[Samba] POSIX ACLs vs. EA security.NTACLs

Jeremy Allison jra at samba.org
Thu Feb 3 11:21:48 MST 2011


On Fri, Feb 04, 2011 at 01:19:50AM +0900, TAKAHASHI Motonobu wrote:
> 2011/2/3 Robert W. Smith <rwsmith at bislink.net>:
> 
> > 7) Currently, if a user comes to me and says, 'I need the lawyer to
> > have access to file XYZ', I would grant the POSIX ACL using the Linux
> > CLI with, # setfacl -m g:mud-suckers:rw, without regard to the user's OS
> > platform. With vfs_xattr, do I now need to somehow 'sync' the POSIX ACL
> > with the security.NTACL EA? If yes, how?
> 
> With acl_xattr enabled, you should not set POSIX ACLs manually.
> You have no way to sync.

What will happen is that smbd will notice the NTACL and the POSIX ACL
are no longer in sync (hash value changed) and delete the NTACL stored
in the EA and re-sync with POSIX automatically.

> > 3) If both POSIX ACL and security.NTACL exist on a file/directory, which
> > does smbcacls show? What does Win* Properties-->Security show? What does
> > smbclient show?
> 
> Maybe NTACL is shown.
> Remember, POSIX ACL is used to determine if access is allowed or not.
> NTACL is not referred to.

NTACL is shown. NTACL can deny additional access, but not override POSIX ACLs.
Both are considered when accessing a file.

A *lot* of new work has gone into this in 3.5.7, and this Samba
version now passes the torture4 ACL tests (which are *really* nasty :-).

Jeremy.
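
The behaviour described in this thread, as an added example that is not part of the original message and is not Samba code: a simplified Python model in which the NT ACL is stored beside a hash of the POSIX ACL, a manual `setfacl` makes that hash stale, and access needs both ACLs to agree. The class, the principal names other than `mud-suckers`, the hash input format and the assumption that storing an NT ACL leaves the POSIX ACL untouched are all constructed for illustration.

```python
import hashlib

class ModelFile:
    """Simplified model: POSIX ACL plus an NT ACL stored beside a hash of it."""

    def __init__(self, posix_acl):
        self.posix_acl = {p: set(r) for p, r in posix_acl.items()}
        self.ntacl = None      # (POSIX hash at store time, principal -> rights)
        self.resyncs = 0

    def _posix_hash(self):
        canon = ";".join(f"{p}:{''.join(sorted(r))}"
                         for p, r in sorted(self.posix_acl.items()))
        return hashlib.sha256(canon.encode()).hexdigest()

    def set_ntacl(self, allow):
        """ACL edit made through the share: store NT ACL with the current hash."""
        self.ntacl = (self._posix_hash(), {p: set(r) for p, r in allow.items()})

    def setfacl(self, principal, rights):
        """Out-of-band edit on the server; the stored NT ACL is left untouched."""
        self.posix_acl[principal] = set(rights)

    def shown_acl(self):
        """ACL shown to clients; a stale NT ACL is dropped and rebuilt from POSIX."""
        if self.ntacl is None or self.ntacl[0] != self._posix_hash():
            self.resyncs += 1
            self.set_ntacl(self.posix_acl)
        return self.ntacl[1]

    def access(self, principal, right):
        """Both ACLs are consulted: the NT ACL can only narrow what POSIX allows."""
        nt_ok = right in self.shown_acl().get(principal, set())
        return nt_ok and right in self.posix_acl.get(principal, set())

def demo():
    f = ModelFile({"u:alice": "rw", "g:staff": "r"})   # constructed sample ACL
    f.set_ntacl({"u:alice": "r", "g:staff": "rw"})     # NT ACL set from a client
    before = (f.access("u:alice", "w"), f.access("g:staff", "w"))
    f.setfacl("g:mud-suckers", "rw")                   # the manual change from the thread
    after = (f.access("g:mud-suckers", "w"), f.access("u:alice", "w"))
    return before, after, f.resyncs

if __name__ == "__main__":
    print(demo())
```

In this model the manual `setfacl` does grant the new group access, but the rebuild also discards the NT-side restriction that had kept `u:alice` from writing, which is worth checking for after any out-of-band ACL change.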

