[Samba] SMB Windows ACL functionality

Rowland Penny rpenny at samba.org
Tue Jul 12 15:21:52 UTC 2022

On Tue, 2022-07-12 at 17:08 +0200, Ralph Boehme wrote:
> On 7/12/22 16:43, Rowland Penny via samba wrote:
> > it also looks like you should set 'acl_xattr:ignore system acls =
> > yes'
> > on the shares if setting permissions from Windows, but only if you
> > also
> > set a user.map and never change the permissions as Administrator.
> please be extra careful there,  as this very much sounds more like
> bugs 
> then expected behaviour...
> Thanks!
> -slow

It could well be bugs, but this is what is happening. You get different
output from samba-tool if you set 'acl_xattr:ignore system acls = yes'
on one share but not another and map Administrator to root with a
user.map and change the permissions as DOMAIN\Administrator on WIN10.
Doing the changes as an admin user gives the same output.

The opposite happens if you do not map Administrator to root,
Administrator cannot change anything, but an admin user can, but you
get different output from samba-tool.

As you know, someone wants to stop mapping Administrator to root, can
you now see why I am against this.


More information about the samba mailing list