[Samba] Windows ACLs

Rowland Penny rpenny at samba.org
Mon Oct 3 19:31:46 UTC 2022

On 03/10/2022 20:17, Peter Carlson via samba wrote:
> On 10/3/22 11:11, Rowland Penny via samba wrote:
>> Remember what I said about 'acl_xattr:ignore system acls = yes', well 
>> I think this could be the problem, a bit of a chicken and egg problem. 
>> Until you set the permissions from Windows, it is likely that there 
>> are no Windows permissions and because you have set the above line, 
>> you cannot get permission to set them. So try removing the 
>> 'acl_xattr:ignore system acls = yes' line and try again.
>> Rowland
> This did the trick to get permissions set on the share. It is set for 
> Domain Admins and Domain Users as Full Control. I can now connect to 
> the server as a domain admin and domain user and create a folder and 
> text file in each folder. So that's awesome. Couple of things I noted 
> which are still outstanding:
> 1. New folders are created with Read only set, whether created by a 
> member of domain admin or domain user. I would normally use directory 
> mask and create mask to control this, but since this is all now 
> controlled with Windows ACLs, I'm not sure how to set a default mask (or 
> the default group for that matter, peter is a member of Linux Admins, 
> Domain Admins and Domain Users).

Glad you got the permissions set, I will update the wiki.

Without that line, you will now have three sets of permissions in play:

A) the standard Linux ugo permissions that 'ls' can show
B) the extended acls that 'getfacl' will show
C) the permissions that you have set from Windows and are stored in an EA

Linux will use A & B, Windows will use C if set and if set (without the 
'acl_xattr' line), then the Windows permissions will affect the extended 
acls, if not set, then A & B will be ignored. You can find more about 
this in 'man vfs_acl_xattr'.
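
The three permission sets listed above can be checked per path with the following script, which is an added example and not part of the original message or of Samba. It assumes Linux and the default `security.NTACL` attribute name used by vfs_acl_xattr; the function names `xattr_state` and `permission_layers` are hypothetical.

```python
import errno
import os
import stat
import sys

# Assumed defaults: vfs_acl_xattr keeps the Windows ACL in security.NTACL, and
# the kernel exposes the ACLs that getfacl prints under system.posix_acl_*.
NTACL = "security.NTACL"
POSIX_ACCESS = "system.posix_acl_access"
POSIX_DEFAULT = "system.posix_acl_default"


def xattr_state(path, name):
    """Classify one extended attribute as present, absent or unreadable."""
    try:
        os.getxattr(path, name)
        return "present"
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "absent"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "unreadable"  # rerun as root before drawing conclusions
        raise


def permission_layers(path):
    """Report the three permission sets from the message for one path."""
    st = os.stat(path)
    layers = {
        "A_mode": stat.filemode(st.st_mode),              # what 'ls -l' shows
        "A_owner": (st.st_uid, st.st_gid),
        "B_access_acl": xattr_state(path, POSIX_ACCESS),  # what 'getfacl' shows
        "C_windows_acl": xattr_state(path, NTACL),        # set from Windows
    }
    if stat.S_ISDIR(st.st_mode):
        # Default ACLs exist only on directories; new entries inherit them.
        layers["B_default_acl"] = xattr_state(path, POSIX_DEFAULT)
    return layers


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target)
        for layer, value in permission_layers(target).items():
            print(f"  {layer}: {value}")
```

A path inside the share that reports `C_windows_acl: absent` has no Windows permissions stored yet, which is the starting state described earlier in the thread.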

