Is "acl_xattr:ignore system acl = yes" recommended?
Rowland Penny
rpenny at samba.org
Mon Jul 26 19:16:54 UTC 2021
On Tue, 2021-07-27 at 06:23 +1200, Andrew Bartlett via samba-technical
wrote:
> In our wiki:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> there is the fairly strong suggestion to set:
>
> acl_xattr:ignore system acl = yes
>
> I feel like this is a fairly bad idea, we should defer to the kernel
> unless we really know that just doesn't work.
>
> But I don't fileserver every day, so I wanted to ask first.
>
> What is the broader view on this option?
>
> Andrew Bartlett
>
I added it to the wiki because Louis recommends it (a lot) and after a
thread on the mailing list (if I remember correctly), also Andrew
hasn't given the full context:
If you are setting the shares permissions from Windows (recommended),
you should add this line to your share:
acl_xattr:ignore system acl = yes
This will make Samba ignore the system ACL's (ugo).
I also do not see where the kernel comes in here, as in 'man
vfs_acl_xattr' it says:
acl_xattr:ignore system acls = [yes|no]
When set to yes, a best effort mapping from/to the POSIX ACL layer
will not be done by this module. The default is no, which means
that Samba keeps setting and evaluating both the system ACLs and
the NT ACLs. This is better if you need your system ACLs be set for
local or NFS file access, too. If you only access the data via
Samba you might set this to yes to achieve better NT ACL
compatibility.
To me, that means with 'acl_xattr:ignore system acls = yes' set, the
normal Unix 'ugo' permissions are not changed, so where does the kernel
come in ?
Rowland
More information about the samba-technical
mailing list