Is "acl_xattr:ignore system acl = yes" recommended?

Rowland Penny rpenny at samba.org
Tue Jul 27 07:49:31 UTC 2021


On Tue, 2021-07-27 at 10:30 +0300, Uri Simchoni via samba-technical
wrote:
> On 7/27/21 9:31 AM, miguel medalha wrote:
> > Dear Uri
> > 
> > Does Samba have root access? If so, wouldn't it be possible, when
> > using "acl_xattr:ignore_system_acls = yes", to set permissions to
> > root:root and 600/700 instead of 666/777 and let Samba do the
> > translation and authorize access based only on what is set on the
> > "security.NTACL" extended attribute?
> > 
> > Best regards
> > Miguel Medalha
> > 
> > 
> 
> (adding the list)
> 
> To guarantee a specific unix owner for files in a folder exclusively 
> accessed by smbd (thereby getting the kernel out of the way or 
> implementing folder quota), the following scheme could be used:
> 1. set the desired owner on the (empty) root of the folder
> 2. set "inherit owner = unix only"
> 3. set acl_xattr:ignore_system_acls = true
> 
> regarding 0666/0777, I'm afraid that's enforced by the acl_xattr module
> if ignore_system_acls is set.

Yes, but it very probably shouldn't be. If something says 'ignore
system acls' and it is set to 'yes' (please stop using 'true' and 'false',
'yes' and 'no' are a lot clearer), it should do just that: 'ignore' the
system acls, not set them to something else.

The problem would be if vfs_acl_xattr is used on a standalone server,
in which case 'ignore system acls' should be hardcoded to 'no', even if
set to 'yes' in smb.conf.

Rowland 
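
An added example, not part of the original thread and not Samba project code: a small audit of a share tree that uses the scheme quoted above. It lists entries whose unix owner differs from the share root's owner, and entries whose mode is not the 0666/0777 the thread says acl_xattr enforces. With those modes the kernel permits any local account to read and write the files, so this inventory shows what is protected only by smbd's evaluation of security.NTACL. The function names and the path passed on the command line are assumptions.

```shell
#!/bin/sh
# Audit a share that follows the scheme described in the thread:
#   - owner set on the share root, "inherit owner = unix only"
#   - acl_xattr with ignore system acls enabled (modes 0666/0777 per the thread)
# Function names are hypothetical; pass the share path as the first argument.

# Print entries whose unix owner differs from the owner of the share root.
owner_drift() {
    root=$1
    # Third field of "ls -ldn" is the numeric uid of the share root.
    uid=$(ls -ldn "$root" | awk '{print $3}')
    find "$root" ! -uid "$uid" -print
}

# Print regular files that are not exactly 0666 and directories that are
# not exactly 0777, i.e. entries not created through this configuration.
mode_drift() {
    root=$1
    find "$root" \( \( -type f ! -perm 0666 \) -o \
                    \( -type d ! -perm 0777 \) \) -print
}

# Count entries that every local account can write to.
world_writable_count() {
    root=$1
    find "$root" ! -type l -perm -0002 -print | wc -l | tr -d ' '
}

if [ "$#" -ge 1 ]; then
    share=$1
    echo "== owner differs from share root =="
    owner_drift "$share"
    echo "== mode differs from 0666/0777 =="
    mode_drift "$share"
    echo "== world-writable entries: $(world_writable_count "$share") =="
fi
```

Run it as root on the file server, for example `sh audit_share.sh /srv/samba/data` (path constructed for illustration).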
