[Samba] map acl inherit

Rowland Penny rpenny at samba.org
Thu Jan 11 11:23:36 UTC 2024


On Thu, 11 Jan 2024 11:57:02 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Morning all.
> 
> I am reading through
> 
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
> 
> As I was curious what exactly 'map acl inherit' does.
> 
> "This boolean parameter is only relevant for systems that do not
> support standardized NFS4 ACLs but only a POSIX draft implementation
> of ACLs. Linux is the only common UNIX system which does still not
> offer standardized NFS4 ACLs actually.
> 
> On such systems this parameter controls whether smbd(8) will attempt
> to map the 'protected' (don't inherit) flags of the Windows ACLs into
> an extended attribute called user.SAMBA_PAI (POSIX draft ACL
> Inheritance).
> 
> This parameter requires support for extended attributes on the
> filesystem and allows the Windows ACL editor to store
> (non-)inheritance information while NT ACLs are mapped best-effort to
> the POSIX draft ACLs that the OS and filesystem implements. Default:
> map acl inherit = n"
> 
> It is recommended
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> As part of the "Enable Extended ACL Support on a Unix Domain member"
> 
> What are the "'protected' (don't inherit) flags of the Windows ACLs"?

You could start by reading this:

https://learn.microsoft.com/en-us/windows/win32/secauthz/ace-strings

> 
> I don’t have this parameter (map acl inherit = yes) set in my member
> server (Debian 12), and it works with no noticeable issues that I’m
> aware. What am I missing ?

If you have:

vfs objects = acl_xattr

set in your smb.conf, then I would add the line to your smb.conf.

> 
> If I don’t use this parameter and suddenly turn it on, what are the
> consequences ?

If you are also using acl_xattr (which you should), then it makes
everything work just that bit better.

> 
> How does this relate to 'acl_xattr:ignore system acls = yes' - if at
> all? My users only use Windows to access server. I have this line
> commented out, so default is 'no'.

That does what it says. By default, Samba will reset the system acls
(ugo) if the Windows ACLs are changed; this can allow local access on
the server. But if you set it to 'yes', then Samba will not reset the
local acls if the Windows permissions are changed.

I suggest you read 'man vfs_acl_xattr'

Rowland
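
Added example, not part of the original message and not Samba's own tooling: a small Python check for the advice above that a share loading `vfs objects = acl_xattr` should also set `map acl inherit = yes`. The smb.conf text, share names and paths are constructed, and the parser assumes no `include` or continuation lines.

```python
# Added example (not Samba code). SAMPLE_CONF is constructed; share names are made up.
SAMPLE_CONF = """\
[global]
    vfs objects = acl_xattr
[projects]
    path = /srv/samba/projects
    Map ACL Inherit = Yes
[scans]
    ; inherits acl_xattr from [global]; map acl inherit stays at its default (no)
    path = /srv/samba/scans
[legacy]
    vfs objects =
"""
TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings listed in smb.conf(5)

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {param: value}}; 'include' and continuation lines unsupported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def shares_missing_map_acl_inherit(text):
    """Shares that load acl_xattr while 'map acl inherit' is not enabled."""
    sections = parse_smb_conf(text)
    flagged = []
    for name, params in sections.items():
        if name == "global":
            continue
        # share-level settings override the [global] defaults
        eff = {**sections.get("global", {}), **params}
        uses_xattr = "acl_xattr" in eff.get("vfsobjects", "").split()
        inherit_on = eff.get("mapaclinherit", "no").lower() in TRUE_VALUES
        if uses_xattr and not inherit_on:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(shares_missing_map_acl_inherit(SAMPLE_CONF))
```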


