Rowland Penny rpenny at samba.org
Tue Jul 31 07:58:19 UTC 2018

On Mon, 30 Jul 2018 16:34:50 -0700
Jeremy Allison <jra at samba.org> wrote:

> On Mon, Jul 30, 2018 at 09:01:57PM +0100, Rowland Penny via
> samba-technical wrote:
> > 
> > Hello,
> > 
> > In 'man vfs_acl_xattr' under 'OPTIONS' there is this:
> > 
> > acl_xattr:ignore system acls = [yes|no]
> >     When set to yes, a best effort mapping from/to the POSIX ACL
> >     layer will not be done by this module. The default is no, which
> >     means that Samba keeps setting and evaluating both the system ACLs
> >     and the NT ACLs. This is better if you need your system ACLs be set
> >     for local or NFS file access, too. If you only access the data via
> >     Samba you might set this to yes to achieve better NT ACL
> >     compatibility.
> > 
> > By my reading, this means by default, Samba will reset
> > 'security.NTACL' if the ACLs are changed (with setfacl for
> > instance) or if you change the EA with setfattr etc. the ACLs will
> > be reset. However, if 'acl_xattr:ignore system acls = yes' is set,
> > should this mean that the ACLs are not changed if the EA is
> > changed?
> Yes, the code shows that if "ignore_system_acls = yes" then
> validate_nt_acl_blob() merely returns the security.NTACL
> blob read from the filesystem and ignores the underlying
> filesystem ACL store (be it POSIX or anything else).

Oh good, I hoped that was the case, well it doesn't.

If I create a dir, chmod 0777, chown root:BUILTIN\Administrators, then
check with 'ls' I get back what I expect 'drwxrwxrwx' (note the lack of
'+' that denotes further ACLs are set).

If I then use 'samba-tool ntacl set' to set 'security.NTACL' on the dir
using a sddl that starts 'O:BAG:SYD:PAI(', when I check it with
'samba-tool ntacl get', I get back a totally different sddl which
starts 'O:LAG:BAD:('. Also the directory permissions have sprouted a '+'
on the end and there are multiple ACLs shown by getfacl. The share has
'acl_xattr:ignore system acls = yes' set.

I am sure somebody is going to say that I am not setting them through
Samba, I am setting them on the OS, but this needs to be fixed because
it explains why sysvolcheck keeps throwing an error.

Has anybody got any idea how to make 'samba-tool ntacl set' ignore the
system ACLs if 'acl_xattr:ignore system acls = yes' is set?

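Added example (editor's code, not part of this thread and not Samba's own tooling): a small Python SDDL parser that compares the descriptor handed to 'samba-tool ntacl set' with the one 'samba-tool ntacl get' reads back, so the kind of round-trip drift described above (owner, group, DACL flags and ACEs changing) can be checked mechanically across many directories instead of by eye. The only values taken from the mail are the 'O:BAG:SYD:PAI(' and 'O:LAG:BAD:(' prefixes; the ACE lists completing the two sample strings are constructed, and the script takes the two SDDL strings as arguments rather than invoking samba-tool itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known two-letter SID aliases used in SDDL strings;
# included only to make the report readable.
SID_ALIASES = {
    "BA": "Builtin Administrators",
    "BU": "Builtin Users",
    "SY": "Local System",
    "LA": "Local Administrator",
    "DA": "Domain Admins",
    "AU": "Authenticated Users",
    "WD": "Everyone",
    "CO": "Creator Owner",
}


@dataclass(frozen=True)
class Ace:
    """One ACE in its plain six-field SDDL form: (type;flags;rights;object;inherit_object;trustee)."""
    ace_type: str
    flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    trustee: str

    @property
    def raw(self) -> str:
        return ";".join((self.ace_type, self.flags, self.rights,
                         self.object_guid, self.inherit_object_guid, self.trustee))


@dataclass
class SecurityDescriptor:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str
    dacl: List[Ace]
    sacl_flags: str
    sacl: List[Ace]


def _parse_acl(text: str) -> Tuple[str, List[Ace]]:
    """Split an ACL component into its control flags (P, AI, AR, ...) and its ACE list."""
    paren = text.find("(")
    flags = text if paren < 0 else text[:paren]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) != 6:
            # Conditional / resource-attribute ACEs carry extra fields; not handled here.
            raise ValueError(f"unsupported ACE form: ({body})")
        aces.append(Ace(*fields))
    return flags, aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse the O:, G:, D: and S: components of an SDDL string."""
    parts = {}
    # Each component runs from its 'X:' introducer up to the next introducer.
    for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        parts[m.group(1)] = m.group(2)
    dacl_flags, dacl = _parse_acl(parts.get("D", ""))
    sacl_flags, sacl = _parse_acl(parts.get("S", ""))
    return SecurityDescriptor(parts.get("O"), parts.get("G"), dacl_flags, dacl, sacl_flags, sacl)


def describe(token: Optional[str]) -> str:
    if token is None:
        return "<absent>"
    return f"{token} ({SID_ALIASES[token]})" if token in SID_ALIASES else token


def diff_sddl(requested: str, observed: str) -> List[str]:
    """Report every way the descriptor read back differs from the one that was set."""
    want, got = parse_sddl(requested), parse_sddl(observed)
    findings = []
    if want.owner != got.owner:
        findings.append(f"owner changed: {describe(want.owner)} -> {describe(got.owner)}")
    if want.group != got.group:
        findings.append(f"group changed: {describe(want.group)} -> {describe(got.group)}")
    if want.dacl_flags != got.dacl_flags:
        msg = f"DACL flags changed: {want.dacl_flags!r} -> {got.dacl_flags!r}"
        if "P" in want.dacl_flags and "P" not in got.dacl_flags:
            msg += " (protected flag lost, so parent inheritance is no longer blocked)"
        findings.append(msg)
    want_aces, got_aces = set(want.dacl), set(got.dacl)
    for ace in sorted(want_aces - got_aces, key=lambda a: a.raw):
        findings.append(f"ACE missing after round-trip: ({ace.raw})")
    for ace in sorted(got_aces - want_aces, key=lambda a: a.raw):
        findings.append(f"ACE added after round-trip: ({ace.raw})")
    return findings


# Constructed samples: only the O:/G:/D: prefixes come from the mail, the ACE lists are invented.
SAMPLE_REQUESTED = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
SAMPLE_OBSERVED = "O:LAG:BAD:(A;;FA;;;LA)(A;;FA;;;BA)"

if __name__ == "__main__":
    import sys
    req, obs = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (SAMPLE_REQUESTED, SAMPLE_OBSERVED)
    for line in diff_sddl(req, obs) or ["no drift detected"]:
        print(line)
```

Run it with the SDDL you passed to 'samba-tool ntacl set' as the first argument and the output of 'samba-tool ntacl get' as the second; an empty report means the blob survived the round-trip unchanged, anything else is the drift to chase. The parser deliberately rejects conditional ACEs (more than six fields) rather than silently mis-reading them.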