[Samba] Is it possible to clone an NT ACL from one file or dir to a totally different file or dir ?

Ken McDonald ken at generation.tech
Sun Mar 25 00:38:55 UTC 2018


On 03/24/2018 08:20 PM, Ken McDonald via samba wrote:
> Can I use a command like this to clone an NT ACL?
>
> getfattr -n security.NTACL templateFile | sed -e 's/templateFile/realFile/' | sudo setfattr --restore=-
>
> I can see that the attribute gets copied over but when I view the ACL 
> in Windows security tab it's not the same ACL, it's much bigger and 
> includes all kinds of default-like stuff. I'm trying to find a way to 
> update permissions on a mass amount of files without using the 
> existing Windows/Samba tools which take days to complete on large 
> datasets.
>
> Right now, I have this process, but it's not working and I don't 
> understand why.
>
> 1) Set up a template example file or directory with the desired 
> permission structure (call it templateFile here)
>
> 2) Create or use an existing destination/target file or directory 
> (call it realFile here)
>
> 3) Remove all existing perms on realFile:
>
> setfacl -b realFile
>
> setfattr -x user.DOSATTRIB realFile
>
> sudo setfattr -x security.NTACL realFile
>
> 4) Clone the extended ACL:
>
> getfacl templateFile | sudo setfacl -bnM - realFile
>
> 5) Clone the DOS attributes
>
> getfattr -d templateFile | sed -e 's/templateFile\/realFile/' | setfattr --restore=-
That had a typo when I shortened it to an example form. Should have been:
5) Clone the DOS attributes
getfattr -d templateFile | sed -e 's/templateFile/realFile/' | setfattr --restore=-
>
> 6) Clone the NTACL
>
> getfattr -n security.NTACL templateFile | sed -e 's/templateFile/realFile/' | sudo setfattr --restore=-
>
>
> By default, step 4 takes forever to run on large datasets because it 
> uses named entities. My ultimate plan was to use the numeric 
> user/group IDs in that step instead of named ones so the Winbind cost 
> is not incurred. It seems that, for the whole process, the calls to Winbind to 
> resolve the named entity to its numeric ID are the reason for the 
> slowdown. That's why, even when using the normal Windows security tab 
> or samba-tool, it takes days to update large datasets. I'm exploring 
> options around that issue.
>
>
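
Added example, not part of the original message: a Python sketch that retargets a getfattr dump by rewriting only the `# file:` header, where the sed in steps 5 and 6 substitutes on every line, value lines included, and then compares the decoded attribute bytes to confirm the clone is byte-identical. The file names `data` and `real`, the sample dump and all function names are constructed for illustration; it assumes values dumped in base64 (`0s`) or hex (`0x`) form.

```python
import base64

# Constructed sample in getfattr's dump format for a file named "data".
# The values are made-up bytes, not a real Samba NT ACL blob.
SAMPLE_DUMP = (
    "# file: data\n"
    "security.NTACL=0sAQIDdata\n"
    "user.DOSATTRIB=0x30783230\n"
    "\n"
)

def decode_value(token):
    """Decode one dumped value: 0s<base64> or 0x<hex>."""
    if token.startswith("0s"):
        return base64.b64decode(token[2:])
    if token.startswith(("0x", "0X")):
        return bytes.fromhex(token[2:])
    raise ValueError("re-dump with -e base64 or -e hex: " + token[:16])

def parse_dump(text):
    """Return {path: {attr_name: raw_bytes}} from dump text."""
    files, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = files.setdefault(line[len("# file: "):], {})
        elif "=" in line and current is not None:
            name, _, token = line.partition("=")
            current[name] = decode_value(token)
    return files

def retarget(text, old, new):
    """Rewrite only the '# file:' header naming `old`; leave value lines alone."""
    header = "# file: " + old
    return "\n".join("# file: " + new if l == header else l
                     for l in text.split("\n"))

def sed_first_match(text, old, new):
    """Mimic sed 's/old/new/' for a literal name: first match on every line."""
    return "\n".join(l.replace(old, new, 1) for l in text.split("\n"))

def changed_attrs(before, after):
    """Attribute names whose bytes differ or that exist on one side only."""
    return sorted(n for n in before.keys() | after.keys()
                  if before.get(n) != after.get(n))

if __name__ == "__main__":
    src = parse_dump(SAMPLE_DUMP)["data"]
    for fn in (retarget, sed_first_match):
        dst = parse_dump(fn(SAMPLE_DUMP, "data", "real"))["real"]
        print(fn.__name__, "changed:", changed_attrs(src, dst))
```

The output of `retarget` can be piped to `setfattr --restore=-` in place of the sed stage, and `changed_attrs` can be run on a fresh dump of the target to check what actually landed on disk.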


