[Samba] ACLs, groups and suid-bit?

Harald Hannelius harald+samba at arcada.fi
Tue Sep 8 14:45:23 UTC 2020

On Tue, 8 Sep 2020, Rowland penny via samba wrote:
> On 08/09/2020 14:43, Harald Hannelius wrote:
>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>> The 'new and improved way' is to make use of this:
>>> vfs objects = acl_xattr
>> This doesn't say much to me (reading the man-page of smb.conf). Does it 
>> mean to store ACLs in the extra attributes in the underlying filesystem?
> Yes, it works like this:
> There are the normal Unix 'ugo' permissions.
> Then there are permissions that can be set with setfacl; these are stored in 
> an ACL.
> Finally there are the permissions that are created from Windows, which are 
> stored in extended attributes.


>>> You set the permissions from Windows, try reading this:
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> If I don't have a Windows computer, can I use setfacl or chmod?
> You could try setfacl

Good, until now I haven't even used ACLs on that filesystem. setgid and chmod 
have been enough until now.

>> Can I just stop using ACLs and go back to the old way of reading the 
>> permissions from the unix permissions? Users don't know how to, don't have 
>> the interest to, or don't want to do this themselves. Nor do I want to 
>> manage the ACLs at all, most certainly not through a GUI (on Windows).
> No, you are running an AD domain now.

As per my other reply that (sadly) forked this thread, 'nt acl support = No' 
and 'inherit permissions = Yes' did exactly what I wanted.

I couldn't understand why files created in a directory with group 'it' and 
setgid set didn't get to be owned by the group 'it' but rather by the group 

>> I have to test 'inherit permissions (S)' as well.
>> What I want is for new files in the directory to have the same (unix) group 
>> ownership as the directory has. And that they have write permission for 
>> that unix-group.
> OK, stop using your group, (which raises a question: you have (unix) above, 
> does this mean a group in /etc/group or a group in AD with a gidNumber 
> attribute ?), use Domain Users instead, all yours are members of Domain 
> Users.

By unix-group I actually meant the group on the filesystem (gidNumber). This 
resolves through winbind to an AD-group.

But now I have directories each with their own group, and with the 
setgid- and write-bit set. And directories created under this get the 
same group ownership as the parent dir, the group write- and setgid bit, 
and files created get the group ownership of the parent dir and the group 
write bit set.

I think it's best for this implementation to not use ACLs.


Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
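The behaviour Harald settles on has two halves. New files and directories taking the parent directory's group is ordinary kernel setgid-directory semantics and needs nothing from Samba; new files getting the group write bit is what Samba's 'inherit permissions = yes' adds for files created through the share. The script below is an added example, not taken from the thread or from the Samba project. It builds a directory with mode 2775 (group write plus setgid, as in the thread), creates a subdirectory and a file inside it under umask 022 as a local user would, and reports which bits the kernel alone inherited. The share definition in the header comment uses only the options named in the thread; the path and share name are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread or from Samba. It shows what the
# kernel's setgid-directory semantics provide on their own, and what is
# left for Samba's 'inherit permissions = yes' to add on top of them.
#
# The share definition this models (options as named in the thread):
#
#   [it]
#       path = /srv/samba/it           ; placeholder path, not from the thread
#       read only = no
#       nt acl support = no
#       inherit permissions = yes
#
# The directory itself carries the group, the group write bit and the
# setgid bit:  chgrp it /srv/samba/it && chmod 2775 /srv/samba/it

# Group name of a path, taken from field 4 of 'ls -ld'.
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Ten-character mode string of a path, e.g. drwxrwsr-x (a trailing '+' or
# '.' that ls prints for ACLs or SELinux labels is cut off).
mode_of() {
    ls -ld "$1" | awk '{print $1}' | cut -c1-10
}

# Build the tree: a share directory with mode 2775, then a subdirectory
# and an empty file created inside it under a restrictive umask (022),
# the way a local 'mkdir' or 'touch' would create them.
build_setgid_tree() {
    base="$1"
    mkdir -p "$base/share"
    chmod 2775 "$base/share"
    # If the caller belongs to a secondary group, hand the share to it so
    # the group inheritance is visible; otherwise the primary group is used.
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ] && chgrp "$g" "$base/share" 2>/dev/null; then
            break
        fi
    done
    (umask 022; mkdir "$base/share/sub"; : > "$base/share/file")
}

# Kernel semantics: new entries in a setgid directory take its group.
check_group_inherited() {
    parent=$(group_of "$1/share")
    [ "$(group_of "$1/share/sub")" = "$parent" ] &&
    [ "$(group_of "$1/share/file")" = "$parent" ]
}

# Kernel semantics: a new subdirectory also inherits the setgid bit
# ('s' in the group-execute slot, position 7 of the mode string).
check_setgid_propagated() {
    case "$(mode_of "$1/share/sub")" in
        d?????s*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Not kernel semantics: the group write bit of a new file is decided by
# the creator's umask, so under 022 the file comes out as -rw-r--r--.
# For files created through the share, Samba's 'inherit permissions = yes'
# copies the parent's read/write bits instead, which is the behaviour
# described in the thread.
check_group_write_missing() {
    case "$(mode_of "$1/share/file")" in
        ?????-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run the demonstration in a scratch directory and print the findings.
demo() {
    tmp=$(mktemp -d)
    build_setgid_tree "$tmp"
    printf 'share: %s %s\n' "$(mode_of "$tmp/share")" "$(group_of "$tmp/share")"
    printf 'sub:   %s %s\n' "$(mode_of "$tmp/share/sub")" "$(group_of "$tmp/share/sub")"
    printf 'file:  %s %s\n' "$(mode_of "$tmp/share/file")" "$(group_of "$tmp/share/file")"
    check_group_inherited "$tmp"     && echo "group inherited by kernel: yes"
    check_setgid_propagated "$tmp"   && echo "setgid propagated to subdir: yes"
    check_group_write_missing "$tmp" && echo "group write on file without Samba: no"
    rm -rf "$tmp"
}

demo
```

Run it as any user; no root is needed, and the chgrp step is skipped silently when there is no secondary group to hand the directory to. Per the smb.conf manual, 'inherit permissions = yes' gives new directories the parent's mode (setgid included) and new files the parent's read/write bits, and the setuid bit is never inherited; together with 'nt acl support = no' this keeps access governed by the unix mode bits rather than by Windows ACLs, which is the outcome the thread arrives at.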
