[Samba] Is "acl_xattr:ignore system acl = yes" recommended?

miguel medalha medalist at sapo.pt
Tue Jul 27 07:04:53 UTC 2021

> It appears that it doesn't ignore the system acls, it sets them !

It sets them to "access to everyone" at the system level. This overall access is then filtered by the vfs_acl_xattr module to give the correct access to Windows users and groups. This enables a complete coverage of Windows permissions and speeds access because POSIX ACLs don’t need to be written or verified.

Please don't discard the whole principle in block. I think it makes sense, although maybe it is not implemented in the best way (those 666/777). 

Does Samba have root access? If so, wouldn't it be possible, when using "acl_xattr:ignore_system_acls = yes", to set permissions to root:root and 600/700 instead of 666/777 and let Samba access the file and allow/deny access to it based on what is set in the "security.NTACL" extended attribute?

More information about the samba mailing list