Is "acl_xattr:ignore system acl = yes" recommended?

Rowland Penny rpenny at
Mon Jul 26 19:16:54 UTC 2021

On Tue, 2021-07-27 at 06:23 +1200, Andrew Bartlett via samba-technical
> In our wiki:
> there is the fairly strong suggestion to set:
>  acl_xattr:ignore system acl = yes
> I feel like this is a fairly bad idea, we should defer to the kernel
> unless we really know that just doesn't work.
> But I don't fileserver every day, so I wanted to ask first.
> What is the broader view on this option?
> Andrew Bartlett

I added it to the wiki because Louis recommends it (a lot) and after a
thread on the mailing list (if I remember correctly), also Andrew
hasn't given the full context:

If you are setting the shares permissions from Windows (recommended),
you should add this line to your share:

acl_xattr:ignore system acl = yes

This will make Samba ignore the system ACL's (ugo). 

I also do not see where the kernel comes in here, as in 'man
vfs_acl_xattr' it says:

acl_xattr:ignore system acls = [yes|no]
   When set to yes, a best effort mapping from/to the POSIX ACL layer
   will not be done by this module. The default is no, which means
   that Samba keeps setting and evaluating both the system ACLs and
   the NT ACLs. This is better if you need your system ACLs be set for
   local or NFS file access, too. If you only access the data via
   Samba you might set this to yes to achieve better NT ACL

To me, that means with 'acl_xattr:ignore system acls = yes' set, the
normal Unix 'ugo' permissions are not changed, so where does the kernel
come in ?


More information about the samba-technical mailing list