[Samba] Remove all Windows ACL's from files/folders

Patrick Goetz pgoetz at math.utexas.edu
Mon Mar 28 20:36:52 UTC 2022

On 3/28/22 11:43, Jeremy Allison via samba wrote:
>>> It's used as a "pristine" store of the ACL the client sent.
>>> If the underlying native (usually POSIX) ACL is changed outside
>>> of smbd then it is removed as it no longer represents reality.
>> That's new information I didn't know.
>> So, simply doing a chmod/chown in Linux would be enough to fully 
>> reset/remove all Samba (Windows set) ACL's on a file or directory, right?
> Yes. We store a hash of the existing mapping from
> Windows ACL -> POSIX ACL i.e. perms also. If you
> change the POSIX ACL or perms outside of smbd the
> hash no longer matches so we can't trust it.

I take it that recomputing the hash on filesystem objects when accessed 
would create too great of a performance hit?

What might be useful is a command to explicitly reset Windows ACLs based 
on the configured POSIX ACLs.  The other direction is already handled by 

I'm in the process of transferring a research lab from an old Samba-3 
based VM to a bare metal server running Samba 4. Previously with Samba 3 
Linux and Windows permissions were tightly coupled and they have been 
using local users and groups for everything.  I'm trying to switch them 
over to Active Directory users and AD security groups.

This means mapping

   local users --> AD users
   local groups --> Security groups

for every file and directory on the server.  They have lots of users and 
groups and quite a bit of data, 60TB. Trying to reset permissions from 
the Windows GUI would be basically impossible.

So my plan is to transfer the data to the new server and then run a 
script that recurses through the filesystem, changing user and group 
ownership. I think the basic unix permissions are respected (sort of), 
but this means I can't attempt to use POSIX ACLs to simplify their 
permissions setup, because these won't be recognized on Windows, where 
they do a lot of their work.  Having a command to set Windows ACLs from 
POSIX ACLs would be handy in this case.
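
A sketch of the recursive ownership remap described in the message above, as an added example that is not part of the original post or of Samba. The function names and the numeric IDs in the maps are constructed for illustration; real values would come from the old server's passwd/group files and from the idmap configuration on the new one. Per the quoted reply, any chown done this way outside smbd invalidates the stored Windows ACL on the object.

```python
import os

def plan_remap(root, uid_map, gid_map):
    """Return [(path, new_uid, new_gid)] for every entry under root whose
    owner or group appears in the maps; -1 means "leave unchanged".
    Uses lstat so a symlink is judged on its own ownership, not its target's."""
    changes = []

    def consider(path):
        st = os.lstat(path)
        new_uid = uid_map.get(st.st_uid, -1)
        new_gid = gid_map.get(st.st_gid, -1)
        if new_uid != -1 or new_gid != -1:
            changes.append((path, new_uid, new_gid))

    consider(root)
    # followlinks=False: symlinked directories are listed but never descended
    # into, so the walk cannot be steered outside the share by a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            consider(os.path.join(dirpath, name))
    return changes

def apply_remap(changes, dry_run=True):
    """Apply a plan with lchown (never follows symlinks). Returns the number
    of entries processed; with dry_run=True nothing on disk is modified."""
    for path, uid, gid in changes:
        if dry_run:
            print(f"would lchown {uid}:{gid} {path}")
        else:
            os.lchown(path, uid, gid)
    return len(changes)

if __name__ == "__main__":
    import sys
    # Constructed sample maps: old local IDs -> new AD-backed IDs.
    UID_MAP = {1001: 1101001, 1002: 1101002}
    GID_MAP = {500: 1100513}
    plan = plan_remap(sys.argv[1], UID_MAP, GID_MAP)
    apply_remap(plan, dry_run=True)
```

Run it in dry-run mode first and review the plan before switching to dry_run=False, which needs root.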
