[Samba] Samba, ACLs and 'primary group'...

Rowland penny rpenny at samba.org
Wed Feb 5 15:48:04 UTC 2020

On 05/02/2020 15:35, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>>> And my Windows client works happily!
>> If you only had Unix clients, then you could stick with this way of doing
>> things, but you have Windows clients, so you need to work the Windows way
>> and make your Unix clients work the same way.
> No. In these years i've worked with 'POSIX ACLs', setting up scripts to
> 'cleanup/sanitize' POSIX ACLs so they behave correctly on windows.
> I prefere to have (rather) simpler ACLs, but be able to manage it (also)
> from UNIX, in a UNIX way.
Exactly, 'these years' refer to running as an nt4-style domain. You are 
now running in an AD domain.
> Anyway, it is not true that 'Windows ACLs' is the only way to make
> domain member works in respect to windows client (clearly, domain
> controller is another story...).

No, using a DC as a fileserver is just like using a Unix domain member 
with 'acl_xattr', you MUST use Windows ACLs on a DC and you MUST use 
acl_xattr on a Unix domain member if you have Windows clients, which 
means you MUST use Windows ACLs.

FYI: there are three ACLs in play here, the standard Unix permissions 
'ugo', extended permissions that getfacl displays and and an EA that 
holds the permissions set from Windows.


More information about the samba mailing list