[Samba] Issues with acl_xattr module

mitja at mttv.it mitja at mttv.it
Thu May 30 11:14:31 MDT 2013

Hi all, I'm new to this mailing list, and I need some help with a problem I 
experience with my Samba setup.

I set up a fileserver on top of Debian 6 with samba-3.6.6 on an XFS 
filesystem partition.

I tried to use vfs acl_xattr for better Windows compatibility and it 
seems to be working well in general, but I experience some strange behavior: I 
added two ACLs with different restrictions, one for a user and the other 
for a group the user is a member of, and it seems that the more restrictive 
permissions are evaluated.

To reproduce the problem I used a domain user that is a member of group1, 
and that group1 has read-write (modify) permissions on the file I want to 
write to. As soon as I apply another ACL with read-only permission on 
the same file for the specified user, I can't write to the file anymore.
The very strange thing is that when I try to apply a read-only ACL to the 
group and a read-write ACL to the user, I can write the file normally.

I don't know if this is some sort of misconfiguration on my part or a wrong 
filesystem permission on top of the share. I tried many variations, 
including enabling and disabling the acl_xattr:ignore system acls option, 
but no change.

The filesystem is XFS and comes with extended attributes enabled. The 
global smb.conf and the share definition follow.

Any help will be appreciated.

Mitja Tavcar

         workgroup = INTRA
         realm = INTRA.COMUNE.TRENTO.IT
         server string = File server applicazioni
         security = ADS
         log file = /var/log/samba/%m-%U.smbd
         load printers = No
         printcap name = /dev/null
         disable spoolss = Yes
         local master = No
         domain master = No
         registry shares = Yes
         template shell = /bin/bash
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         idmap config INTRA : range = 10000-99999
         idmap config INTRA : backend = rid
         idmap config * : range = 1000000-2000000
         idmap config * : backend = tdb
         hosts allow =,

path = /smbmnt/disk_servizi/Servizi/pippo/
read only = no
browseable = No
store dos attributes = Yes
vfs objects = acl_xattr
acl_xattr:ignore system acls = Yes
ea support = Yes
inherit acls = Yes
guest ok = no
available = yes
inherit permissions = yes
map acl inherit = yes
acl map full control = no
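
The two cases described in the message above, modelled under two evaluation orders, as an added example that is not part of the original post and is not Samba code: the POSIX.1e draft ACL check, where a matching named-user entry decides alone, and the Windows DACL walk, where allow ACEs for the user and its groups accumulate. It does not establish which check smbd applied in this setup. The names user1 and group1, the permission bits, and the assumptions that both Windows entries are allow ACEs and that the user is not the file owner are constructed for illustration.

```python
# Added illustration, not Samba code. Names and permission bits are constructed.
READ, WRITE = 0x1, 0x2

def posix_acl_check(acl, user, groups, wanted):
    """POSIX.1e draft order for a non-owner: a matching named-user entry
    decides alone; group entries are consulted only when none matched."""
    mask = acl.get("mask", READ | WRITE)
    if user in acl["users"]:
        return (acl["users"][user] & mask & wanted) == wanted
    matched = [p for g, p in acl["groups"].items() if g in groups]
    if matched:
        # Any single matching group entry that covers the request grants it.
        return any((p & mask & wanted) == wanted for p in matched)
    return (acl.get("other", 0) & wanted) == wanted

def windows_dacl_check(dacl, user, groups, wanted):
    """Windows order: walk the ACEs in sequence. Allow ACEs for the user or
    any of its groups accumulate; a deny ACE on a still-needed bit refuses."""
    sids = {user} | set(groups)
    remaining = wanted
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def can_write(user_perms, group_perms):
    """Return (posix_result, windows_result) for a write by user1 in group1."""
    acl = {"users": {"user1": user_perms}, "groups": {"group1": group_perms}}
    dacl = [("allow", "user1", user_perms), ("allow", "group1", group_perms)]
    who = ("user1", ["group1"])
    return (posix_acl_check(acl, *who, WRITE), windows_dacl_check(dacl, *who, WRITE))

if __name__ == "__main__":
    RW = READ | WRITE
    print("user ro, group rw:", can_write(READ, RW))  # first case in the post
    print("user rw, group ro:", can_write(RW, READ))  # second case in the post
```

On a live server, comparing `getfacl` output for the file with the Windows security tab shows which of the two sets of entries is present on disk.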

