Jeremy Allison jra at samba.org
Mon Jul 30 23:34:50 UTC 2018

On Mon, Jul 30, 2018 at 09:01:57PM +0100, Rowland Penny via samba-technical wrote:
> Hello,
> In 'man vfs_acl_xattr' under 'OPTIONS' there is this:
> acl_xattr:ignore system acls = [yes|no]
>     When set to yes, a best effort mapping from/to the POSIX ACL layer
>     will not be done by this module. The default is no, which means
>     that Samba keeps setting and evaluating both the system ACLs and
>     the NT ACLs. This is better if you need your system ACLs be set for
>     local or NFS file access, too. If you only access the data via
>     Samba you might set this to yes to achieve better NT ACL
>     compatibility.
> By my reading, this means by default, Samba will reset 'security.NTACL'
> if the ACLs are changed (with setfacl for instance) or if you change
> the EA with setfattr etc. the ACLs will be reset. However, if
> 'acl_xattr:ignore system acls = yes' is set, should this mean that the
> ACLs are not changed if the EA is changed?

Yes, the code shows that if "ignore_system_acls = yes" then
validate_nt_acl_blob() merely returns the security.NTACL
blob read from the filesystem and ignores the underlying
filesystem ACL store (be it POSIX or anything else).
