[Samba] POSIX ACLs vs. EA security.NTACLs

TAKAHASHI Motonobu monyo at monyo.com
Thu Feb 3 09:19:50 MST 2011

2011/2/3 Robert W. Smith <rwsmith at bislink.net>:
> This might be more inclusive if I said, Linux Permissions vs POSIX ACLs
> vs vfs_xattr.
> 1) Does Samba maintain the consistency between all of the stored NTFS
> attributes and POSIX ACLs when using vfs_xattr?

Only one way, from NTFS attributes to POSIX ACLs.

> 2) When might the POSIX ACL not be in sync with the vfs_xattr EA stored
> in security.NTACL when using Samba?

As far as I examined in Samba 3.5.6, the consistency is almost kept.
But in prior versions, it is not. And the ACL inherit flag cannot work well.


> 4) With 'inherit acls = yes' what does 'default acl' imply? All ACLs on
> the file/directory or just those preceded with the tag 'default'?

'inherit acls = yes' only affects the *permissions* (not any ACLs) for
child files or directories. Read smb.conf(5).

But if "inherit permissions = yes", "inherit acls" is always ignored.

> 7) Currently, if a user comes to me and says, 'I need the lawyer to
> have access to file XYZ', I would grant the POSIX ACL using the Linux
> CLI with, # setfacl -m g:mud-suckers:rw, without regard to the user's OS
> platform. With vfs_xattr, do I now need to somehow 'sync' the POSIX ACL
> with the security.NTACL EA? If yes, how?

With acl_xattr enabled, you should not set POSIX ACLs manually.
You have no way to sync.

> 5) For the astute reader, since this is a Samba share, I force the group
> to be 'domusers' (DOMAIN\Domain Users in Win) for new files/directories.
> Will this always be the Linux permission group? Will this overwrite the
> Linux group 'users' of existing files or new files where permissions and
> ACLs are inherited?

"force group" only affects the permission group for new files/directories.

> 6) I want to always ensure both the Linux only group 'users' and the
> 'domusers' (which include both Linux and Windows users and Win only
> users) are enabled on all files/directories on this share. Hey, I'll
> give my silver dollar to the person who can come up with a configuration
> that will solve this with both NFS and Samba!

I recommend:
1) to set owner and group to root,
2) add g:users:rwx and g:domusers:rwx to the default ACL

> 3) If both POSIX ACL and security.NTACL exist on a file/directory, which
> does smbcacls show? What does Win* Properties-->Security show? What does
> smbclient show?

Maybe NTACL is shown.
Remember, POSIX ACL is used to determine if access is allowed or not.
NTACL is not referred to.

TAKAHASHI Motonobu <monyo at samba.gr.jp>
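
An added example, not part of the original message: a Python check of the layout recommended in the answer to question 6 (owner and group root, default ACL granting rwx to users and domusers), run over getfacl-format text. The paths and owner names are constructed, and the mask handling assumes standard POSIX ACL semantics, where the default mask caps every named-group entry.

```python
# Groups and rights from the recommendation above (g:users:rwx, g:domusers:rwx).
REQUIRED = {"users": "rwx", "domusers": "rwx"}
# Constructed sample in getfacl format; access-ACL lines omitted for brevity.
SAMPLE = """\
# file: srv/share/legal
# owner: root
# group: root
default:user::rwx
default:group::r-x
default:group:users:rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---

# file: srv/share/hr
# owner: alice
# group: users
default:user::rwx
default:group::rwx\t#effective:r-x
default:group:users:rwx\t#effective:r-x
default:group:domusers:rwx\t#effective:r-x
default:mask::r-x
default:other::---
"""

def audit(text, required=REQUIRED):
    """Return {path: [problems]} for directories deviating from the layout."""
    findings = {}
    for block in filter(None, text.strip().split("\n\n")):
        meta, default, problems = {}, {}, []
        for line in block.splitlines():
            line = line.split("#effective")[0].strip()  # drop getfacl's hint
            if line.startswith("# "):
                key, _, val = line[2:].partition(": ")
                meta[key] = val
            elif line.startswith("default:"):
                _, tag, name, perms = line.split(":")
                default[(tag, name)] = perms
        if (meta.get("owner"), meta.get("group")) != ("root", "root"):
            problems.append("owner/group is not root:root")
        mask = default.get(("mask", ""), "rwx")  # mask caps named-group entries
        for grp, want in required.items():
            have = default.get(("group", grp), "---")  # no entry means no rights
            eff = "".join(h if h == m else "-" for h, m in zip(have, mask))
            if eff != want:
                problems.append(f"default ACL gives {grp} {eff}, expected {want}")
        if problems:
            findings[meta.get("file", "?")] = problems
    return findings
```

Feed it the output of getfacl for directories only, since regular files carry no default ACL and would all be reported.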
