[Samba] Samba ACL and '+' on a 'ls - l'

Arnold.O.Andrews at seagate.com Arnold.O.Andrews at seagate.com
Thu Jul 28 13:52:41 GMT 2005 

> Dear Guys,
>
> I have noticed that one of our domain users folder in
> /var/lib/samba/profiles has a '+' on the end  of their username folder
> and all the files in their profile too.
>
> I know this is to do with ACL's and I know Samba can translate Windows
> ACL's to filesystem acls, but where can I find out where/how they are
> getting created and remove them.
>
> They should be know different then anyone else.
>
> Although, all the users are setup as Admins on their own computer, but
> noone else seems to be picking up or have a '+' sign on a 'ls -l'
>

I can only speak for what the commands to handle ACL's are for Solaris;
"getfacl" (to see what the current settings on a file or directory are, and
"setfacl" (to set ACL settings).

If those aren't the same commands used on your Samba server's OS to handle
ACL settings, try using "apropos acl" to see a list of man pages regarding
acl's.

Anyway, I recently found myself wanting to remove ACL settings acquired
from granting permissions through windows myself.  I found that I had to
use "setfacl" to replace the ACL entries and reset them to standard type
entries in order to lose the "+" sign (signifying that there are additional
ACL entries on a file).

Setting the permissions on a file or directory with "chmod" alone is not
enough to clear the ACLs.

Example:  I have a file that has ACL's set:

% ls -l acl_test
-rw-r--r--+  1 user1    usergroup         0 Jul 28 08:31 acl_test

% getfacl acl_test

# file: acl_test
# owner: user1
# group: DGROUP
user::rw-
user:user2:rwx                #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--

( In the example above, the ACL's shown grant "user2" full access to the
file, even though user2 is not the owner.

Clearing the permissions from the file does not (completely) remove the ACL
setting.

% chmod 000 acl_test
% ls -l acl_test
----------+  1 user1    usergroup         0 Jul 28 08:31 acl_test

To get rid of the "+" sign altogether, use setfacl with the -s option to
reset the permission:

% setfacl -s u::rw-,g::r--,o:r-- acl_test
% ls -l acl_test
-rw-r--r--   1 user1    usergroup         0 Jul 28 08:31 acl_test


As you can see, the ACL's have been replaced by default entries (as if
chmod was the only thing that ever touched it).

Hope that helps.

Regards,

Arnold Andrews
Sr. Systems Administrator
Seagate Technology

More information about the samba mailing list