[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Rowland Penny rpenny at samba.org
Thu Jun 15 16:01:18 UTC 2023

On 15/06/2023 16:18, Tamás Németh via samba wrote:
> Thank you for the answer.
>   I understand that default (POSIX) ACLs will lead to similar results, but
> the parent directory of this file had no default ACL, and when opening its
> properties / security dialog I also don't see any inheritance specified.
> However I can accept that SaMBa works this way and I can even see that Word
> did some deliberate ACL manipulation, but this "piling up" of ACL
> information doesn't happen either on a native Windows file server or with
> vfs_acl_xattr. And at least partially this may be the reason why using
> POSIX ACLs with SaMBa is deprecated :-(
> Best regards,
> Tamás

I think we need to identify just what you are calling 'default (POSIX) 
ACLs' actually are.

Samba uses 3 permission 'levels'

The standard Unix 'ugo' permissions

The permissions that getfacl will show, known by some as NT4-ACLs, by 
others as Posix ACLs (which never made it out of the draft stage)

Windows ACLs, stored in an EA

There are NFSv4 ACLs, but these are really only used on 'BSD' filesystems.

If you create a file on Linux, you will get a file permission string 
like this from 'ls': -rw-r--r--

getfacl would show the permissions like this:

# file: $file_NAME
# owner: adminuser
# group: adminuser

Now you can, with 'setfacl' add default permissions, are these what you 
are referring to as 'Posix ACLs' ?


More information about the samba mailing list