[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

Wes Deviers wdevie at hrcsb.org
Wed Sep 16 09:18:58 MDT 2009


I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3.  
They worked fine, or at least as fine as NT -> POSIX mapping ever did.  After 
testing 3.3 with acl_xattr on using a different machine, I decided to give it a 
whirl on the production server.  And yes, I know it's experimental.

I defined a share thusly:
vfs objects = acl_xatt
acl map full control = true
inherit acls = yes
map acl inherit = yes
map read only = Permissions
nt acl support = yes
acl group control = true
dos filemode = yes
enable privileges = yes
store dos attributes = yes

This is identical to the setup on the test machine, which worked correctly.

On the production machine, trying to set ACLs via XP's Explorer interface 
fails with a permission denied.  The log:

set_canon_ace_list: sys_acl_set_file type file failed for file TestDirectory/Test 
(Operation not supported).

Having both POSIX ACL and the VFS object turned on produced some interest 
results, so last night I unmounted /samba, turned off -o acl, and remounted it.  
It now has user_xattr turned on, but -o acl is *off*.  Restarted Samba, 
everything seemed to work.

In the harsh light of users' morning, it appears that Samba is still trying to 
use the POSIX ACL layer to store ACLs, although that's a best guess based on 
the error message.

How can I insist that Samba use the vfs object ACL module, instead of the 
POSIX acls?



More information about the samba mailing list