[Samba] Remove all Windows ACL's from files/folders

Patrick Goetz pgoetz at math.utexas.edu
Sat Mar 26 16:18:39 UTC 2022



On 3/25/22 17:39, Jeremy Allison wrote:
>>>
>>> system.NTACL is the extended attribute smbd uses to
>>> store the Windows ACL in ndr format.
>>
>> I figured this much, but am unsure about the syntax for doing this -- 
>> could you provide an example, please?
> 
> The syntax for doing what ? smbd stores these values internally.
> I think samba-tool can show them.

I'm wondering if you mean security.NTACL, as described here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End

as in:

   # getfattr -n security.NTACL -d /srv/samba/Demo/

samba-tool does allow you to manage this:

   # samba-tool ntacl set acl file [options]

but I can't find any examples of how this is used in either the Wiki, 
the man page, or the built-in help. For example, what are the [options]? 
Does this work on directories too? Etc.

Not sure I understand the relevance of ndr format, but sddl is rather 
complicated and seems to be poorly documented (even by Microsoft).  For 
example what is the right SDDL_NO_READ_UP anyway?  Who knows!  What is 
the ace_type SDDL_SCOPED_POLICY_ID?  Again, who knows? I can't find any 
documentation on this. Microsoft seems to think their naming convention 
is self-documenting. I feel more comfortable saying this after having 
just read through 3 books on Windows administration, all equally vague 
and incomplete on these issues.

Louis did helpfully provide some examples in a recent post, but what's 
needed here are some canonical use case examples.  This:
https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
is only useful as a reference for people who already know how this 
works; otherwise it's a textbook example of how not to write 
documentation; a perfect illustration of what you get in the Cathedral 
rather than at the Bazaar, where your holiness grants you nothing.

Since it's clearly up to Linux to get Windows ACLs done right, I will be 
attempting to revisit this in the next couple of months, hopefully with 
some useful documentation.

Thanks.
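The SDDL string that `samba-tool ntacl set` consumes is terse but regular, so one way to make sense of an ACL before applying it is to expand it mechanically. The following is an added example (not code from this thread or from Samba) that splits a descriptor into owner, group, DACL control flags and ACEs using the standard SDDL abbreviation tables; the descriptor it parses is a constructed sample, and the tables cover only the subset that commonly appears on file shares.

```python
import re

# SDDL abbreviation tables (file-share subset). Each field has its own table
# because "FA" means FAILED_ACCESS as a flag but FILE_ALL_ACCESS as a right.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
        "AU": "Authenticated Users", "WD": "Everyone", "CO": "CREATOR OWNER", "DU": "Domain Users"}
ACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}


def _tokens(s, table):
    """Split a run of SDDL tokens such as 'OICI' or 'PAI' into names."""
    out = []
    while s:
        n = 2 if s[:2] in table else 1 if s[:1] in table else 2
        out.append(table.get(s[:n], s[:n]))  # unknown tokens are kept raw
        s = s[n:]
    return out


def parse_ace(ace):
    """Parse one ACE body 'type;flags;rights;object_guid;inherit_guid;sid'."""
    t, flags, rights, obj, inh, sid = ace.split(";")[:6]  # ValueError if malformed
    return {"type": ACE_TYPES.get(t, t), "flags": _tokens(flags, ACE_FLAGS),
            # rights are either a run of abbreviations or a raw hex access mask
            "rights": rights if rights.lower().startswith("0x") else _tokens(rights, RIGHTS),
            "object_guid": obj, "inherit_guid": inh, "trustee": SIDS.get(sid, sid)}


def parse_sddl(sddl):
    """Parse 'O:..G:..D:..S:..' into owner, group, DACL flags and ACE lists."""
    desc = {"owner": None, "group": None, "dacl_flags": [], "dacl": [], "sacl": []}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key in ("O", "G"):
            desc["owner" if key == "O" else "group"] = SIDS.get(body, body)
            continue
        head = body.split("(", 1)[0]  # ACL control flags precede the first ACE
        aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
        if key == "D":
            desc["dacl_flags"], desc["dacl"] = _tokens(head, ACL_FLAGS), aces
        else:
            desc["sacl"] = aces
    return desc


# Constructed sample descriptor: Administrators and SYSTEM get full control,
# BUILTIN\Users get the 0x1200a9 read/execute mask, all inherited by children.
SAMPLE = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
```

Calling `parse_sddl(SAMPLE)` returns a dictionary whose `dacl` entry lists each ACE with its trustee, expanded rights and inheritance flags.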


