[Samba] SMB Windows ACL functionality

Bailey Allison ballison at 45drives.com
Tue Jul 12 01:58:20 UTC 2022

Good evening,


I am currently trying to setup an SMB share using Windows ACLs for
permissions per the article:


However I am running into a bit of confusion when it comes to actually
setting the share permissions on the root of the share.


Per the guide I have the following options set within samba:


map acl inherit = Yes

vfs objects = acl_xattr

acl_xattr:ignore system acls = yes


In addition, I have granted the "DOMAIN\Domain Admins" group the


In addition, I have changed the permissions on the shared directory to:


chmod 0770 /mnt/smb

chown root:"DOMAIN\Domain Admins" /mnt/smb


When attempting to set permissions through Windows, I am noticing that there
is listed as users: root, Domain Admins, and SYSTEM, which is to be
expected. I believe the issue is coming from as root as well as SYSTEM is
listed as having full control, however Domain Admins is only listed as
having read, write, execute. 


If I am to remove the "acl_xattr:ignore system acls = yes" value, the list
of users in Windows then adds CREATOR OWNER and CREATOR GROUP, as well as
changes the "DOMAIN\Domain Admins" group to have full control instead which
then allows modification of ACLs through Windows, however this goes against
what it listed within the documentation.


Additionally, if I leave the acl_xattr:ignore system acls = yes value and
then assign either my own user account "DOMAIN\bailey" (which is part of
domain admins) as the owner group, it does get set with full control and has
the ability to modify ACLs through Windows.


Curious as to why when adding the acl_xattr:ignore system acls = yes value
causes the groups assigned to the owner group of the samba share/directory
to go from full control to read write execute within Windows, would
appreciate any insight.


If I am to make a folder within the share, I am able to modify permissions
fine on that too, it just seems to be the root of the share itself which
doesn't allow for any permission assignment due to the group with
SeDiskOperatorPrivilege only displaying read write execute access despite
being given 0770 permissions on the directory.


Samba versions are 4.13.17 on Ubuntu 20.04LTS, as well as 4.15.5 on Rocky


More information about the samba mailing list