[Samba] Remove all Windows ACL's from files/folders

Jeremy Allison jra at samba.org
Tue Mar 29 21:12:14 UTC 2022


On Tue, Mar 29, 2022 at 01:49:55PM -0700, Greg Sloop <gregs at sloop.net> wrote:
>But, you just said that if I'm using "acl_xattr:ignore system acls = yes"
>it ignores system/posix permissions, right?

Samba is a Linux process. Unless it permanently runs as root
(which you don't want) then it *can't* ignore system permissions.
When impersonating the client uid/gid-list, that id token must
be allowed file system permissions on the target directory/files.

>(And that's what the docs appear to show - that it will force the directory
>mask to 0777 and the create mask to 0666.)
>https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html

create mask = 0666
directory mask = 0777

are *masks* applied to the permissions. To force permissions
to be set, you need:

force create mode
force directory mode

To have Samba always create with directory = 0777,
file = 0666 then use:

force directory mode = 0777
force create mode = 0666

>But in any case, here's the output of getfacl.
>getfacl: Removing leading '/' from absolute path names
># file: abc-zfs-01/ad-shared-folders/shared-files
># owner: root
># group: AD\\domain\040admins
># flags: -s-
>user::rwx
>group::rwx
>other::r-x
>
>r-x for "Other" should let the user "ad\gs" at least enter/view the
>directory/share, right?
>Which doesn't work.

Yes, to chdir into a directory, r-x should be enough.

If it isn't working, ensure it's accessible by doing:

sudo -u "ad\gs" -g "<group you expect>" bash

and then cd into abc-zfs-01/ad-shared-folders/shared-files.

See if it works.
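
A complementary check to the sudo test above, as an added example that is not part of the original message: run from an administrative account, it walks the path one component at a time and reports the first directory whose "other" class lacks the search (x) bit. It assumes GNU stat and reads only the plain mode bits, so owner/group matches and extended ACL entries are not evaluated; the function name and script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original message): report the first directory
# on a path whose "other" class lacks search (x) permission.
# Assumptions: GNU stat; run by an account that can stat every component
# (e.g. root); only plain mode bits are read, so owner/group matches and
# extended ACL entries are NOT evaluated.

# Prints the blocking directory and returns 1, or prints nothing and
# returns 0 when every directory component has o+x. Returns 2 on error.
first_blocked_for_other() {
    rest=$1
    case $rest in
        /*) current=/; rest=${rest#/} ;;
        *)  current=. ;;
    esac
    while [ -n "$rest" ]; do
        part=${rest%%/*}                     # next component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue           # tolerate "a//b"
        current=${current%/}/$part
        [ -e "$current" ] || { echo "missing: $current" >&2; return 2; }
        [ -d "$current" ] || continue        # only directories need search permission
        mode=$(stat -L -c %a "$current") || return 2
        other=$(( mode % 10 ))               # last octal digit is the "other" class
        if [ $(( other & 1 )) -eq 0 ]; then  # x bit clear: cannot traverse
            printf '%s\n' "$current"
            return 1
        fi
    done
    return 0
}

# Usage (script name is hypothetical):
#   sh check-traverse.sh abc-zfs-01/ad-shared-folders/shared-files
[ $# -eq 0 ] || first_blocked_for_other "$1"
```

An empty result means every directory on the path is traversable by "other"; a printed path is the first component to fix or to cover with a group or ACL entry.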


