When setting an NT permission with a V1 xattr (S4 NTVFS style), the ACL does not always take precedence over the POSIX attributes.
Here are two cases I've come across. There may be more.
1) Add a deny ACL for administrator on the sysvol share. The ACL
denied "Full Control" for the administrator user. In practice, you'd
never do this, but I was just testing. The end result was that the
administrator could still use the sysvol share as usual. If I were to
do the same thing with a normal user, it works as expected, and the
user is denied access.
2) Create a new share. Then create a folder owned by root. Then, add 2
ACLs. The first one allowing domain admins full control. The second
one allowing domain users modify access. This ACL is written in V1
format to the xattr of the share folder. If a user then logs in, and
tries to connect to the share, they get an access denied. This is
because the POSIX ACLs have not been updated. If I then go in as an
admin on a Windows computer, and add an ACL for an unrelated user (say
read access for guest), it resolves the issue. Since I changed the
permissions through SMB, the POSIX attributes for the ACL are
correctly updated, and the original user can now access the share.
Tested Samba Versions: Samba 4.0 Beta1
Tested Windows Versions: Windows XP
Operating System: Ubuntu 10.04
See this thread on the samba-technical list for more details: https://lists.samba.org/archive/samba-technical/2012-June/084351.html
Here are the steps I used to build Samba 4.
1) Check out samba4 Beta1
2) Configure with: ./configure.developer --enable-fhs --prefix=/usr/local/ --with-syslog --with-logfilebase=/var/log/samba --enable-cups --with-pam --with-acl-support
3) Provision with: provision --realm=testdom.lan --domain=TESTDOM
4) Configure bind 9.8 to use the DLZ plugin and dynamic updates.
This is by design. For this reason 'samba-tool ntacl' calls the smbd VFS layer to change the posix ACL as well.