[Samba] "ea support = yes" and "map acl inherit = yes"

Rowland penny rpenny at samba.org
Mon Oct 14 14:28:53 UTC 2019


On 14/10/2019 14:53, Matthias Leopold via samba wrote:
> Hi,
>
> I'm running Samba 4.8 servers with Windows ACL enabled shares 
> (following 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs). 
> This manual demands to set
>
> map acl inherit = yes
> store dos attributes = yes
>
> and requires extended attribute support from the share file system. So 
> far, so good. Now I shall upgrade to CentOS 7.7 which brings Samba 4.9 
> which changes "ea support" parameter default "yes". I don't know how 
> this relates to the above parameters.
Not much, it just means that you do not really need to have 'store dos 
attributes = yes' in smb.conf, but it will not harm anything if it is 
there.
>
> For "store dos attributes" man smb.conf says "This extended attribute 
> is explicitly hidden from smbd clients requesting an EA list". What 
> about "map acl inherit" and user.SAMBA_PAI? Is it safe to have "ea 
> support = yes" and and "map acl inherit = yes"? What are the benefits?

You still need 'map acl inherit' but do not need 'ea support = yes' and 
the Windows permissions are stored in an EA called 'security.NTACL'

You can read this with:

getfattr -n security.NTACL -d /path/to/share/directory

Rowland







More information about the samba mailing list