jra at samba.org
Mon Jul 30 23:34:50 UTC 2018
On Mon, Jul 30, 2018 at 09:01:57PM +0100, Rowland Penny via samba-technical wrote:
> In 'man vfs_acl_xattr' under 'OPTIONS' there is this:
> acl_xattr:ignore system acls = [yes|no]
> When set to yes, a best effort mapping from/to the POSIX ACL layer
> will not be done by this module. The default is no, which means
> that Samba keeps setting and evaluating both the system ACLs and
> the NT ACLs. This is better if you need your system ACLs be set for
> local or NFS file access, too. If you only access the data via
> Samba you might set this to yes to achieve better NT ACL
>
> By my reading, this means by default, Samba will reset 'security.NTACL'
> if the ACLs are changed (with setfacl for instance) or if you change
> the EA with setfattr etc. the ACLs will be reset. However, if
> 'acl_xattr:ignore system acls = yes' is set, should this mean that the
> ACLs are not changed if the EA is changed?
Yes, the code shows that if "ignore_system_acls = yes" then
validate_nt_acl_blob() merely returns the security.NTACL
blob read from the filesystem and ignores the underlying
filesystem ACL store (be it POSIX or anything else).