes
     load printers = No
     printcap name = /dev/null
     printing = bsd

     # Name Resolution
     dns proxy = No
     name resolve order = host
     disable netbios = no

     # Enable Windows ACLs
     store dos attributes = Yes
     map acl inherit = Yes
     vfs objects = acl_xattr

# Shares parameters
     path = /srv/samba/MyShare
     read only = No

In this example, the shares are located at /src/samba/, which looks like:

drwxrws--- 2 root it 4.0K Oct 6 10:40 MyShare

I chmod 2770 MyShare as stated in the samba wiki:

Setting the SGID bit (2770) automatically inherits the directory’s group to all new files and directories created, instead setting it to the user’s primary group.

After that, we need to add the users to samba:

smbpasswd -a USERNAME, where USERNAME is the user you want to add to samba.

For users that you want to allow changing permissions in Windows, run:

net rpc rights grant "USERNAME" SeDiskOperatorPrivilege -U "root"

If you want to map a group:

net groupmap add ntgroup="NT_GROUP_NAME" unixgroup=UNIX_GROUP_NAME type=d -U root

To list samba users:

pdbedit -w -L

To access a share from command line:

smbclient -U USERNAME //SMB/MyShare

Hope it helps!