Thomas Hoffmann (Speed4Trade GmbH)
2023-Mar-22 12:36 UTC
[Samba] Purpose and functionality of "acl_xattr:ignore system acls"
Hello, I am currently struggling to understand the samba share configuration "acl_xattr:ignore system acls". I followed the wiki page https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs to configure shares for windows clients. My observations so far: I start with "acl_xattr:ignore system acls=no" and create a samba share. Afterwards, I use a windows client to set the permission. For example, I allow domain user "user1" to access the share. On Linux, I can see that the POSIX ACLs are set accordingly (getfacl ...). In parallel the extended attribute "security.NTACL" is also set (getfattr ...). User1 can access the share. OK so far. After setting up the permission, it is often recommended to set "acl_xattr:ignore system acls=yes" to have better windows compatibility. If user2 also wants to have access to the share, I can add user2 via a windows client. This time, the POSIX ACLs are not changed any more. Only user1 is visible in POSIX ACLs, the adding of user2 is solely stored in the extended attribute "security.NTACL". If user2 tries to access the share, the permission is forbidden. The security property tab on windows shows permissions for user2 but as this setting is not reflected in the POSIX ACLs, the effective permission is "no permission for user2". My questions are: Is my observation correct or did I miss something? What is the purpose to set "acl_xattr:ignore system acls=yes" as the shown permission on windows is not the effective permission anymore? Thanks for any help in advance!