[Samba] icacls 'DENY' and Unix user execute bit

Rowland Penny rpenny at samba.org
Sun Nov 21 18:51:20 UTC 2021

On Sun, 2021-11-21 at 12:32 -0500, Ken Bass via samba wrote:
> On 11/20/21 4:25 AM, Rowland Penny via samba wrote:
> > On Fri, 2021-11-19 at 19:00 -0500, Ken Bass via samba wrote:
> > > Hi Rowland,
> > > 
> > > On the SERVER side:
> > > 
> > > -rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt
> > Yes, you are using ACL's, note the '+' at the end of the Unix
> > permissions.
> > 
> > What does 'getfacl test.txt' produce ?
> > 
> > > On the CLIENT side, where this share is mounted via cifs in
> > > /etc/fstab
> > > 
> > > -rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt
> > However, the cifs mounted share doesn't seem to be using
> > ACL's
> Looking further... I see via /proc/mounts that mount.cifs inserts 
> 'nounix' into the mount options.
> According to manpage
> noposix|nounix|nolinux
>                Disable the Unix Extensions for this mount. This can be
>                useful in order to turn off multiple settings at once.
>                This includes POSIX acls, POSIX locks, POSIX paths,
>                symlink support and retrieving uids/gids/mode from the
>                server. This can also be useful to work around a bug in
>                a server that supports Unix Extensions.
> So does this explain why there are no ACLs showing up on the client
> side (no + sign in the ls -la)? And trying to enable it... 'VFS: Server
> does not support mounting with posix SMB3.11 extensions'
> Other than using SMB1, how are these ACL's showing up correctly for 
> other people?
> (I am using Version 4.13.14-Ubuntu everywhere - clients, servers, and
> AD)

'unix extensions' only work with SMBv1, so unless you have set 'server
min protocol = NT1' in smb.conf on the server, you will not be using them.
There is ongoing work to enable SMBv3 unix extensions, but they are
nowhere near complete, so I have no idea what that error message is

If you use acl_xattr, Samba stores permissions in three places:
The standard Unix 'ugo'
An acl that getfacl shows
An extended attribute

For a file in a share, 'ls -la' will show this:

rowland@devstation:~/tests$ ls -la /srv/share/test.txt 
-rwxrwxr-x+ 1 rowland domain users 0 Nov 21 18:09 /srv/share/test.txt

getfacl will show this:

rowland@devstation:~/tests$ getfacl /srv/share/test.txt 
getfacl: Removing leading '/' from absolute path names
# file: srv/share/test.txt
# owner: rowland
# group: domain\040users

Using 'samba-tool ntacl' will show this:

rowland@devstation:~/tests$ sudo samba-tool ntacl get /srv/share/test.txt --as-sddl
[sudo] password for rowland: 

If you set the permissions from Windows, Samba will set the ACL's based
on the ACE's.

If you are mounting a share using mount.cifs, then you are not using
Samba. If the mount is changing the permissions, you need to read 'man
mount.cifs'. If another program is changing the permissions, then you
need to ask that program's developers, just why it does this.
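
The check discussed in this thread (looking in /proc/mounts for 'nounix' and at the '+' in the 'ls -la' mode string), as an added example that is not part of the original message. The function names `cifs_unix_report` and `has_acl_marker` are hypothetical, and the sample mount lines are constructed.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (servers, paths and options are made up).
SAMPLE_MOUNTS='//fs1/testshare /mnt/testshare cifs rw,relatime,vers=3.1.1,cache=strict,username=user,uid=1000,gid=100,nounix,serverino,mapposix 0 0
//old/legacy /mnt/legacy cifs rw,relatime,vers=1.0,cache=strict,username=user,unix,posixpaths,serverino 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# cifs_unix_report: read /proc/mounts-style text on stdin and print one line
# per cifs mount:  <mountpoint> vers=<dialect> unix_extensions=<on|off|unknown>
cifs_unix_report() {
    awk '$3 == "cifs" {
        n = split($4, opt, ",")
        vers = "unknown"; ext = "unknown"
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^vers=/)
                vers = substr(opt[i], 6)
            else if (opt[i] == "nounix" || opt[i] == "noposix" || opt[i] == "nolinux")
                ext = "off"   # client will not fetch uids/gids/mode or POSIX ACLs
            else if (opt[i] == "unix" || opt[i] == "posix" || opt[i] == "linux")
                ext = "on"
        }
        printf "%s vers=%s unix_extensions=%s\n", $2, vers, ext
    }'
}

# has_acl_marker: succeed if an "ls -l" mode string carries the trailing '+'
# that indicates an ACL beyond the plain user/group/other bits.
has_acl_marker() {
    case "$1" in
        ??????????+*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Demo on the constructed sample; on a real client use: cifs_unix_report < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | cifs_unix_report
for mode in '-rwxrwx---+' '-rwxrw----'; do
    if has_acl_marker "$mode"; then echo "$mode: ACL present"; else echo "$mode: no ACL shown"; fi
done
```
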

