[Samba] 4.15 windows ACL share. Not taking?

Patrick Goetz pgoetz at math.utexas.edu
Wed Mar 2 17:00:03 UTC 2022

On 3/2/22 03:39, Manu Baylac via samba wrote:
> I don't want to use setfacl, I want to use Windows ACL and configure
> them from a Windows computer.
> But when I read the wiki page, it says
> "Samba stores the file system permissions in extended file system access
> control lists (ACL) and in an extended attribute" so I thought I would
> expect a "+" on the share.

If you're talking about "+"'s, then this means you're looking at the 
files on a Linux system.  Linux doesn't understand Windows ACLs and 
won't comment on them; i.e. you won't see a "+". You will only see the 
"+" if you're using POSIX ACLs.

A second point is that attributes and ACLs are not the same thing. I'm 
not entirely sure how these things are stored, and it probably depends 
on the underlying filesystem (just learned that ZFS affords multiple 
options for how attributes are stored, for example), but you use 
different commands to set them.  For example, to make a file read-only, 
even for the root user:

    chattr +i MY_IMPORTANT_FILE

will make a file immutable -- that's an attribute.

    setfacl -m g:MY_GROUP:r  MY_OTHER_FILE

gives the group MY_GROUP read access to MY_OTHER_FILE -- that's a POSIX ACL.

I completely agree that this is all insanely confusing when you throw 
Windows permissions into the mix and it would be super helpful (HINT! 
HINT!) if the algorithm used to determine these mappings were documented 
publicly so we can puzzle through the strange things that can happen.

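Added example (not part of the original message, and not Samba code): a Python sketch that decodes a regular file's `system.posix_acl_access` extended attribute to tell whether `ls -l` would show a "+", and separately checks for an NT ACL extended attribute. The xattr name `security.NTACL` (the default used by Samba's vfs_acl_xattr module) and the sample gid 1001 are assumptions not taken from the thread.

```python
import os
import struct

# Tag values in the Linux system.posix_acl_access xattr (version 2 layout).
TAG_NAMES = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
             0x08: "group", 0x10: "mask", 0x20: "other"}
BASE = {"user_obj", "group_obj", "other"}   # carry no more than the mode bits
NTACL_XATTR = "security.NTACL"  # assumption: default name used by vfs_acl_xattr
UNDEF = 0xFFFFFFFF              # id field for entries that carry no uid/gid

# Constructed sample: what `setfacl -m g:1001:r` leaves on a 0644 file.
SAMPLE_POSIX = struct.pack("<I", 2) + b"".join(
    struct.pack("<HHI", tag, perm, qid) for tag, perm, qid in
    [(0x01, 6, UNDEF), (0x04, 4, UNDEF), (0x08, 4, 1001),
     (0x10, 4, UNDEF), (0x20, 4, UNDEF)])


def parse_posix_acl(blob):
    """Decode a system.posix_acl_access value into (tag, perms, id) tuples."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 2 or (len(blob) - 4) % 8:
        raise ValueError("not a version 2 POSIX ACL xattr")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, qid = struct.unpack_from("<HHI", blob, off)
        entries.append((TAG_NAMES.get(tag, hex(tag)), perm, qid))
    return entries


def describe(xattrs):
    """xattrs: dict of xattr name -> bytes for one file."""
    acl = xattrs.get("system.posix_acl_access")
    entries = parse_posix_acl(acl) if acl else []
    return {"ls_plus": any(name not in BASE for name, _, _ in entries),
            "posix_entries": entries,
            "nt_acl_xattr": NTACL_XATTR in xattrs}


def read_xattrs(path):
    """Collect xattrs from a real file (Linux only; may need root)."""
    out = {}
    for name in os.listxattr(path):
        try:
            out[name] = os.getxattr(path, name)
        except OSError:
            out[name] = b""   # listed but not readable by this user
    return out
```

On a live share, `describe(read_xattrs(path))` gives the same report for a real file.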