[Samba] 4.15 windows ACL share. Not taking?

Patrick Goetz pgoetz at math.utexas.edu
Wed Mar 2 17:12:30 UTC 2022

On 3/2/22 10:48, spindles seven via samba wrote:
> I am now even more confused than before! The wiki page for setting up the share using Windows ACLs specifically suggests that the 'acl_xattr:ignore system acls = Yes' be added to smb.conf. And even with that line in smb.conf for the share, I do get the + at the end of permissions. All is working fine with my system. So if the + is missing when this line is in smb.conf, does this suggest that the Windows ACLs are not being saved?

This is something generally confusing about network filesystems that one 
of the NFS developers finally straightened me out on:

Think of it like this: your brother has 2 cookies. You want one of them, 
so you ask your mother "can I have one of Bob's cookies?"  Even if your 
mom says yes, your attainment of the cookie is dependent on Bob's 
cooperation; i.e. if Bob doesn't want to give you the cookie, you're not 
getting the cookie.

Same is true of network filesystems.  If the UNIX permissions on a file are

    drwxr-xr-x 2 root root

only the root user can write to that file. Your Windows desktop user can 
try and write to the file all day long with full permission from Windows 
ACLs (mom), but Linux (Bob), the owner of the file, is going to say no 
every time. This is precisely why Samba rewrites the Linux permissions 
(using POSIX ACLs, because that's currently the closest match to the 
granularity of Windows permissions).  Think of this as mom (now Samba is 
the mom) dropping the hammer on Bob and telling him "put one of those 
cookies on the counter for Roy or else!"

At least this is how NFS works, and I'm assuming that Samba works the 
same way, since anything else would be a security hole the size of Texas.
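
An added example (not part of this thread and not Samba's own code) for checking both layers discussed above on a share path: whether a POSIX ACL is present (the `+` that `ls -l` shows), whether the Windows ACL is stored in the `security.NTACL` extended attribute used by `acl_xattr`, and whether the plain mode bits would let a given user write. The function names are hypothetical, and the write check covers mode bits only; it does not evaluate POSIX ACL entries.

```python
import os
import stat
import sys

# ls -l prints "+" when either of these extended attributes exists on the file.
POSIX_ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}
# Extended attribute in which vfs_acl_xattr stores the Windows security descriptor.
NTACL_XATTR = "security.NTACL"


def mode_bits_allow_write(mode, owner_uid, owner_gid, uid, gids):
    """Kernel-style write check on plain mode bits (POSIX ACL entries not evaluated)."""
    if uid == 0:
        return True  # root bypasses the permission bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)  # owner class wins even if group is wider
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def summarize(mode, owner_uid, owner_gid, xattr_names, uid, gids):
    """Report where ACL data lives and what the mode bits allow for uid/gids."""
    names = set(xattr_names)
    has_posix_acl = bool(names & POSIX_ACL_XATTRS)
    return {
        "ls_mode": stat.filemode(mode) + ("+" if has_posix_acl else ""),
        "posix_acl_present": has_posix_acl,
        "ntacl_xattr_present": NTACL_XATTR in names,
        "mode_bits_allow_write": mode_bits_allow_write(
            mode, owner_uid, owner_gid, uid, gids),
    }


def diagnose(path, uid, gids):
    """Collect mode, owner and xattr names from a real path and summarize them."""
    st = os.lstat(path)
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except (OSError, AttributeError):
        names = []  # no xattr support on this filesystem or platform
    return summarize(st.st_mode, st.st_uid, st.st_gid, names, uid, gids)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, diagnose(p, os.getuid(), os.getgroups()))
```

Run it on the Samba server against files in the share; seeing `security.NTACL` may require root. A missing `+` together with `ntacl_xattr_present: True` means the Windows ACL is stored in the xattr without a POSIX ACL on the file.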
