[Samba] Is it possible to clone an NT ACL from one file or dir to a totally different file or dir ?

Ken McDonald ken at generation.tech
Sun Mar 25 00:20:10 UTC 2018

Can I use a command like this to clone an NT ACL?

getfattr -n security.NTACL templateFile | sed -e 's/templateFile/realFile/' | sudo setfattr --restore=-

I can see that the attribute gets copied over but when I view the ACL in 
Windows security tab it's not the same ACL, it's much bigger and 
includes all kinds of default-like stuff. I'm trying to find a way to 
update permissions on a mass amount of files without using the existing 
Windows/Samba tools which take days to complete on large datasets.

Right now, I have this process, but it's not working and I don't 
understand why.

1) Set up a template example file or directory with the desired permission 
structure (call it templateFile here)

2) Create or use an existing destination/target file or directory (call 
it realFile here)

3) Remove all existing perms on realFile:

setfacl -b realFile

setfattr -x user.DOSATTRIB realFile

sudo setfattr -x security.NTACL realFile

4) Clone the extended ACL:

getfacl templateFile | sudo setfacl -bnM - realFile

5) Clone the DOS attributes

getfattr -d templateFile | sed -e 's/templateFile/realFile/' | setfattr --restore=-

6) Clone the NTACL

getfattr -n security.NTACL templateFile | sed -e 's/templateFile/realFile/' | sudo setfattr --restore=-

By default, step 4 takes forever to run on large datasets because it 
uses named entities. My ultimate plan was to use the numeric user/group 
IDs in that step instead of named ones so the Winbind cost is not 
incurred. It seems that, for the whole process, the calls to Winbind to 
resolve the named entity to its numeric ID are the reason for the slowdown. 
That's why, even when using the normal Windows security tab or 
samba-tool, it takes days to update large datasets. I'm exploring 
options around that issue.
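
Steps 3 to 6 above as a single pass, as an added example that is not part of the original post: it copies the raw extended attributes byte for byte, including the kernel's binary POSIX ACL attributes (`system.posix_acl_access`, `system.posix_acl_default`), which store numeric IDs, so no name lookups occur. The function name and the `get`/`put`/`drop` hooks are assumptions made for illustration; Linux is assumed. It does not change how Samba interprets the copied `security.NTACL` value.

```python
import errno
import os

# Attributes from the steps above, plus the kernel's binary POSIX ACL
# attributes, which hold numeric uid/gid values (no name resolution).
ATTRS = (
    "system.posix_acl_access",
    "system.posix_acl_default",  # meaningful on directories only
    "user.DOSATTRIB",
    "security.NTACL",
)


def clone_xattrs(template, target, names=ATTRS, get=None, put=None, drop=None):
    """Copy each attribute byte for byte; remove it from target when the
    template lacks it. Returns {name: copied|removed|absent|skipped}."""
    # get/put/drop are hypothetical hooks so the logic can be exercised
    # without root; they default to the real xattr calls.
    get = get or os.getxattr
    put = put or os.setxattr
    drop = drop or os.removexattr
    result = {}
    for name in names:
        if name.endswith("acl_default") and not os.path.isdir(target):
            result[name] = "skipped"  # default ACLs apply to directories
            continue
        try:
            value = get(template, name)
        except OSError as exc:
            if exc.errno != errno.ENODATA:
                raise
            value = None  # template does not carry this attribute
        if value is not None:
            put(target, name, value)
            result[name] = "copied"
            continue
        try:
            drop(target, name)  # equivalent of the removals in step 3
            result[name] = "removed"
        except OSError as exc:
            if exc.errno != errno.ENODATA:
                raise
            result[name] = "absent"
    return result


if __name__ == "__main__":
    import sys
    template_path, *target_paths = sys.argv[1:]
    for path in target_paths:
        print(path, clone_xattrs(template_path, path))
```

Writing `security.NTACL` needs root, as the `sudo` in the original commands implies.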
