How mode bits are stored in NFS/NTFS/CIFS/SMB3 ACLs

Ralph Böhme rb at
Thu Sep 25 04:08:58 MDT 2014

On Thu, Sep 25, 2014 at 01:04:37AM -0500, Steve French wrote:
> Did some experiments today to see how mode bits are stored by the
> Windows NFS server in the RichACL (CIFS or NFS ACL).   mounted nfsv4.1
> to Windows from Linux then created a bunch of files and did chmod of
> various combinations of 07777 bits (including sticky, setuid etc.)
> Windows NFS server is storing the user owner bits with SID
> S-1-5-88-1 and using SID S-15-88-2 for group owner and S-1-5-88-4 for
> the ACE for "other" (this is easy to spot over CIFS/SMB3 etc because
> user owner and group owner map to these SIDs in the security
> descriptor returned over the wire).
> As expected, for each of the 3 ACEs, it is setting "GENERIC_READ" in
> the ACE for '4' (read) and GENERIC_WRITE for '2' (write) and
> GENERIC_EXECUTE for '1' (execute).  What is puzzling is where it
> stores the setuid and sticky bits (bits 07000) because they are not
> visible in the CIFS/NTFS ACL.
> Interesting that Windows's ACL management tool "cacls" doesn't display
> the human readable names of the three special SIDs (even when run
> locally on NTFS) although does display the ACE associated with the sid
> with its raw SID.
> Trying it on a different server which also handles both NFS and
> CIFS/SMB3, the Mac, was also interesting.
> Strangely enough the Mac client didn't seem to recognize these ACEs (I
> thought they did) - and ls -l in Mac's bash always shows mode of 0700

It does, but only after negotiating it via capability flags in an
SMB2/CREAT context "AAPL".

I posted patches recently, they're still in the review process:


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen,

More information about the samba-technical mailing list