[Samba] Issue with acl_xattr:ignore system acls in 4.5rc2

Eric Eastman eric.eastman at keepertech.com
Thu Aug 18 13:57:36 UTC 2016


Hi Ralph,

>> The line causing the problem with 4.5rc2 is:
>>   acl_xattr:ignore system acls = yes
>
> this change was introduced in
> <https://bugzilla.samba.org/show_bug.cgi?id=12028>
>
> Before explaining the gory details, one question: why are you setting
> this option?

I am setting this option per the vfs_acl_xattr.8 man page
recommendations. Using a Windows system I set up a Home directory under
the root directory, /zzz/Home in this case, and that directory gets
the needed NT ACLs when it is created.  Not having access to /zzz on
my Windows AD was a surprise when I started testing 4.5, as this has
worked for me since 4.1.x. Other than creating /zzz, all access to the
/zzz/Home tree is done using shared SMB mounts from Linux and Windows.

> As this severely impacts existing setups, we have three options to
> address this:
>
> 1. Revert it,
> 2. Document it, or
> 3. Do it differently
>
> 1. Revert it
>
> Brings back the original problem: not behaving as a Windows server and
> in certain situations unexpectedly exposing system POSIX permissions
> as described in the above bug.

I would not revert it, but per other recommendations, having a legacy
option would be nice.

> 2. Document it
>
> One could argue that this works as designed, so just add a big note to
> the release notes so people are aware of this change. As everybody
> reads release notes, there'll be no surprise. :)

This would have been very helpful.  I read the release notes before
starting my 4.5 testing, and re-read them as soon as I hit this issue.
A note in the man page that states how this function changed in 4.5
would also be helpful.

> 3. Do it differently

Now that I understand what is going on, I have no problems with the
change.  It was just a surprise that cost me some time to figure it
out.

Thank you for the detailed information.

Eric


