[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

L.P.H. van Belle belle at bazuin.nl
Fri Sep 21 07:35:13 UTC 2018

Hai Rowland, 

> If you use 'ignore systemacls', then you must also ignore the 
> output of getfacl. This is because you are telling Samba to only use the ACLs
> found in the EA 'security.NTACL' for the share and these can be, and
> probably are, different from what getfacl shows.
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

So far i've seen, the output of getfacl is exact of what is set in secrutiy.NTACL. 
If that isnt the case then we have a problem in my opinion. 
And you could compair it with :  getfattr -n security.NTACL yourFile/folder 

And I would not ignore the getfacl even with the known limitation of the "SYSTEM" and some other BUILTIN\xxx..  Users/groups. 
As long we see these (missing) names/groups in numbers im fine with it. Linux is not windows. 

Imo, setting like this has only one problem, changing to much with CHMOD/CHOWN, 
that might kill the acls and you need to set it again FROM WINDOWS! 

This is why you set it, export the settings with getfacl ( if needed recusive ) handy to have that if you need to recover.
You set the acls in linux first en from windows again and the both match again. 
Just dont touch it after you've set it. 

Om totaly open for a better setup ;-) and if im wrong here please tell me, only with comments, we learn. 



More information about the samba mailing list