[Samba] ACLs on Samba share not preserved when copying with Windows Explorer

Rowland Penny rowlandpenny241155 at gmail.com
Wed Aug 12 16:24:10 UTC 2015

On 12/08/15 17:13, Andrew Martin wrote:
> ----- Original Message -----
>> From: "Rowland Penny" <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Sent: Wednesday, August 12, 2015 1:46:53 AM
>> Subject: Re: [Samba] ACLs on Samba share not preserved when copying with Windows Explorer
>>> Hi Rowland,
>>> This Samba 3 server is joined to a Samba 4 AD domain using winbind.
>>> Can you elaborate on how I am attempting to enforce UNIX permissions?
>>> As far as I am aware, I am only setting the necessary octal bits in
>>> order to be able to configure the POSIX ACLs.
>>> Thanks,
>>> Andrew
>> Hi Andrew, Unix permissions == POSIX ACLs i.e the rwx bits you get from
>> ls -la /some/directory_or_file. You need to use either POSIX ACLs or set
>> the permissions from windows (or with setfacl), do not try and mix them
>> as you are doing.
> Rowland,
> My understanding is that there are 3 different permission systems:
>   - basic UNIX octal permissions (rwx for owner, group, others)
>   - POSIX ACLs (managed by getfacl/setfacl): http://linux.die.net/man/5/acl
>   - Windows/ZFS/NFSv4 ACLs (managed by nfs4_getfacl/nfs4_setfacl)

The problem is people call these by different names :-)

What I was trying to get across (and failing it would seem) is that 
setting 'create mask' etc in smb.conf is a bad thing if you want to use 
'POSIX ACLs' (as you call them) as well. They tend to react with each 
other, so you should just use one or the other, not both. If you have 
windows clients then I would go with just the 'POSIX ACLs' and set these 
from windows, remove the 'create mask' settings from samba conf (I would 
check the other share settings as well, two of your settings mean the 
same thing).


> My understanding is that Samba handles mapping between Windows ACLs and
> POSIX ACLs, is this not correct?
> http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/23_AccessControls_25.html
> When configuring the ACLs on my share, I have used setfacl exclusively for
> configuring permissions (as you suggested), however the situation I described
> originally is the result.
> ----- Original Message -----
>> From: "Ali Bendriss" <ali.bendriss at gmail.com>
>> To: "Andrew Martin" <amartin at xes-inc.com>
>> Cc: "buhorojo" <buhorojo.lcb at gmail.com>, samba at lists.samba.org
>> Sent: Tuesday, August 11, 2015 5:45:04 PM
>> Subject: Re: [Samba] ACLs on Samba share not preserved when copying with Windows Explorer
>> Hi,
>> Cant say nothing about the different behaviour between your application
>> and windows explorer. But if you want to look further or find a
>> workaround, you may check the man page of smb.conf
>> as a starting point search for the section about :
>> - inherit acls
>> - inherit permissions
> Ali,
> Setting "inherit acls = yes" on the share seems to have corrected the
> problem! One question I have is that the smb.conf manpage states "Enabling
> this option sets the unix mode to 0777, thus guaranteeing that default
> directory acls are propagated."
> In my test case, the files created inside of the share after setting
> "inherit acls" are still 770 as expected, not 777 as the manpage seems
> to indicate. The parent directory is 770, so are the files just inheriting
> the parent directory's octal permissions, despite what the manpage says?
> Thanks,
> Andrew

More information about the samba mailing list