[Samba] acl_xattr

Rowland Penny rpenny at samba.org
Fri Dec 16 16:23:55 UTC 2022

On 16/12/2022 15:53, Piviul via samba wrote:
> On 12/16/22 14:18, Rowland Penny via samba wrote:
>> On 16/12/2022 13:01, Piviul via samba wrote:
>>> I need to share a folder in a way that some groups' members have write 
>>> permissions to the share and some other groups' members can only read 
>>> files on the share, the other members can't access it at all.
>>> I don't care about ACLs, all files/directories in the share should have 
>>> the same access.  Do you think that disabling ACLs in such a way
>>> vfs objects = acl_xattr
>>> acl_xattr:ignore system acls = yes
>>> valid users = <read groups list>,<write group list>
>>> read list   = <read groups list>
>>> write list  = <write group list>
>>> force group = staff
>>> create mask = 0664
>>> force create mode = 0664
>>> directory mask = 0775
>>> force directory mode = 2775
>>> would be a good idea?
>> Well, NO
>> You only need the 'vfs objects' line in '[global]' and the path and 
>> 'read only = no' in the share, you then set the permissions from Windows.
>> If you do add 'acl_xattr:ignore system acls = yes', it does what it 
>> says, Samba will ignore the system ACLs.
>> I suggest you read 'man vfs_acl_xattr' and this wiki page:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> If you want to set up Samba as you suggest, only do it on a Unix 
>> domain member and do not set 'vfs objects = acl_xattr'.
> There is no way, I can't ignore Windows ACLs, I have to use them... OK, 
> I'll try to use them.
> Piviul

If you use vfs_acl_xattr, then the permissions are set in three places:

The standard 'ugo' permissions
An EA that holds the extended permissions that 'getfacl' shows
Another EA that holds the Windows ACLs, these are composed of ACEs.

If you use 'acl_xattr:ignore system acls = yes', the first one is ignored.
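
Added example, not part of the original message and not Samba's own code: a small Python audit that shows, for each path on a share, the three storage locations listed above. It assumes Linux, where the 'getfacl' EA is system.posix_acl_access and vfs_acl_xattr stores the Windows ACL in security.NTACL; the function names are made up for this example.

```python
import errno
import os
import stat
import sys

# Assumed Linux xattr names: POSIX ACLs (what getfacl shows) live in
# system.posix_acl_access; vfs_acl_xattr keeps the NT ACL in security.NTACL.
POSIX_ACL_XATTR = "system.posix_acl_access"
NT_ACL_XATTR = "security.NTACL"


def read_xattr(path, name):
    """Return the raw xattr bytes, or None when the attribute is not set."""
    try:
        return os.getxattr(path, name)
    except OSError as exc:
        # ENODATA: attribute absent; ENOTSUP: filesystem has no xattr support.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise  # anything else (for example EACCES) is surfaced to the caller


def permission_layers(path, getx=read_xattr):
    """Describe the three places permissions are stored for one path."""
    nt_acl = getx(path, NT_ACL_XATTR)
    return {
        "ugo": stat.filemode(os.stat(path).st_mode),   # standard mode bits
        "posix_acl": getx(path, POSIX_ACL_XATTR) is not None,  # getfacl EA
        "nt_acl_bytes": len(nt_acl) if nt_acl else 0,  # Windows ACL EA
    }


def paths_without_nt_acl(root, getx=read_xattr):
    """Walk a share and list entries that carry no stored Windows ACL."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if permission_layers(path, getx)["nt_acl_bytes"] == 0:
                missing.append(path)
    return sorted(missing)


if __name__ == "__main__":
    # Usage: python3 layers.py /path/to/share
    for entry in sys.argv[1:]:
        print(entry, permission_layers(entry))
        for p in paths_without_nt_acl(entry):
            print("  no stored NT ACL:", p)
```

The security.NTACL value is an opaque binary blob, so the script only reports its size; 'samba-tool ntacl get' decodes it.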

