[Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Rowland Penny rpenny at samba.org
Fri Sep 21 08:11:21 UTC 2018

On Fri, 21 Sep 2018 09:35:13 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland, 
> So far i've seen, the output of getfacl is exact of what is set in
> secrutiy.NTACL. If that isnt the case then we have a problem in my
> opinion. And you could compair it with :  getfattr -n security.NTACL
> yourFile/folder 
> And I would not ignore the getfacl even with the known limitation of
> the "SYSTEM" and some other BUILTIN\xxx..  Users/groups. As long we
> see these (missing) names/groups in numbers im fine with it. Linux is
> not windows. 
> Imo, setting like this has only one problem, changing to much with
> CHMOD/CHOWN, that might kill the acls and you need to set it again
> This is why you set it, export the settings with getfacl ( if needed
> recusive ) handy to have that if you need to recover. You set the
> acls in linux first en from windows again and the both match again.
> Just dont touch it after you've set it. 
> Om totaly open for a better setup ;-) and if im wrong here please
> tell me, only with comments, we learn. 

Try reading 'man vfs_acl_xattr'

This plainly says that ACLs are stored in the EA 'security.NTACL'

It also says that when 'acl_xattr:ignore system acls' is set to
'yes',  it will not map to or from the POSIX Layer i.e. the Unix OS.

It also says the following settings will be enforced:

    create mask = 0666
    directory mask = 0777
    map archive = no
    map hidden = no
    map readonly = no
    map system = no
    store dos attributes = yes


More information about the samba mailing list