Can you remove ntacls from the command line?

Matthieu Patou mat at
Sat Nov 20 03:30:05 MST 2010

Hi Mike,

"allaboutmike" <mike at> wrote:

>I have some permissions problems and I would like to start from
>scratch. Is there a way I can remove all (windows) permissions on my
>folders from command line? They don't seem to have any extended attributes:
>bcmain samba # getfattr -d /data/accounts
>bcmain samba #
>However Samba thinks they have plenty of acl info if I am reading this
>bcmain samba # ./bin/samba-tool acl nt get --xattr-backend=native
>file: struct xattr_NTACL
>    version                  : 0x0001 (1)
>    info                     : union xattr_NTACL_Info(case 1)
>    sd                       : *
>        sd: struct security_descriptor
>          revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
>            type                     : 0x8004 (32772)
>                   0: SEC_DESC_OWNER_DEFAULTED
>                   0: SEC_DESC_GROUP_DEFAULTED
>                   1: SEC_DESC_DACL_PRESENT
>                   0: SEC_DESC_DACL_DEFAULTED
>                   0: SEC_DESC_SACL_PRESENT
>                   0: SEC_DESC_SACL_DEFAULTED
>                   0: SEC_DESC_DACL_TRUSTED
>Is there a way I can do this?
Try getfattr -d -m "" as we store the acls in a system.NTACLS and it's 
not shown by default:

mat at ares:/usr/local/src/samba4/source4$ getfattr -d 

mat at ares:/usr/local/src/samba4/source4$ getfattr -d -m "" 
getfattr: Removing leading '/' from absolute path names
# file: tmp/toto/sysvol/

Then I leave it up to you to read the man page of setfattr on how to remove 
the extended attribute!

Matthieu Patou
Samba Team
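
What the reply describes, as an added example that is not part of the original post: plain `getfattr -d` only matches `user.*`, so this script reads a full `-m ""` dump, lists the attributes outside that namespace and removes those matching a glob with `setfattr -x`. The sample dump, its attribute names and the `*.NTACL*` glob are constructed for illustration; take the real attribute name from your own output.

```shell
#!/bin/sh
# Added example (not from the original post): list the extended attributes
# that plain `getfattr -d` hides, then remove the ones matching a pattern.

# Constructed sample of `getfattr -d -m ""` output; names/values are assumed.
sample_dump() {
cat <<'EOF'
# file: data/accounts
security.NTACL=0sAQABAA==
user.comment="keep me"

# file: data/accounts/2010 q4
security.NTACL=0sAQABAA==
system.posix_acl_access=0sAgAAAA==
EOF
}

# Read a getfattr dump on stdin; print "file<TAB>attribute" for every
# attribute outside user.*, i.e. everything the default pattern filters out.
hidden_xattrs() {
  awk '
    /^# file: / { file = substr($0, 9); next }
    file != "" && /^[^#]/ {
      name = $0; sub(/=.*/, "", name)
      if (name !~ /^user\./) print file "\t" name
    }'
}

# strip_xattrs GLOB: read a dump on stdin and remove each hidden attribute
# whose name matches GLOB. DRY_RUN defaults to 1 and only reports.
strip_xattrs() {
  tab=$(printf '\t')
  hidden_xattrs | while IFS=$tab read -r file attr; do
    case $attr in
      $1) if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would remove %s from %s\n' "$attr" "$file"
          else
            setfattr -x "$attr" -- "$file"
          fi ;;
    esac
  done
}

# Real use (run as root):
#   getfattr -R -d -m "" --absolute-names /data/accounts | DRY_RUN=0 strip_xattrs '*.NTACL*'
```

`--absolute-names` keeps the leading `/` that getfattr otherwise strips, so the paths in the dump can be passed straight back to `setfattr`.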

More information about the samba-technical mailing list