[Samba] Remove all Windows ACL's from files/folders

Jeremy Allison jra at samba.org
Mon Mar 28 16:28:25 UTC 2022

On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>On 3/25/22 17:39, Jeremy Allison wrote:
>>>>system.NTACL is the extended attribute smbd uses to
>>>>store the Windows ACL in ndr format.
>>>I figured this much, but am unsure about the syntax for doing this 
>>>-- could you provide an example, please?
>>The syntax for doing what ? smbd stores these values internally.
>>I think samba-tool can show them.
>I'm wondering if you mean security.NTACL, as described here:
>as in:
>  # getfattr -n security.NTACL -d /srv/samba/Demo/
>samba-tool does allow you to manage this:
>  # samba-tool ntacl set acl file [options]
>but I can't find any examples of how this is used in either the Wiki, 
>the man page, or the built in help. For example, what are the 
>[options]? Does this work on directories too? Etc..

Yes dammit :-). I keep mixing up the confusing namespaces
on Linux, sorry :-).

It's used as a "pristine" store of the ACL the client sent.
If the underlying native (usually POSIX) ACL is changed outside
of smbd then it is removed as it no longer represents reality.

More information about the samba mailing list