[Samba] Remove all Windows ACL's from files/folders

Gregory Sloop gregs at sloop.net
Mon Mar 28 16:36:16 UTC 2022

> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:

>> On 3/25/22 17:39, Jeremy Allison wrote:

>>>>> system.NTACL is the extended attribute smbd uses to
>>>>> store the Windows ACL in ndr format.

>>>> I figured this much, but am unsure about the syntax for doing this >>>-- could you provide an example, please?
>>> The syntax for doing what ? smbd stores these values internally.
>>> I think samba-tool can show them.
>> I'm wondering if you mean security.NTACL, as described here:

>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End

>> as in:
>>  # getfattr -n security.NTACL -d /srv/samba/Demo/
>> samba-tool does allow you to manage this:
>>  # samba-tool ntacl set acl file [options]
>> but I can't find any examples of how this is used in either the Wiki, >the man page, or the built in help. For example, what are the >[options]? Does this work on directories too? Etc..

> Yes dammit :-). I keep mixing up the confusing namespaces
> on Linux, sorry :-).

> It's used as a "pristine" store of the ACL the client sent.
> If the underlying native (usually POSIX) ACL is changed outside
> of smbd then it is removed as it no longer represents reality.
That's new information I didn't know.
So, simply doing a chmod/chown in Linux would be enough to fully reset/remove all Samba (Windows set) ACL's on a file or directory, right?

More information about the samba mailing list