Samba allows you, since version 4, to do most share configuration via windows. In particular, the permission management with real Windows ACLs and multiple entries is much easier when done on Windows. The following Howto will give you an overview of how to manage shares.

To use the advanced features of Samba, it has to be compiled with ACL support. Also you need a filesystem that supports the “user” and “system” xattr namespaces. It also needs to have ACL and XATTR support.

You can see Samba4 File System support to complete the requirements.

The following is only required on Domain Member Servers and not on Domain Controllers! Add the following to your [global] section of your smb.conf:

 vfs objects = acl_xattr
 map acl inherit = Yes
 store dos attributes = Yes

This options are required on Member Servers, to enable the possibility for real windows ACLs. On Domain Controllers, ACL support is automatically enabled.

To configure share permissions, you need an account with “SeDiskOperatorPrivilege”. To see if 'administrator' account have this privilege:

 # net rpc rights list accounts -Uadministrator

In case the 'administrator' account don't have this privilege, you can grant this privilege, e. g. to the “Domain Admin” group, run the following command on your server:

 # net rpc rights grant 'YOURDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

• Create a folder that you want to share

 # mkdir -p /srv/samba/test/

• Add a new share to your smb.conf:

 [test]
     path = /srv/samba/test/
     read only = no

• Reload Samba:

 # smbcontrol all reload-config

• Log on to a Windows machine using an account, to which the “SeDiskOperatorPrivilege” was granted to or an account in a group with granted privilege.
• Open the Start Menu and search for “Computer Management”.
• In the menu bar go to “Action” → “Connect to another computer”.
• Enter the name of your Samba server, you've create the new share on.
• Navigate to “System Tools” → “Shared Folders” → “Shares” and select the new added share.

• Right-click to the share name, choose “Properties”.
• Go to the “Share Permissions” tab. Here you can configure who can access the share and the appropriate permissions.

• Go to the “Security” tab, click the „Edit“ button and configure the file system permissions.

• Save the changes by closing the windows with “OK”.

• Log on to a Windows machine as Domain Administrator.
• Navigate to the folder of which you want to change the permissions.
• Right-click to the folder and choose “Properties”.
• Go to the “Security” tab and click the “Edit” button.
• Change the permissions to your needs.

• Save the changes by closing the windows with “OK”.

The following HowTos treat topics, related on setting up file shares with special permissions or purposes:

• Setting up a home share
• Samba and Windows Profiles