A customer needed a simple file server, without AD and all its complexity. A plain, simple file server. Of course, I chose Samba (as I write this, 4.5.8-Debian).
But (there is always a but) I wanted to manage ACLs (permissions) using the Windows GUI.
Here is a straightforward how-to for accomplishing that. I’m using Debian Stretch.
First things first, install packages:
$ sudo apt install acl attr samba smbclient samba-vfs-modules
This installs Samba along with ACL and extended attribute support, which Windows ACLs need.
Next, we need to configure Samba (smb.conf):
# Global parameters
[global]
workgroup = YOUR-WORKGROUP-NAME
security = USER
server role = standalone server
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
map to guest = Bad User
passdb backend = tdbsam
# Disable Usershares
usershare path =
# Disable Printing
disable spoolss = Yes
load printers = No
printcap name = /dev/null
printing = bsd
# Name Resolution
dns proxy = No
name resolve order = host
disable netbios = no
# Enable Windows ACLs
store dos attributes = Yes
map acl inherit = Yes
vfs objects = acl_xattr
# Shares parameters
[MyShare]
path = /srv/samba/MyShare
read only = No
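As an added example (not part of the original post), this Python script audits smb.conf text for the Windows ACL settings above. It shows that a share setting its own vfs objects replaces the global list and so drops acl_xattr, and it flags guest ok on a share when map to guest is active. The [Scans] share and the function names are hypothetical; the parser assumes a single file without include lines, treats unset parameters as off, and does not resolve parameter synonyms.

```python
import re

YES = ("yes", "true", "1")  # Samba boolean spellings that mean "on"
# Constructed sample: settings from the how-to plus a hypothetical [Scans] share.
SAMPLE = """
[global]
   map to guest = Bad User
   store dos attributes = Yes
   map acl inherit = Yes
   vfs objects = acl_xattr
[MyShare]
   path = /srv/samba/MyShare
[Scans]
   vfs objects = recycle
   guest ok = Yes
"""

def norm(name):  # Samba ignores case and whitespace in parameter names
    return "".join(name.lower().split())

def parse_smb_conf(text):
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = line.split("=", 1)
            section[norm(key)] = value.strip()
    return conf

def audit(text):
    """Return one finding string per problem per share."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    guest_mapping = glob.get("maptoguest", "never").lower() != "never"
    findings = []
    for share, params in conf.items():
        eff = {**glob, **params}  # a share-level value replaces the global one
        if "acl_xattr" not in re.split(r"[\s,]+", eff.get("vfsobjects", "")):
            findings.append(f"{share}: vfs objects lacks acl_xattr")
        for key in ("store dos attributes", "map acl inherit"):
            if eff.get(norm(key), "no").lower() not in YES:
                findings.append(f"{share}: {key} is not enabled")
        if guest_mapping and eff.get("guestok", "no").lower() in YES:
            findings.append(f"{share}: guest ok + map to guest admits unknown users")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To keep Windows ACLs working on a share that needs another VFS module, list acl_xattr again in that share's own vfs objects line.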
In this example, the shares are located at /srv/samba/, which looks like:
drwxrws--- 2 root it 4.0K Oct 6 10:40 MyShare
The directory mode was set with chmod 2770 MyShare, as stated in the Samba wiki:
Setting the SGID bit (2770) automatically inherits the directory’s group to all new files and directories created, instead of setting it to the user’s primary group.
After that, we need to add the users to Samba:
smbpasswd -a USERNAME
where USERNAME is the user you want to add to Samba.
For users that you want to allow changing permissions in Windows, run:
net rpc rights grant "USERNAME" SeDiskOperatorPrivilege -U "root"
If you want to map a group:
net groupmap add ntgroup="NT_GROUP_NAME" unixgroup=UNIX_GROUP_NAME type=d -U root
To list Samba users:
pdbedit -w -L
To access a share from the command line:
smbclient -U USERNAME //SMB/MyShare
Hope it helps!