[Samba] ACLs on Samba share not preserved when copying with Windows Explorer

Andrew Martin amartin at xes-inc.com
Wed Aug 12 16:13:31 UTC 2015

----- Original Message -----
> From: "Rowland Penny" <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Sent: Wednesday, August 12, 2015 1:46:53 AM
> Subject: Re: [Samba] ACLs on Samba share not preserved when copying with Windows Explorer
> >>
> > Hi Rowland,
> >
> > This Samba 3 server is joined to a Samba 4 AD domain using winbind.
> >
> > Can you elaborate on how I am attempting to enforce UNIX permissions?
> > As far as I am aware, I am only setting the necessary octal bits in
> > order to be able to configure the POSIX ACLs.
> >
> > Thanks,
> >
> > Andrew
> >
> Hi Andrew, Unix permissions == POSIX ACLs i.e the rwx bits you get from
> ls -la /some/directory_or_file. You need to use either POSIX ACLs or set
> the permissions from windows (or with setfacl), do not try and mix them
> as you are doing.


My understanding is that there are 3 different permission systems:
 - basic UNIX octal permissions (rwx for owner, group, others)
 - POSIX ACLs (managed by getfacl/setfacl): http://linux.die.net/man/5/acl
 - Windows/ZFS/NFSv4 ACLs (managed by nfs4_getfacl/nfs4_setfacl)

My understanding is that Samba handles mapping between Windows ACLs and 
POSIX ACLs, is this not correct?

When configuring the ACLs on my share, I have used setfacl exclusively for
configuring permissions (as you suggested), however the situation I described
originally is the result. 

----- Original Message -----
> From: "Ali Bendriss" <ali.bendriss at gmail.com>
> To: "Andrew Martin" <amartin at xes-inc.com>
> Cc: "buhorojo" <buhorojo.lcb at gmail.com>, samba at lists.samba.org
> Sent: Tuesday, August 11, 2015 5:45:04 PM
> Subject: Re: [Samba] ACLs on Samba share not preserved when copying with Windows Explorer
> Hi,
> Cant say nothing about the different behaviour between your application
> and windows explorer. But if you want to look further or find a
> workaround, you may check the man page of smb.conf
> as a starting point search for the section about :
> - inherit acls
> - inherit permissions


Setting "inherit acls = yes" on the share seems to have corrected the
problem! One question I have is that the smb.conf manpage states "Enabling 
this option sets the unix mode to 0777, thus guaranteeing that default 
directory acls are propagated." 

In my test case, the files created inside of the share after setting
"inherit acls" are still 770 as expected, not 777 as the manpage seems
to indicate. The parent directory is 770, so are the files just inheriting
the parent directory's octal permissions, despite what the manpage says?



More information about the samba mailing list