[Samba] POSIX vs. Windows ACLs

Patrick Goetz pgoetz at math.utexas.edu
Wed Nov 3 19:53:52 UTC 2021

Hi Marco -

On 11/3/21 11:37, Marco Gaiarin via samba wrote:
> Mandi! Patrick Goetz via samba
>    In chel di` si favelave...
> I'm using POSIX ACL, and as Jeremy say, permission works; i've only code
> some script to 'sanitize' permissione to prevent bed behaviour (eg, in 'ugo'
> permsision 'g' is also the default mask for applying ACL, so you have to
> set explicitly the mask or set 'g' to '7').
> Only a note:
>> Currently the linux systems access files through NFS mounts, so no hope
> But consider also that NFSv3 have a limited amount of POSIX ACL that can
> manage (the protocol have a limited 'room' for ACL, so if you set very
> complex ACL on some object, you could have 'truncated' ACL n nfs mounted
> share).
> You can switch to NFSv4, but ACL are different things (rather still
> supported by samba).

I only use NFSv4, but pretty extensively use POSIX ACLs in NFS-mounted 
filesystems.  This has worked remarkably well.  I can, for example, do

    setfacl -d -m g:smith-lab-users:rX cryoimages
    setfacl -R -m g:smith-lab-users:rX cryoimages

on the NFS server, where smith-lab-users is an AD Security Group, then 
NFS mount cryoimages to another AD-bound linux workstation, and 
permissions work exactly as expected.

Once I realized that I can use AD Security Groups just like any other 
linux group (even better, because they're automatically shared with 
every domain member), this made my security admin much simpler.

> Currently i'm using CIFS also in UNIX...

More information about the samba mailing list