When using smbcacls to restore the ACL on a file which is located on a Samba share I noticed that smbcacls sometimes removes the file ACL mask.

Example:

Looking at the file on the share with getfacl

cubiq-testbox:/tmp# getfacl acltest
# file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--
mask::rw-
other::r--

Retrieving the ACLs of the file with smbcacls

cubiq-testbox:/tmp# /usr/local/samba/bin/smbcacls //localhost/tmp acltest -U cube%henrik --numeric
REVISION:1
OWNER:S-1-5-21-1291655818-2083803856-2975106597-500
GROUP:S-1-5-21-1291655818-2083803856-2975106597-513
ACL:S-1-5-21-1291655818-2083803856-2975106597-500:0/0/0x0012019f
ACL:S-1-5-21-1291655818-2083803856-2975106597-513:0/0/0x00120089
ACL:S-1-1-0:0/0/0x00120089

Setting the ACLs using the retrieved ACLs.

cubiq-testbox:/tmp# /usr/local/samba/bin/smbcacls //localhost/tmp acltest -U cube%henrik -S 'REVISION:1,OWNER:S-1-5-21-1291655818-2083803856-2975106597-500,GROUP:S-1-5-21-1291655818-2083803856-2975106597-513,ACL:S-1-5-21-1291655818-2083803856-2975106597-500:0/0/0x0012019f,ACL:S-1-5-21-1291655818-2083803856-2975106597-513:0/0/0x00120089,ACL:S-1-1-0:0/0/0x00120089'

Looking at the file with getfacl shows that the mask is removed.

cubiq-testbox:/tmp# getfacl acltest
# file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--
other::r--

I can somewhat understand why this is happening, as smbcacls retrieves the ACLs based on effective permissions, ignoring whether they are set by the mask or the specific user's permissions. When set back, the effective permissions are the same but the original ACLs are not the same, as the mask has been removed. I know that the term mask is not used the same way on Windows systems and there it probably works as expected, but a Samba server on a Linux filesystem should be able to handle the mask attribute better.

Regards,
Henrik

Sorry for reposting so soon but I noticed that these examples are a little bit clearer as you can see the effective perms.

Original....

cubiq-testbox:/tmp# getfacl acltest
# file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--    #effective:---
mask::---
other::r--

Setting...

cubiq-testbox:/tmp# /usr/local/samba/bin/smbcacls //localhost/tmp acltest -U cube%henrik -M'REVISION:1,OWNER:S-1-5-21-1291655818-2083803856-2975106597-500,GROUP:S-1-5-21-1291655818-2083803856-2975106597-513,ACL:S-1-5-21-1291655818-2083803856-2975106597-500:0/0/0x0012019f,ACL:S-1-5-21-1291655818-2083803856-2975106597-513:0/0/0x00000000,ACL:S-1-1-0:0/0/0x00120089'

Result...

cubiq-testbox:/tmp# getfacl acltest
# file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::---
other::r--

The ACL mask is not used in the Windows ACL world; not even all Unices have the concept of ACL masks. I think if you set ACLs via SMB then it is just straightforward and right to expect and work with effective ACLs only. Jeremy, do you agree or do you see any misbehaviour here?

Nope, looks correct to me - using minimal required perm settings (if you only have user,group,world settings the mask is simply not required). Jeremy.
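
The round trip discussed in this thread, as an added example that is not part of the original posts and is not Samba's code: a simplified model that parses getfacl output, applies the mask to get effective rights, maps them to NT access masks, and maps them back to a minimal POSIX ACL. The function names and the mapping model are assumptions made for illustration; the access mask values for r and rw are the ones shown in the smbcacls output above.

```python
# Added illustration: a simplified model of the round trip, not Samba's code.
# Access masks are FILE_GENERIC_READ / _WRITE / _EXECUTE; r and rw match the
# 0x00120089 and 0x0012019f values in the smbcacls output quoted in the thread.
NT_BITS = {"r": 0x00120089, "w": 0x00120116, "x": 0x001200A0}

# getfacl output from the second post in the thread (mask::--- case).
SAMPLE = r"""# file: acltest
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::r--    #effective:---
mask::---
other::r--
"""

def parse_getfacl(text):
    """Return [(tag, qualifier, perms)], skipping comments such as #effective."""
    lines = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [tuple(line.split(":")) for line in lines if line]

def effective(entries):
    """Apply the mask to the owning group and named entries, then drop it."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = []
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        if mask is not None and (tag == "group" or qual):
            perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
        out.append((tag, qual, perms))
    return out

def to_nt(perms):
    """rwx string -> NT access mask (0 when no bit is granted)."""
    value = 0
    for c in perms:
        value |= NT_BITS.get(c, 0)
    return value

def from_nt(value):
    """NT access mask -> rwx string; a bit counts only if fully granted."""
    return "".join(c if (value & NT_BITS[c]) == NT_BITS[c] else "-" for c in "rwx")

def round_trip(text):
    """Export effective rights as NT masks, then map them back to POSIX."""
    return [(t, q, from_nt(to_nt(p))) for t, q, p in effective(parse_getfacl(text))]

if __name__ == "__main__":
    for tag, qual, perms in round_trip(SAMPLE):
        print(f"{tag}:{qual}:{perms}")
```

Comparing `parse_getfacl(SAMPLE)` with `round_trip(SAMPLE)` shows the mask entry gone and the group entry rewritten to its effective value, which is the difference a backup or audit job should expect when ACLs are saved and restored over SMB.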