[Samba] Bizarre - How did windows user setfacl for a file??

Greg Byshenk samba at byshenk.net
Thu Nov 13 15:32:36 GMT 2008

On Wed, Nov 12, 2008 at 01:46:45AM -0600, David C. Rankin wrote:
> 	In 8 years, since 2.02 (I think), I have never seen this behavior out of
> samba. I run a stand-alone server with WinXP clients. Somehow a legal assistant
> created (not intentionally mind you) files and directories with ACL attributes set:
> -rwxrwx---+ 1 cyndy ochiltree 21504 2008-10-28 16:48 AUTHORIZATION -
> employment.doc*
> -rwxrwx---+ 1 cyndy ochiltree 12804 2008-10-28 16:48 AUTHORIZATION -
> employment.pdf*
> drwxrwx---+ 2 cyndy ochiltree  4096 2008-10-29 16:56 Gregg, Joy/
> -rwxrwx---+ 1 cyndy ochiltree 44544 2008-10-28 16:32 POA - BG Contingency New.doc*
> -rwxrwx---+ 1 cyndy ochiltree 48309 2008-10-28 16:31 POA - BG Contingency New.pdf*
> drwxrwx---+ 2 cyndy ochiltree  4096 2008-10-29 16:51 Roper, Buddy/
> 	What in the heck? I found the setfacl --remove-all
> command that gets rid of this, but I'm still left wondering WTF happened in the
> first place? Moreover, how do I configure samba to make sure this never happens
> again? My config is: [...]

I'm not sure for exactly how long, but Samba has supported extended ACLs
for quite some time (if the underlying OS/filesystem has such support).

To ensure that it is not there, you can either a) build samba without
acl support; or b) disable extended ACLs on the filesystem.

As for why it changed for you, I notice that the default configuration
is now (for Samba-3.2.4, at least)

   --with-acl-support      Include ACL support (default=auto)

... which I believe means that it will build in ACL support if the 
system has it.  Perhaps this has changed recently?

greg byshenk  -  gbyshenk at byshenk.net  -  Leiden, NL

More information about the samba mailing list