[Samba] permissions, and maybe a violation of the least surprise principle

Achim Gottinger achim at ag-web.biz
Wed Nov 10 10:41:31 UTC 2021

On 10.11.2021 at 10:56, Patrick Goetz via samba wrote:
> On 11/9/21 09:14, Achim Gottinger via samba wrote:
>> For sysvol replication I use rsync with rsyncd (no scp involved) on ext4 without problems for a few years now. Also works with zfs in the mix.
> This is a use case I'm particularly interested in, so curious about the specifics. You're saying you can rsync (with the appropriate flags) files from an XFS/ext4 filesystem to ZFS and the POSIX
> ACLs are preserved? I need to test this.
ZFS on Linux has supported POSIX ACLs for a while.


For the ZFS volume these settings are recommended:

zfs set xattr=sa pool/volume
zfs set acltype=posixacl pool/volume

You may want to look into aclinherit and aclmode as well: https://linux.die.net/man/8/zfs. It may be that you also need aclinherit=passthrough.

For replication I use this line. Rsyncd is not a requirement for -XA to work, tested it yesterday.

rsync -XAavz --delete-after --password-file=/etc/samba/rsync-sysvol.secret rsync://sysvol-replication@dc1/SysVol/ /var/lib/samba/sysvol/

Comparing xattrs for files transferred this way with the command below shows they are identical. Same with ACLs using getfacl, but my ACLs are not that complex and I use a copied idmap.ldb from dc1 on dc2
so that builtin/well-known SIDs get the same UIDs and GIDs on Linux.

getfattr -n security.NTACL filename

The manpage for vfs_acl_xattr is worth reading.
I'm moving towards "acl_xattr:ignore system acls = yes" here because all my shares are accessible via Samba only. It is simpler to maintain. I do not know if there is a command line tool to
manage permissions with xattrs on Linux.
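
The xattr comparison described in the message above, extended from one file to a whole tree, as an added example that is not part of the original post: it parses two dumps taken with `getfattr -R -e hex -n security.NTACL` on each DC and lists paths whose value differs or is present on one side only. The function names and the sample dumps are constructed for illustration.

```python
def parse_getfattr_dump(text, attr="security.NTACL"):
    """Map each path in `getfattr -e hex -n <attr>` output to its hex value."""
    values, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
        elif path is not None and line.startswith(attr + "="):
            values[path] = line.split("=", 1)[1].strip().lower()
    return values


def compare_dumps(source_text, replica_text, attr="security.NTACL"):
    """Report paths whose attribute is absent on one side or differs."""
    src = parse_getfattr_dump(source_text, attr)
    dst = parse_getfattr_dump(replica_text, attr)
    return {
        "only_in_source": sorted(src.keys() - dst.keys()),
        "only_in_replica": sorted(dst.keys() - src.keys()),
        "mismatch": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
    }


# Constructed sample dumps (not real NTACL blobs), shaped like the output of
# getfattr -R -e hex -n security.NTACL run inside the sysvol directory.
DC1_DUMP = """\
# file: example.test/Policies/POLICY-A/GPT.INI
security.NTACL=0x0400aa01

# file: example.test/Policies/POLICY-A/Machine
security.NTACL=0x0400bb02

# file: example.test/scripts/logon.cmd
security.NTACL=0x0400cc03
"""

DC2_DUMP = """\
# file: example.test/Policies/POLICY-A/GPT.INI
security.NTACL=0x0400aa01

# file: example.test/Policies/POLICY-A/Machine
security.NTACL=0x0400bbff
"""

if __name__ == "__main__":
    for kind, paths in compare_dumps(DC1_DUMP, DC2_DUMP).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Files that carry no security.NTACL at all produce no entry in the dump, so they show up under only_in_source or only_in_replica rather than as a mismatch.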

