[Samba] ...or howto change vfs_acl_xattr options inplace without changing access rights

Ralph Boehme slow at samba.org
Mon Aug 21 17:37:15 UTC 2023

On 8/21/23 18:20, Sebastian Neustein wrote:
> The storage has come a long way with various changes of the smb.conf. It 
> is possible that at the time of creation of a file/directory 
> vfs_acl_xattr was not active. This could mean that the directory does 
> not have any extended attributes written to it and ACLs are only defined 
> with POSIX ACLs. In this case I would need a trigger to write the 
> information stored in POSIX ACLs into the extended attributes. Is there 
> anything like this?

ah, I see. Well, iirc there's no existing *efficient* tool to read the 
ACL and then write it again, to make sure the storage is consistent. I 
would look into expanding samba-tool ntacl ... a bit to do the work a 
guess, but I'd have to take a closer look and do some more tinkering.

> By the way, does vfs_acl_xattr always write the extended attribute in 
> the same way, no matter if "ignore system acls" is activated or not?

Iiirc not quite. Iirc we convert the NT ACL to POSIX ACL, store it in 
the fs, convert the POSIX ACL back to an NT ACL and then store this in 
the xattr. This makes sure both ACLs are the same and use the same 
common denominator.


Meet us at Storage Developer Conference (SDC)
On 18th to 21st September 2023 in Fremont, CA
More information at https://samba.plus/events

Meet us at the conference storage2day 2023!
26th & 27th September, in Frankfurt am Main
Event on Storage Networks & Data Management
Find more info at https://samba.plus/events

Ralph Boehme, Samba Team                      https://samba.org/
SerNet Samba Team Lead                     https://sernet.de/en/
SAMBA+ Samba packages                        https://samba.plus/
SAMBA+ Webinar                 https://samba.plus/samba-webinars

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20230821/1bac22af/OpenPGP_signature.sig>

More information about the samba mailing list