deprecated "profile acls" for 4.7

Stefan Metzmacher metze at
Tue Jun 13 10:44:07 UTC 2017


as "profile acls = yes" doesn't work anymore with modern clients
(and I also don't understand why it was added with the current behaviour
at all), I'd like to deprecate the option and later remove the feature,
If needed it needs to be readded as vfs module again, but only
if someone is able to explain it to me:-)

Please review and push:-)

-------------- next part --------------
From f602d55c64cb3dcc91cc9ded3ad6b0fa744f8ad8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at>
Date: Tue, 13 Jun 2017 11:59:30 +0200
Subject: [PATCH 1/2] docs-xml/smbdotconf: deprecated "profile acls"

This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.

Typically something like this seems to work:

  comment = Users profiles New
  path = /data/winprofiles/
  browseable = No
  read only = No
  csc policy = disable
  store dos attributes = yes
  vfs objects = acl_xattr

With chmod 1777 on /data/winprofiles/

In order to work around some locking problems, see

It's also useful to something like this in the global
section in order to detect disconnects reliable:


Signed-off-by: Stefan Metzmacher <metze at>
 docs-xml/smbdotconf/protocol/profileacls.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml
index ade906c..a660c52 100644
--- a/docs-xml/smbdotconf/protocol/profileacls.xml
+++ b/docs-xml/smbdotconf/protocol/profileacls.xml
@@ -1,9 +1,22 @@
 <samba:parameter name="profile acls"
+                 deprecated="1"
+	As most system support support posix acls and extended attributes
+	today. The "acl_xattr" vfs module should be used instead of
+	using <smbconfoption name="profile acls">yes</smbconfoption>.
+	Using an vfs module that provides nfs4 acls may also work.
+	</para>
+	<para>
+	With modern clients (as of 2017) it's not possible to
+	use <smbconfoption name="profile acls">yes</smbconfoption> anymore.
+	</para>
+	<para>
 	This boolean parameter was added to fix the problems that people have been
 	having with storing user profiles on Samba shares from Windows 2000 or
 	Windows XP clients. New versions of Windows 2000 or Windows XP service
@@ -40,6 +53,9 @@
 	On other shares, it might cause incorrect file ownerships.
+	<para>
+	This parameter is deprecated with Samba 4.7 and will be removed in future versions.
+	</para>
 <value type="default">no</value>

From 5a94b318c883631834e37db169075a007584ea6f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at>
Date: Tue, 13 Jun 2017 11:59:30 +0200
Subject: [PATCH 2/2] WHATSNEW: deprecated "profile acls"

Signed-off-by: Stefan Metzmacher <metze at>
 WHATSNEW.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8548e16..1a36e88 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -103,6 +103,7 @@ smb.conf changes
   auth event notification       New parameter           no
   auth methods                  Deprecated
   map untrusted to domain       Deprecated
+  profile acls                  Deprecated
   strict sync                   Default changed         yes
 Removal of lpcfg_register_defaults_hook()

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list