Is "acl_xattr:ignore system acl = yes" recommended?

Uri Simchoni uri at
Tue Jul 27 05:56:21 UTC 2021

On 7/26/21 9:23 PM, Andrew Bartlett via samba-technical wrote:
> In our wiki:
> there is the fairly strong suggestion to set:
>   acl_xattr:ignore system acl = yes
> I feel like this is a fairly bad idea, we should defer to the kernel
> unless we really know that just doesn't work.
> But I don't fileserver every day, so I wanted to ask first.
> What is the broader view on this option?
> Andrew Bartlett

I'm not recommending one way or the other because I don't remember the 
full set of implications, and it depends on use case, but in general, 
the system ACLs can get in the way of emulating a Windows file server 
using acl_xattr. If the files are to be accessed only via SMB and full 
NT emulation is desired, then we're better off ignoring system ACLs.

When system ACLs are ignored, the file has ugo permissions as set by 
smb.conf settings, SMB ACL modifications just change the xattr, and 
fetching the security descriptor for the purpose of access check is a 
matter of reading and parsing the xattr, and comparing the SIDs with the 
ones in the token. Notice that no network activity is involved here. If 
the xattr does not exist, the generated default ACL is something that 
makes sense in the Windows world.

When system ACLs are not ignored, the vfs_acl_xattr module also sets 
POSIX ACLs in a best effort way, but this doesn't always work well 
because the NT mode is much richer. One prominent thing that affects 
security is deny lists. POSIX ACLs are not (AFAIK) in common use, this 
hasn't even made it into a POSIX standard, so poking in them could be 
surprising to sys admins.

The translation from SID to unix ID could involve network traffic (if 
only to determine whether the SID is a user or group SID), could result 
attempt to contact a foreign domain, and I don't remember what happen if 
those fail - whether the operation is failed or we skip failed entries.

Additionally, if the POSIX acls are modified externally or by an SMB1 
client with POSIX extensions, smbd "forgets" the xattr blob and uses 
something derived from POSIX ACLs.

Finally, the default ACL used if the xattr blob doesn't exist is derived 
from system ACL and that's not always desirable - see


More information about the samba-technical mailing list