[Samba] NT ACL preservation

Andrew Hart fraggle at achart.me.uk
Tue Nov 10 03:22:12 UTC 2015

Hey, hoping I can get some guidance on how this works.

I've got a running samba standalone setup.  On one of my shares, I want to
preserve the ACL of files as they come from the client (Win 7), in essence
acting as a file backup.  My setup for this share is currently:

valid users = @wheel
public = no
writeable = yes
vfs objects = btrfs acl_xattr
# acl_xattr: ignore system acls = yes
# map acl inherit = yes
store dos attributes = yes

My problem is that at some point in the chain, the ACLs are getting
stripped out.  When I pull files back, they simply inherit the permissions
of the target folder.

I currently have two test files with different permission settings that I
use to try to work out what is going on.  If I getfattr -n security.NTACL,
the output for each file is slightly different, but smbcacls gives the
same output for both files.  Uncommenting the map acl inherit line creates
the user.SAMBA_PAI, but I don't really have a clue what doing that does or
doesn't get me, so not sure whether to use it.  I'm pretty sure I want
'ignore system acls' but uncommenting that line results in the test files
no longer getting either security.NTACL or user.SAMBA_PAI.  I've had a
rummage through the logs, but nothing seems to indicate a problem,
although I'm not sure what I'd be looking for.

I know copying by Windows Explorer results in stripping out permissions,
but is there a preferred way on windows to send files to the share for
this purpose?  I've tested with Robocopy and FreeFileSync.  They both
result in the behaviour described above.

Any suggestions would be greatly appreciated!


Andrew Hart

Using Opera's mail client: http://www.opera.com/mail/

More information about the samba mailing list