Windows Explorer.exe Crashes When You Attempt To Access The Security Tab On A Samba (AD) Share

After setting up a Samba AD domain on a (RHEL-compatible) Linux box, I wanted to create a few shares so that the users could access some common files for install, etc. Everything was going well until I wanted to change the security of one of the shares (to make it read-only for Authenticated Users and writable for Administrators). I could bring up the Properties of the share but as soon as I went to the Security tab, explorer.exe would crash and restart. Hmmmmm, what was going on?
 
Turns out the extended attributes on the share were incorrect (in my case, not even set initially). To fix it, do the following:
 
Retrieve the ACL from a 'good' share (for example, the one below is already set correctly by the samba-tool domain provisioning):
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/SAMDOM/script
where SAMDOM is your domain name. Check in /etc/samba/smb.conf if you can't remember it. It's the lower-case version of the realm setting, in the [global] section. Also change the path appropriately for your install of Samba (i.e. where the sysvol folder and other standard/important Samba AD folders and files are located).
 
This will produce output something along the lines of:
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
 
Then copy that SDDL string into the following command and apply it to the share (full path) that needs the ACL set:
samba-tool ntacl set "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)" /lan/share
 
Also check that the permissions on the share folder (full path) are 0770:
chmod 0770 /lan/share
 
Then try opening the Security tab for the share in Windows File Explorer.
Voila!
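
Before copying an ACL from one share to another, it helps to see what the SDDL string actually grants. The Python below is an added example (not from the original post and not part of Samba) that decodes the string shown above; the function names are hypothetical, and it only handles owner, group and DACL, with the rights codes listed in RIGHTS.

```python
import re

# Sample input: the SDDL string shown in the post.
SDDL = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
        "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)")
# Standard SDDL trustee aliases that occur in that string's ACEs.
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SO": "Server Operators",
            "SY": "Local System", "AU": "Authenticated Users"}
# File rights abbreviations and their access masks.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# Bits that allow changing data, attributes, the DACL or the owner.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
SDDL_RE = re.compile(r"O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))+)")

def parse_mask(field):
    """Decode a hex mask (0x1200a9) or concatenated rights codes (FRFX)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for code in re.findall("..?", field):
        if code not in RIGHTS:
            raise ValueError(f"unknown rights code {code!r}")
        mask |= RIGHTS[code]
    return mask

def parse_sddl(sddl):
    """Split an O:..G:..D:.. string into owner, group and decoded ACEs."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if not m:
        raise ValueError("not an O:..G:..D:.. SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        # Unpacking raises ValueError unless the ACE has exactly 6 fields.
        ace_type, flags, rights, _, _, trustee = body.split(";")
        mask = parse_mask(rights)
        aces.append({"type": ace_type, "flags": flags, "mask": mask, "trustee": trustee,
                     "can_write": bool(mask & WRITE_BITS)})
    return {"owner": m["owner"], "group": m["group"],
            "protected": "P" in m["flags"], "aces": aces}

def writable_trustees(sddl):
    """Trustees whose allow ACEs carry any write, delete or ACL-change bit."""
    return [a["trustee"] for a in parse_sddl(sddl)["aces"]
            if a["type"] == "A" and a["can_write"]]

if __name__ == "__main__":
    for a in parse_sddl(SDDL)["aces"]:
        print(TRUSTEES.get(a["trustee"], a["trustee"]), hex(a["mask"]),
              "write" if a["can_write"] else "read-only")
```

For the string above, only BA and SY come out with write access; SO and AU get 0x1200a9, which is read and execute.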
 
Also check out this Samba wiki article for more good info on setting up share security access: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
 
Incidentally, I use the Samba repo from Tranquil IT (samba.tranquil.it) for my samba rpm packages. That way you get the FULL samba experience and not just Red Hat's 'version' of it! See more info at doc.tranquil.it. (n.b. it is in French so hopefully your browser will offer to translate for you)