[Samba] Windows ACLs

Sonic sonicsmith at gmail.com
Fri Sep 23 01:26:58 UTC 2022

On Thu, Sep 22, 2022 at 7:01 PM Bailey Allison <ballison at 45drives.com> wrote:
> When mapping the share in Windows and checking the properties of the share,
> does your Domain Admins account appear within the permissions list? If so,
> does it list it as being Full Control or Read and Execute?

The Domain Admins account appears in the list but it has no ACL rights
as shown on the security tab. None of the listed accounts has any
rights (Everyone, root, CREATOR OWNER, CREATOR GROUP, Domain Admins).
All accounts do show a checkmark of Allow for Special Permissions.
All attempts to edit the rights returns "Access is denied".
The above is the same regardless of the owner of the shared directory
or whether or not the line acl_xattr:ignore system acls = true is in
the share.

Reading through the smb.conf man page I ran across this:
       map acl inherit (S)

           This boolean parameter controls whether smbd(8) will
attempt to map the 'inherit' and 'protected' access
           control entry flags stored in Windows ACLs into an extended
attribute called user.SAMBA_PAI (POSIX ACL
           Inheritance). This parameter requires supports for extended
attributes on the filesystem and allows the
           Windows ACL editor to store inheritance information while
NT ACLs are mapped best-effort to the POSIX ACLs.
Should there be an actual file with this name as I cannot find any
file named user.SAMBA_PAI (even replacing 'user' with wildcard).


More information about the samba mailing list