Is "acl_xattr:ignore system acl = yes" recommended?

Uri Simchoni uri at
Tue Jul 27 08:12:35 UTC 2021

On 7/27/21 10:49 AM, Rowland Penny via samba-technical wrote:
>> regarding 0666/0777, I'm afraid that's enforced by the acl_xattr module
>> if ignore_system_acls is set.
> Yes, but it very probably shouldn't be

That originates in and

The smbd process assumes the unix identity of the user that opened the 
connection, unless, maybe, "force user" is also used. Given that, a mask 
of 0600 will make the kernel get in the way again, so that's why the 
hard-coded setting of 0666/0777.

I agree that we could get the same result by setting "create mask" and 
"directory mask" manually - it's largely a balance between getting the 
configuration options to behave according to their name, getting the right 
configuration by default, and maintaining enough flexibility for all use 

I hope that helps,
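
The message above explains that a mode narrower than 0666/0777 lets the kernel deny access that the NT ACL stored by acl_xattr would allow. As an added example (not part of the original message and not Samba code), this audit walks a share path and reports entries whose mode bits are narrower than those values, which is useful when "create mask" and "directory mask" are set manually; the function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

FILE_BITS = 0o666  # file mode the message says is hard-coded with ignore system acl
DIR_BITS = 0o777   # directory mode the message says is hard-coded

def find_restrictive_entries(share_root):
    """Return sorted (relative_path, mode) pairs whose mode lacks the expected bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(share_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the share
            if stat.S_ISDIR(st.st_mode):
                wanted = DIR_BITS
            elif stat.S_ISREG(st.st_mode):
                wanted = FILE_BITS
            else:
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            if mode & wanted != wanted:
                # The kernel mode check would reject users other than the owner
                # before any ACL kept in the xattr is considered.
                findings.append((os.path.relpath(full, share_root), mode))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one open and one restrictive entry of each kind."""
    for name, mode in {"open.txt": 0o666, "private.txt": 0o600}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    for name, mode in {"open_dir": 0o777, "locked_dir": 0o700}.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, mode in find_restrictive_entries(root):
            print(f"{rel}: {mode:04o}")
```

With modes this open, the NT ACL is only enforced for access through smbd; local accounts on the server see the plain 0666/0777 bits.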

