[Samba] Is it possible to clone an NT ACL from one file or dir to a totally different file or dir ?

Klaus Hartnegg hartnegg at gmx.de
Thu May 17 09:23:49 UTC 2018

On 07.04.2018 at 22:02 Ken McDonald wrote:
> By using deep extended attribute cloning, only getfattr is needed 
> because it includes the ACL entries normally configured by using 
> getfacl. This helped ...a lot... in reducing winbind username/group 
> lookup calls. The key line that clones POSIX/Windows ACL entries is this.
> getfattr -d -m - $1 | sed 1d | sed "1 i\# file: $ENCODED" | setfattr 
> --restore=-

I found this to be insufficient, and am using these two commands:

# transfer Unix-ACLs (and owner, group, and mode-bits):
cd "$src" && getfacl -R -n . | (cd "$dst" && setfacl --restore=-)

# transfer ATTRs (including Windows-ACLs, but not owner, group, or 
cd "$src" && getfattr -R -d -m - . | (cd "$dst" && setfattr --restore=-)

If I remember correctly, the Unix owner, group and mode bits must also be 
copied, otherwise the Windows-ACLs will be ignored.

This requires traversing all directories twice, but the second run is 
usually a lot faster because of caching, independent of the order in which 
the commands are run.
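
The two passes above can be wrapped with error checks and followed by a comparison of both trees' metadata, so a partial restore is noticed. This is an added example, not part of the original message: the function names are hypothetical, and it assumes GNU find, sort and xargs and a destination tree with the same layout as the source.

```shell
#!/bin/sh
# Added example, not from the original post. clone_meta, dump_meta and
# verify_meta are hypothetical names. Run as root on a real share so that
# security.NTACL is readable and ownership can be restored.

# Both passes from the post; each dump must succeed before it is restored.
clone_meta() {  # $1 = source tree, $2 = destination tree (same layout)
    cm_src=$1; cm_dst=$2; cm_rc=1
    for cm_tool in getfacl setfacl getfattr setfattr; do
        command -v "$cm_tool" >/dev/null || { echo "missing $cm_tool" >&2; return 2; }
    done
    cm_tmp=$(mktemp) || return 1
    # Pass 1: POSIX ACLs plus owner, group and mode bits (-n = numeric ids).
    if (cd "$cm_src" && getfacl -R -n .) >"$cm_tmp" &&
       (cd "$cm_dst" && setfacl --restore="$cm_tmp"); then
        # Pass 2: extended attributes; -e hex lets binary values round-trip.
        (cd "$cm_src" && getfattr -R -d -m - -e hex .) >"$cm_tmp" &&
            (cd "$cm_dst" && setfattr --restore="$cm_tmp") && cm_rc=0
    fi
    rm -f "$cm_tmp"
    return "$cm_rc"
}

# Dump ACLs, ownership, mode and xattrs in sorted path order, so two trees
# compare equal regardless of the order the filesystem returns entries in.
dump_meta() {  # $1 = tree root
    (cd "$1" || exit 1
     find . ! -type l -print0 | sort -z | xargs -0 getfacl -n --
     find . ! -type l -print0 | sort -z | xargs -0 getfattr -d -m - -e hex --)
}

# Succeeds only when both trees carry identical metadata.
verify_meta() {  # $1 = source tree, $2 = destination tree
    [ "$(dump_meta "$1")" = "$(dump_meta "$2")" ]
}
```

Call `clone_meta /path/src /path/dst` and then `verify_meta /path/src /path/dst`; a non-zero status from either means the destination does not yet match the source.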
