samba - Jul 2005 - Samba ACL and '+' on a 'ls - l'

Dear Guys,

I have noticed that one of our domain users folder in
/var/lib/samba/profiles has a '+' on the end  of their username folder
and all the files in their profile too.

I know this is to do with ACL's and I know Samba can translate Windows
ACL's to filesystem acls, but where can I find out where/how they are
getting created and remove them.

They should be know different then anyone else.

Although, all the users are setup as Admins on their own computer, but
noone else seems to be picking up or have a '+' sign on a 'ls
-l'

Thanks,

Paul

> Dear Guys,
>
> I have noticed that one of our domain users folder in
> /var/lib/samba/profiles has a '+' on the end  of their username
folder
> and all the files in their profile too.
>
> I know this is to do with ACL's and I know Samba can translate Windows
> ACL's to filesystem acls, but where can I find out where/how they are
> getting created and remove them.
>
> They should be know different then anyone else.
>
> Although, all the users are setup as Admins on their own computer, but
> noone else seems to be picking up or have a '+' sign on a 'ls
-l'
>
I can only speak for what the commands to handle ACL's are for Solaris;
"getfacl" (to see what the current settings on a file or directory
are, and
"setfacl" (to set ACL settings).

If those aren't the same commands used on your Samba server's OS to
handle
ACL settings, try using "apropos acl" to see a list of man pages
regarding
acl's.

Anyway, I recently found myself wanting to remove ACL settings acquired
from granting permissions through windows myself.  I found that I had to
use "setfacl" to replace the ACL entries and reset them to standard
type
entries in order to lose the "+" sign (signifying that there are
additional
ACL entries on a file).

Setting the permissions on a file or directory with "chmod" alone is
not
enough to clear the ACLs.

Example:  I have a file that has ACL's set:

% ls -l acl_test
-rw-r--r--+  1 user1    usergroup         0 Jul 28 08:31 acl_test

% getfacl acl_test

# file: acl_test
# owner: user1
# group: DGROUP
user::rw-
user:user2:rwx                #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--

( In the example above, the ACL's shown grant "user2" full access
to the
file, even though user2 is not the owner.

Clearing the permissions from the file does not (completely) remove the ACL
setting.

% chmod 000 acl_test
% ls -l acl_test
----------+  1 user1    usergroup         0 Jul 28 08:31 acl_test

To get rid of the "+" sign altogether, use setfacl with the -s option
to
reset the permission:

% setfacl -s u::rw-,g::r--,o:r-- acl_test
% ls -l acl_test
-rw-r--r--   1 user1    usergroup         0 Jul 28 08:31 acl_test


As you can see, the ACL's have been replaced by default entries (as if
chmod was the only thing that ever touched it).

Hope that helps.

Regards,

Arnold Andrews
Sr. Systems Administrator
Seagate Technology