Dear Guys,

I have noticed that one of our domain user's folders in /var/lib/samba/profiles has a '+' on the end of their username folder and all the files in their profile too.

I know this is to do with ACL's and I know Samba can translate Windows ACL's to filesystem ACLs, but where can I find out where/how they are getting created and remove them.

They should be no different than anyone else.

Although all the users are set up as Admins on their own computer, no one else seems to be picking up or have a '+' sign on a 'ls -l'.

Thanks,
Paul
Arnold.O.Andrews@seagate.com
2005-Jul-28 13:53 UTC
[Samba] Samba ACL and '+' on a 'ls - l'
> Dear Guys,
>
> I have noticed that one of our domain user's folders in
> /var/lib/samba/profiles has a '+' on the end of their username folder
> and all the files in their profile too.
>
> I know this is to do with ACL's and I know Samba can translate Windows
> ACL's to filesystem ACLs, but where can I find out where/how they are
> getting created and remove them.
>
> They should be no different than anyone else.
>
> Although all the users are set up as Admins on their own computer,
> no one else seems to be picking up or have a '+' sign on a 'ls -l'.
>

I can only speak for what the commands to handle ACL's are for Solaris: "getfacl" (to see what the current settings on a file or directory are) and "setfacl" (to set ACL settings). If those aren't the same commands used on your Samba server's OS to handle ACL settings, try using "apropos acl" to see a list of man pages regarding ACL's.

Anyway, I recently found myself wanting to remove ACL settings acquired from granting permissions through Windows myself. I found that I had to use "setfacl" to replace the ACL entries and reset them to standard type entries in order to lose the "+" sign (signifying that there are additional ACL entries on a file). Setting the permissions on a file or directory with "chmod" alone is not enough to clear the ACLs.

Example: I have a file that has ACL's set:

    % ls -l acl_test
    -rw-r--r--+  1 user1    usergroup       0 Jul 28 08:31 acl_test
    % getfacl acl_test
    # file: acl_test
    # owner: user1
    # group: DGROUP
    user::rw-
    user:user2:rwx          #effective:rwx
    group::r--              #effective:r--
    mask:rwx
    other:r--

In the example above, the ACL's shown grant "user2" full access to the file, even though user2 is not the owner. Clearing the permissions from the file does not (completely) remove the ACL setting.

    % chmod 000 acl_test
    % ls -l acl_test
    ----------+  1 user1    usergroup       0 Jul 28 08:31 acl_test

To get rid of the "+" sign altogether, use setfacl with the -s option to reset the permission:

    % setfacl -s u::rw-,g::r--,o:r-- acl_test
    % ls -l acl_test
    -rw-r--r--   1 user1    usergroup       0 Jul 28 08:31 acl_test

As you can see, the ACL's have been replaced by default entries (as if chmod was the only thing that ever touched it).

Hope that helps.

Regards,
Arnold Andrews
Sr. Systems Administrator
Seagate Technology
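
An added example, not part of the original message: a small shell audit helper that reads getfacl output, lists the entries responsible for the "+" (named users and groups, mask, defaults), and builds the "setfacl -s" argument that keeps only the base entries. The function names are hypothetical and the sample input is constructed from the getfacl output quoted in the reply above; both the Solaris "other:r--" and the Linux "other::r--" spellings are accepted.

```shell
#!/bin/sh
# Constructed sample: the getfacl output quoted in the reply above.
sample_acl() {
cat <<'EOF'
# file: acl_test
# owner: user1
# group: DGROUP
user::rw-
user:user2:rwx          #effective:rwx
group::r--              #effective:r--
mask:rwx
other:r--
EOF
}

# Normalise getfacl output: drop "# file:" headers and "#effective:"
# comments, strip whitespace, emit one ACL entry per line.
acl_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d'
}

# Entries beyond the owner/group/other triple. These are what ls -l
# flags with "+", and they grant access the mode bits do not show.
extended_entries() {
    acl_entries | sed -e '/^user::/d' -e '/^group::/d' -e '/^other:/d'
}

# Build the argument for "setfacl -s" from the base entries only.
# Returns non-zero if any of the three base entries is missing.
reset_spec() {
    u= g= o=
    for entry in $(acl_entries); do
        case $entry in
            user::*)  u=${entry#user::} ;;
            group::*) g=${entry#group::} ;;
            other:*)  o=${entry##*:} ;;   # "other:r--" or "other::r--"
        esac
    done
    [ -n "$u" ] && [ -n "$g" ] && [ -n "$o" ] || return 1
    printf 'u::%s,g::%s,o:%s\n' "$u" "$g" "$o"
}

# Demo on the constructed sample: show what to review, then the reset.
echo "extended entries:"
sample_acl | extended_entries
echo "setfacl -s $(sample_acl | reset_spec) acl_test"
```

On a live system, pipe the real getfacl output for a file into the functions instead of sample_acl. On Linux, "setfacl -b" removes all extended entries without needing the spec.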