[Samba] Remove all Windows ACL's from files/folders
Robert Marcano
robert at marcanoonline.com
Mon Mar 28 16:34:03 UTC 2022
On 3/28/22 12:28 PM, Jeremy Allison via samba wrote:
> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>>
>>
>> On 3/25/22 17:39, Jeremy Allison wrote:
>>>>>
>>>>> system.NTACL is the extended attribute smbd uses to
>>>>> store the Windows ACL in ndr format.
>>>>
>>>> I figured this much, but am unsure about the syntax for doing this
>>>> -- could you provide an example, please?
>>>
>>> The syntax for doing what ? smbd stores these values internally.
>>> I think samba-tool can show them.
>>
>> I'm wondering if you mean security.NTACL, as described here:
>>
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>>
>>
>> as in:
>>
>> # getfattr -n security.NTACL -d /srv/samba/Demo/
>>
>> samba-tool does allow you to manage this:
>>
>> # samba-tool ntacl set acl file [options]
>>
>> but I can't find any examples of how this is used in either the Wiki,
>> the man page, or the built in help. For example, what are the
>> [options]? Does this work on directories too? Etc..
>
> Yes dammit :-). I keep mixing up the confusing namespaces
> on Linux, sorry :-).
>
> It's used as a "pristine" store of the ACL the client sent.
> If the underlying native (usually POSIX) ACL is changed outside
> of smbd then it is removed as it no longer represents reality.
>
This magic here explain why some time ago I tried to add a simple
permission to a group that mapped directly to POSIX ACLs with a setfacl
call and then notice on a Windows client that the entire Windows ACLs
where modified.
More information about the samba
mailing list