[Samba] Remove all Windows ACL's from files/folders

Jeremy Allison jra at samba.org
Mon Mar 28 16:43:39 UTC 2022

On Mon, Mar 28, 2022 at 09:36:16AM -0700, Gregory Sloop via samba wrote:
>> On Sat, Mar 26, 2022 at 11:18:39AM -0500, Patrick Goetz wrote:
>>> On 3/25/22 17:39, Jeremy Allison wrote:
>>>>>> system.NTACL is the extended attribute smbd uses to
>>>>>> store the Windows ACL in ndr format.
>>>>> I figured this much, but am unsure about the syntax for doing this -- could you provide an example, please?
>>>> The syntax for doing what ? smbd stores these values internally.
>>>> I think samba-tool can show them.
>>> I'm wondering if you mean security.NTACL, as described here:
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End
>>> as in:
>>>  # getfattr -n security.NTACL -d /srv/samba/Demo/
>>> samba-tool does allow you to manage this:
>>>  # samba-tool ntacl set acl file [options]
>>> but I can't find any examples of how this is used in either the Wiki, the man page, or the built-in help. For example, what are the [options]? Does this work on directories too? Etc.
>> Yes dammit :-). I keep mixing up the confusing namespaces
>> on Linux, sorry :-).
>> It's used as a "pristine" store of the ACL the client sent.
>> If the underlying native (usually POSIX) ACL is changed outside
>> of smbd then it is removed as it no longer represents reality.
>That's new information I didn't know.
>So, simply doing a chmod/chown in Linux would be enough to fully reset/remove all Samba (Windows set) ACL's on a file or directory, right?

Yes. We store a hash of the existing mapping from
Windows ACL -> POSIX ACL i.e. perms also. If you
change the POSIX ACL or perms outside of smbd the
hash no longer matches so we can't trust it.
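
The validation described in this reply, as a simplified model added here (not part of the original message and not Samba's code). Assumptions: an in-memory dict stands in for the security.NTACL attribute, a SHA-256 over uid, gid and mode stands in for the hash of the POSIX ACL, and all function names and the sample descriptor are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical store standing in for the security.NTACL extended attribute.
_store = {}

SAMPLE_SDDL = "O:BAG:BAD:(A;;FA;;;BA)"  # constructed sample descriptor


def posix_fingerprint(path):
    """Hash of the POSIX state the Windows ACL was mapped onto (assumed fields)."""
    st = os.stat(path)
    material = f"{st.st_uid}:{st.st_gid}:{stat.S_IMODE(st.st_mode):o}"
    return hashlib.sha256(material.encode()).hexdigest()


def store_nt_acl(path, sddl):
    """Keep the pristine client-sent ACL together with a hash of the POSIX state."""
    _store[path] = {"sddl": sddl, "posix_hash": posix_fingerprint(path)}


def load_nt_acl(path):
    """Return the stored ACL only while the POSIX state still matches the hash."""
    entry = _store.get(path)
    if entry is None:
        return None
    if entry["posix_hash"] != posix_fingerprint(path):
        # Changed outside the server: the stored ACL can no longer be trusted.
        del _store[path]
        return None
    return entry["sddl"]


def demo():
    """Store an ACL, read it back, then change perms out of band and re-read."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        open(path, "w").close()
        os.chmod(path, 0o640)
        store_nt_acl(path, SAMPLE_SDDL)
        before = load_nt_acl(path)   # hash matches, ACL returned
        os.chmod(path, 0o600)        # plays the role of chmod run on the server
        after = load_nt_acl(path)    # hash mismatch, ACL discarded
        return before, after


if __name__ == "__main__":
    print(demo())
```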
