When setting an NT permission with a V1 xattr (S4 NTVFS style), the ACL does not always take precedence over the POSIX attributes. Here are two cases I've come across. There may be more.

1) Add a deny ACL for administrator on the sysvol share. The ACL denied "Full Control" for the administrator user. In practice, you'd never do this, but I was just testing. The end result was that the administrator could still use the sysvol share as usual. If I were to do the same thing with a normal user, it works as expected, and the user is denied access.

2) Create a new share. Then create a folder owned by root. Then, add 2 ACLs. The first one allowing domain admins full control. The second one allowing domain users modify access. This ACL is written in V1 format to the xattr of the share folder. If a user then logs in, and tries to connect to the share, they get an access denied. This is because the POSIX ACLs have not been updated. If I then go in as an admin on a Windows computer, and add an ACL for an unrelated user (say read access for guest), it resolves the issue. Since I changed the permissions through SMB, the POSIX attributes for the ACL are correctly updated, and the original user can now access the share.

Tested Samba Versions: Samba 4.0 Beta1
Tested Windows Versions: Windows XP
Operating System: Ubuntu 10.04

See this thread on the samba-technical list for more details: https://lists.samba.org/archive/samba-technical/2012-June/084351.html

Here are the steps I used to build Samba 4.

1) Check out samba4 Beta1
2) Configure with: ./configure.developer --enable-fhs --prefix=/usr/local/ --with-syslog --with-logfilebase=/var/log/samba --enable-cups --with-pam --with-acl-support
3) Provision with: provision --realm=testdom.lan --domain=TESTDOM --adminpass=AdminPw123 --server-role=dc
4) Configure bind 9.8 to use the DLZ plugin and dynamic updates.

This is by design. For this reason 'samba-tool ntacl' calls the smbd VFS layer to change the posix ACL as well.