[Samba] Remove all Windows ACL's from files/folders

Patrick Goetz pgoetz at math.utexas.edu
Tue Mar 29 13:43:26 UTC 2022

Hi Ralph -

On 3/29/22 03:24, Ralph Boehme wrote:
> On 3/28/22 22:36, Patrick Goetz via samba wrote:
>> So my plan is to transfer the data to the new server and then run a 
>> script that recurses through the filesystem, changing user and group 
>> ownership. I think the basic unix permissions are respected (sort of), 
>> but this means I can't attempt to use POSIX ACLs to simplify their 
>> permissions setup, because these won't be recognized on Windows, where 
>> they do a lot of their work.  Having a command to set Windows ACLs 
>> from POSIX ACLs would be handy in this case.
> iirc Björn is working on such a feature for samba-tool.
> But it also looks like Jeremy and you talk past each other.
> We *do* store a hash of the underlying permissions, including POSIX ACL, 
> in our xattr. We *do* check whether the underlying permissions have 
> changed by hashing the current permissions and comparing against the 
> stored hash. We *do* discard the stored NT ACL in case both don't match 
> and go back to building a new NT ACL based on the underlying permissions.
> Does that clarify things? Or eventually I missed something in the 
> discussion that I didn't follow closely from the start, just chiming in. :)

Yes, this clarifies things considerably and makes a lot more sense.

My nightmare use case is an archivist group with very deeply nested 
directory structures, where, for some subdirectories uploaded by an 
external user prior to the machine being bound to the Samba AD, the 
users are unable to edit files even though the Linux permissions look 
fine. I tried resetting permissions from Windows, but that just crashes, 
and I can't even see what the Windows permissions are for these deep 
subdirectories, because the Security tab is missing from Properties, 
likely because File Explorer doesn't support long paths.  There's 
probably some way to do this with PowerShell.

Your comment suggests that I might be able to fix this by recursively 
resetting all the POSIX ACLs on Linux for the entire filesystem, which 
would be great. If that fails, I'll have to develop some more PowerShell 

> -slow

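Before recursively resetting POSIX ACLs as discussed in the message above, a read-only inventory of which paths still carry a stored NT ACL, and which are too deep for File Explorer to show, helps scope the change. This is an added example, not code from the thread or from Samba; the xattr name `security.NTACL` (the vfs_acl_xattr default), the 260-character limit and the constructed directory names are assumptions.

```python
import os
import tempfile

NTACL_XATTR = "security.NTACL"  # assumption: vfs_acl_xattr default name, not given in the thread
WIN_MAX_PATH = 260              # assumption: classic Windows path limit; share prefix not counted


def list_xattrs(path):
    """Names of xattrs on path (symlinks not followed); empty if unreadable."""
    lister = getattr(os, "listxattr", None)  # Linux-only API
    if lister is None:
        return []
    try:
        return lister(path, follow_symlinks=False)
    except OSError:
        return []  # no permission, or filesystem without xattr support


def audit_tree(root, lister=list_xattrs):
    """Read-only walk; returns paths relative to root, nothing is modified."""
    report = {"stored_ntacl": [], "long_paths": []}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            rel = os.path.relpath(path, root)
            if NTACL_XATTR in lister(path):
                report["stored_ntacl"].append(rel)  # Samba has a stored NT ACL here
            if len(rel) > WIN_MAX_PATH:
                report["long_paths"].append(rel)    # likely out of Explorer's reach
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed tree: one deeply nested upload; xattrs are faked by a stub."""
    with tempfile.TemporaryDirectory() as root:
        deep = os.path.join(root, *["archive-box-%02d" % i for i in range(25)])
        os.makedirs(deep)
        open(os.path.join(root, "ok.txt"), "w").close()
        open(os.path.join(deep, "scan.tif"), "w").close()
        # Stub: pretend everything under the uploaded tree has a stored NT ACL.
        fake = lambda p: [NTACL_XATTR] if "archive-box-00" in p else []
        return audit_tree(root, lister=fake)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, len(paths))
```

On a real share, call `audit_tree("/path/to/share")` as a user allowed to read the files' extended attributes; the default lister then reads the actual xattrs instead of the stub.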