[Samba] 4.15 windows ACL share. Not taking?

Manu Baylac manu at pinguino.eus
Wed Mar 2 09:39:17 UTC 2022

	Hello Rowland,

	Thanks for your reply.

Le 28/02/2022 à 20:26, Rowland Penny via samba a écrit :

> Your Windows ACL is being applied, just not where you think it is. If
> you read the line, it tells you what it will do, it will ignore the
> system acls.
> Samba will potentially store permissions in three places:
> The normal Unix acl (ugo)
> An extended ACL set by 'setfacl' and shown by 'getfacl' (this is where
> the '+' comes from)
> Windows ACLs stored in an Extended attribute (aka EA)
> If you do not set 'acl_xattr:ignore system acls = yes' a best effort
> will be done to map the windows ACLs to the Unix acls, this where ugo
> and setfacl come in. If you do set it, the mapping will not be done.

Yes I read the man page, but it isn't clear for me, see below.

>> But if I comment this line and then my share is only :
>> [TEST]
>> #       acl_xattr:ignore system acl = yes
> That is not a valid line, so it will not be used, even if you uncomment
> it.
Sorry, typo, yes i have set "acls"

> Yes, but why are you adding that line (even if it is wrong) if want to
> use setfacl ?

I don't want to use setfacl, I want to use Windows ACL and configure
them from a Windows computer.
But when I read the wiki page, it says
"Samba stores the file system permissions in extended file system access
control lists (ACL) and in an extended attribute" so I thought I would
expect a "+" on the share.

I read again the wiki page but it isn't clear for me.

I did more test, and like John said in its second mail, if I just put :
         # acl_xattr:ignore system acls = yes
         path = /srv/samba/TEST/
         read only = no

All works fine.

If i uncomment the normally expected qcl_xattr line, the it fails, a
user who have permissions can't even browse the share.

Well, I'm lost :-(


More information about the samba mailing list