[Samba] icacls 'DENY' and Unix user execute bit

Ken Bass kbass at kenbass.com
Sun Nov 21 17:32:13 UTC 2021

On 11/20/21 4:25 AM, Rowland Penny via samba wrote:
> On Fri, 2021-11-19 at 19:00 -0500, Ken Bass via samba wrote:
>> Hi Rowland,
>> On the SERVER side:
>> -rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt
> Yes, you are using ACL's, note the '+' at the end of the Unix
> permissions.
> What does 'getfacl test.txt' produce ?
>> On the CLIENT side, where this share is mounted via cifs in
>> /etc/fstab
>> -rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt
> However, the cifs mounted share doesn't seem to be using ACL's

Looking further... I see via /proc/mounts that mount.cifs inserts 
'nounix' into the mount options.

According to the manpage:

    Disable the Unix Extensions for this mount. This can be useful in
    order to turn off multiple settings at once. This includes POSIX
    acls, POSIX locks, POSIX paths, symlink support and retrieving
    uids/gids/mode from the server. This can also be useful to work
    around a bug in a server that supports Unix Extensions.

So does this explain why there are no ACLs showing up on the client side 
(no + sign in the ls -la)? And trying to enable it... 'VFS: Server does 
not support mounting with posix SMB3.11 extensions'

Other than using SMB1, how are these ACL's showing up correctly for 
other people?

(I am using Version 4.13.14-Ubuntu everywhere - clients, servers, and AD)
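
The check described in the message above, as an added example that is not part of the original post or of Samba's own code: it reads lines in /proc/mounts format and reports which cifs mounts carry 'nounix', matching the option as an exact token. The host names, share names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag CIFS mounts whose options contain 'nounix'.
# Reads lines in /proc/mounts format on stdin:
#   device mountpoint fstype options dump pass
# Prints one line per cifs/smb3 mount: "<mountpoint> vers=<vers> <state>"
# Spaces in mount points appear as \040 in /proc/mounts and are printed as-is.
cifs_unix_ext_report() {
    awk '
    $3 == "cifs" || $3 == "smb3" {
        vers = "unknown"; state = "nounix-not-set"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            # Exact-token match so a value such as username=nounix is not a hit.
            if (opt[i] == "nounix") state = "nounix"
            else if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
        }
        print $2, "vers=" vers, state
    }'
}

# Constructed sample input (not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
//fs1.example.test/testshare /mnt/testshare cifs rw,relatime,vers=3.1.1,username=user,uid=1000,gid=100,file_mode=0755,dir_mode=0755,soft,nounix,serverino 0 0
//fs2.example.test/legacy /mnt/legacy cifs rw,relatime,vers=1.0,username=nounix,uid=1000,gid=100,soft,unix,serverino 0 0
EOF
}

# On a live system: cifs_unix_ext_report < /proc/mounts
sample_mounts | cifs_unix_ext_report
```

A mount reported as 'nounix' is one where, per the manpage text quoted above, POSIX ACLs and uids/gids/mode are not retrieved from the server, so the client-side listing is not a reliable view of the server-side permissions.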
