[Samba] ACL misbehavior moving from POSIX ACL -> acl_xattr

Jeremy Allison jra at samba.org
Wed Sep 16 10:56:11 MDT 2009

On Wed, Sep 16, 2009 at 11:18:58AM -0400, Wes Deviers wrote:
> List,
> I had Samba 3.0 running on Debian Lenny configured to use POSIX ACLs on ext3.  
> They worked fine, or at least as fine as NT -> POSIX mapping ever did.  After 
> testing 3.3 with acl_xattr on using a different machine, I decided to give it a 
> whirl on the production server.  And yes, I know it's experimental.
> I defined a share thusly:
> vfs objects = acl_xatt
> acl map full control = true
> inherit acls = yes
> map acl inherit = yes
> map read only = Permissions
> nt acl support = yes
> acl group control = true
> dos filemode = yes
> enable privileges = yes
> store dos attributes = yes
> This is identical to the setup on the test machine, which worked correctly.
> On the production machine, trying to set ACLs via XP's Explorer interface 
> fails with a permission denied.  The log:
> set_canon_ace_list: sys_acl_set_file type file failed for file TestDirectory/Test 
> (Operation not supported).
> Having both POSIX ACL and the VFS object turned on produced some interest 
> results, so last night I unmounted /samba, turned off -o acl, and remounted it.  
> It now has user_xattr turned on, but -o acl is *off*.  Restarted Samba, 
> everything seemed to work.
> In the harsh light of users' morning, it appears that Samba is still trying to 
> use the POSIX ACL layer to store ACLs, although that's a best guess based on 
> the error message.
> How can I insist that Samba use the vfs object ACL module, instead of the 
> POSIX acls?

You can't at the moment. Samba still requires the incoming
ACL to be converted into an underlying file system ACL, as
the underlying filesystem still must have the final decision
on access decisions. The NT acl is stored as an "extra" layer
of ACL metadata on top of this, which is also consulted.

You could slot in a "null" ACL module underneath the acl_xattr
layer that always allowed acl set and returned an "allow everyone"
acl on read, but that isn't coded yet (shouldn't be too hard

Currently if you want "native" NT ACLs only I suggest you
use the NFSv4 module, which is pretty close to native Windows


More information about the samba mailing list