[Samba] 4.15 windows ACL share. Not taking?

Rowland Penny rpenny at samba.org
Mon Feb 28 19:26:27 UTC 2022

On Mon, 2022-02-28 at 19:08 +0000, Manu Baylac via samba wrote:
> 	Hello Rowland,
> I did more tests, and :
> If I put acl_xattr:ignore system acls = yes in my share, it "fails",
> the
> "+" isn't here and my Windows ACL not applied.

Your Windows ACL is being applied, just not where you think it is. If
you read the line, it tells you what it will do, it will ignore the
system acls.

Samba will potentially store permissions in three places:

The normal Unix acl (ugo)
An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
the '+' comes from)
Windows ACLs stored in an Extended attribute (aka EA)

If you do not set 'acl_xattr:ignore system acls = yes' a best effort
will be done to map the windows ACLs to the Unix acls, this where ugo
and setfacl come in. If you do set it, the mapping will not be done.
> But if I comment this line and then my share is only :
> [TEST]
> #       acl_xattr:ignore system acl = yes

That is not a valid line, so it will not be used, even if you uncomment

>          path = /srv/samba/TEST/
>          read only = no
> Then all works fine, the "+" is back and I can config ACL with total
> success.

Yes, but why are you adding that line (even if it is wrong) if want to
use setfacl ?


More information about the samba mailing list