A customer needed a simple File Server, without AD and all its complexity. A plain, simple File Server. Of course, I chose Samba (as I write this, 4.5.8-Debian).
But, there is always a but, I wanted to manage ACLs (permissions) using the Windows GUI.
Here is a straightforward how-to for accomplishing that. I'm using Debian Stretch.
First things first, install packages:
$ sudo apt install acl attr samba smbclient samba-vfs-modules
This installs Samba along with ACL and extended attribute support, which Windows ACLs need.
Next, we need to configure Samba in /etc/samba/smb.conf:
    # Global parameters
    [global]
        workgroup = YOUR-WORKGROUP-NAME
        security = USER
        server role = standalone server
        log file = /var/log/samba/log.%m
        max log size = 1000
        panic action = /usr/share/samba/panic-action %d
        map to guest = Bad User
        passdb backend = tdbsam

        # Disable Usershares
        usershare path =

        # Disable Printing
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        printing = bsd

        # Name Resolution
        dns proxy = No
        name resolve order = host
        disable netbios = no

        # Enable Windows ACLs
        store dos attributes = Yes
        map acl inherit = Yes
        vfs objects = acl_xattr

    # Shares parameters
    [MyShare]
        path = /srv/samba/MyShare
        read only = No
In this example, the shares are located at /srv/samba/, which looks like:
drwxrws--- 2 root it 4.0K Oct 6 10:40 MyShare
I ran chmod 2770 MyShare, as stated in the Samba wiki:
Setting the SGID bit (2770) automatically inherits the directory’s group to all new files and directories created, instead of setting it to the user’s primary group.
After that, we need to add the users to samba:
smbpasswd -a USERNAME
where USERNAME is the user you want to add to Samba.
For users that you want to allow changing permissions in Windows, run:
net rpc rights grant "USERNAME" SeDiskOperatorPrivilege -U "root"
If you want to map a group:
net groupmap add ntgroup="NT_GROUP_NAME" unixgroup=UNIX_GROUP_NAME type=d -U root
To list samba users:
pdbedit -w -L
To access a share from the command line:
smbclient -U USERNAME //SMB/MyShare
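To check that the configuration and directory permissions described above are actually in place, the script below (an added example, not part of the original post) audits an smb.conf for the three Windows ACL settings and a share directory for the SGID bit and the absence of access for others. The function names and the script name audit.sh are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the value of a [global] parameter. Samba ignores case and whitespace
# in section and parameter names, so both are normalised before comparing.
global_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/   { sec = norm($0); next }    # section header
        sec == "[global]" && index($0, "=") {
            key = norm(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == norm(want)) found = val    # last occurrence wins
        }
        END { print found }
    ' "$1"
}

is_yes() {  # Samba accepts yes/true/1 for booleans, in any case
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; esac
    return 1
}

# Report missing Windows ACL settings; exit status is the number of findings.
audit_conf() {  # $1 = smb.conf path
    findings=0
    for p in 'store dos attributes' 'map acl inherit'; do
        is_yes "$(global_param "$1" "$p")" ||
            { echo "$p is not enabled"; findings=$((findings + 1)); }
    done
    case " $(global_param "$1" 'vfs objects' | tr ',\t' '  ') " in
        *" acl_xattr "*) ;;
        *) echo "vfs objects lacks acl_xattr"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Report a share directory that is not set up like the 2770 example.
audit_dir() {  # $1 = share directory
    findings=0
    [ -g "$1" ] || { echo "$1: SGID bit not set"; findings=$((findings + 1)); }
    [ "$(ls -ld -- "$1" | cut -c8-10)" = "---" ] ||
        { echo "$1: accessible to 'other'"; findings=$((findings + 1)); }
    return "$findings"
}

if [ "$#" -eq 2 ]; then audit_conf "$1"; audit_dir "$2"; fi  # sh audit.sh SMB_CONF SHARE_DIR
```

Run it as `sh audit.sh /etc/samba/smb.conf /srv/samba/MyShare`; it prints one line per finding and nothing when everything matches.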
Hope it helps!