[Samba] Remove all Windows ACL's from files/folders

Robert Marcano robert at marcanoonline.com
Mon Mar 28 16:34:03 UTC 2022

On 3/28/22 12:28 PM, Jeremy Allison via samba wrote:
> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>> On 3/25/22 17:39, Jeremy Allison wrote:
>>>>> system.NTACL is the extended attribute smbd uses to
>>>>> store the Windows ACL in ndr format.
>>>> I figured this much, but am unsure about the syntax for doing this 
>>>> -- could you provide an example, please?
>>> The syntax for doing what ? smbd stores these values internally.
>>> I think samba-tool can show them.
>> I'm wondering if you mean security.NTACL, as described here:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End 
>> as in:
>>  # getfattr -n security.NTACL -d /srv/samba/Demo/
>> samba-tool does allow you to manage this:
>>  # samba-tool ntacl set acl file [options]
>> but I can't find any examples of how this is used in either the Wiki, 
>> the man page, or the built in help. For example, what are the 
>> [options]? Does this work on directories too? Etc..
> Yes dammit :-). I keep mixing up the confusing namespaces
> on Linux, sorry :-).
> It's used as a "pristine" store of the ACL the client sent.
> If the underlying native (usually POSIX) ACL is changed outside
> of smbd then it is removed as it no longer represents reality.

This magic here explains why, some time ago, I tried to add a simple 
permission to a group that mapped directly to POSIX ACLs with a setfacl 
call and then noticed on a Windows client that the entire Windows ACLs 
were modified.
