[Samba] mixing Windows ACL and POSIX ACL shares on one server?

Rowland penny rpenny at samba.org
Thu Nov 14 22:00:21 UTC 2019

On 14/11/2019 21:33, Matthias Leopold wrote:
> On 14.11.19 at 22:12, Rowland penny via samba wrote:
>> On 14/11/2019 20:45, Matthias Leopold via samba wrote:
>>> Hi,
>>> I posted a similar question in 2018 with no answers, so I'll try again:
>>> Is it possible to have shares with Windows ACLs and shares with 
>>> POSIX ACLs on the same server (security = user)? Since share 
>>> permissions are handled differently for both types of shares I'm not 
>>> sure if this will work. I know I could try it out myself, but the 
>>> question again just came to my mind and I think there will be a clear 
>>> answer by someone who knows.
>>> thank you
>>> Matthias
>> 'security = user' means an NT4-style PDC or a standalone server, so 
>> you might be able to make this work, but it would mean using the same 
>> usernames etc everywhere. To make the share use Windows ACLs, you 
>> would have to add 'vfs objects = acl_xattr' to the share config.
>> Whether this is a good idea, I am not sure, I mean, what is the use 
>> case? Why would you want to do this, you would probably be better 
>> off joining the machine to an AD domain and using Windows ACLs.
>> Rowland
> Thanks for the answer. The use case is an existing server with LDAP 
> backend (I described it already here), that started with POSIX ACL 
> shares. I discovered the possibilities of Windows ACLs on another LDAP 
> backed server and now want to further use Windows ACLs on the first 
> server without touching the old shares. This might not look pretty, 
> but this is the situation when you deal with "historically grown" 
> setups. Similar situation with LDAP vs AD, I'd like to have an AD, 
> management does not.
> Matthias

I know it is out of your hands but your management really needs to think 
again. There is ongoing work in Samba to remove the tests that rely on 
SMBv1 and you need SMBv1 for an NT4-style domain.

I am fairly sure you can get what you are proposing to work, but it will 
be a botch and Samba is littered with people using botches and they 
usually lead to trouble and cause further problems when they finally do 
upgrade, no matter what others might say ;-)
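
An added example, not part of the original thread or of Samba itself: a small audit that reads an smb.conf and reports which shares would use Windows ACLs (via `acl_xattr`) and which stay on POSIX ACLs. The share names and paths in the sample config are constructed, and the check assumes a share-level `vfs objects` line replaces the `[global]` one rather than extending it.

```python
import configparser

# Constructed smb.conf for illustration; share names and paths are hypothetical.
SAMPLE_SMB_CONF = """
[global]
security = user
# acl_xattr is deliberately NOT set here: a global 'vfs objects'
# would apply to every share that does not set its own.

[old_data]
path = /srv/samba/old_data
read only = no

[new_data]
path = /srv/samba/new_data
read only = no
vfs objects = acl_xattr
"""


def acl_model_per_share(conf_text):
    """Return {share: 'windows' | 'posix'} from the effective 'vfs objects'."""
    cp = configparser.RawConfigParser(
        strict=False, delimiters=("=",), comment_prefixes=("#", ";")
    )
    cp.read_string(conf_text)

    # Section names are matched case-insensitively, as smbd does.
    glob = next((s for s in cp.sections() if s.lower() == "global"), None)
    global_vfs = cp.get(glob, "vfs objects", fallback="") if glob else ""

    result = {}
    for share in cp.sections():
        if share == glob:
            continue
        # Assumption: a share-level 'vfs objects' overrides the global list
        # completely, so only fall back to [global] when the share sets none.
        vfs = cp.get(share, "vfs objects", fallback=global_vfs)
        modules = vfs.replace(",", " ").split()
        result[share] = "windows" if "acl_xattr" in modules else "posix"
    return result


if __name__ == "__main__":
    for share, model in acl_model_per_share(SAMPLE_SMB_CONF).items():
        print(f"{share}: {model} ACLs")
```

The script only inspects configuration; it does not check that the underlying filesystem supports the extended attributes `acl_xattr` stores its ACLs in.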

