'\" t .\" Title: vfs_acl_xattr .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 05/11/2023 .\" Manual: System Administration tools .\" Source: Samba 4.17.8-Debian .\" Language: English .\" .TH "VFS_ACL_XATTR" "8" "05/11/2023" "Samba 4\&.17\&.8\-Debian" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" vfs_acl_xattr \- Save NTFS\-ACLs in Extended Attributes (EAs) .SH "SYNOPSIS" .HP \w'\ 'u vfs objects = acl_xattr .SH "DESCRIPTION" .PP This VFS module is part of the \fBsamba\fR(7) suite\&. .PP The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs)\&. This enables the full mapping of Windows ACLs on Samba servers\&. .PP The ACLs are stored in the Extended Attribute \fIsecurity\&.NTACL\fR of a file or directory\&. This Attribute is \fInot\fR listed by getfattr \-d filename\&. To show the current value, the name of the EA must be specified (e\&.g\&. getfattr \-n security\&.NTACL filename)\&. .PP This module forces the following parameters: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} inherit acls = true .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} dos filemode = true .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} force unknown acl user = true .RE .sp .RE .PP This module is stackable\&. .SH "OPTIONS" .PP acl_xattr:security_acl_name = NAME .RS 4 This option allows to redefine the default location for the NTACL extended attribute (xattr)\&. If not set, NTACL xattrs are written to security\&.NTACL which is a protected location, which means the content of the security\&.NTACL attribute is not accessible from normal users outside of Samba\&. When this option is set to use a user\-defined value, e\&.g\&. user\&.NTACL then any user can potentially access and overwrite this information\&. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS)\&. This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content\&. .RE .PP acl_xattr:ignore system acls = [yes|no] .RS 4 When set to \fIyes\fR, a best effort mapping from/to the POSIX ACL layer will \fInot\fR be done by this module\&. The default is \fIno\fR, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs\&. This is better if you need your system ACLs be set for local or NFS file access, too\&. If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility\&. .sp If \fIacl_xattr:ignore system acls\fR is set to \fIyes\fR, the following additional settings will be enforced: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} create mask = 0666 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} directory mask = 0777 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map archive = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map hidden = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map readonly = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map system = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} store dos attributes = yes .RE .sp .RE .RE .PP acl_xattr:default acl style = [posix|windows|everyone] .RS 4 This parameter determines the type of ACL that is synthesized in case a file or directory lacks an \fIsecurity\&.NTACL\fR xattr\&. .sp When set to \fIposix\fR, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for \fINT Authority\eSYSTEM\fR will full rights\&. .sp When set to \fIwindows\fR, an ACL is synthesized the same way Windows does it, only including permissions for the owner and \fINT Authority\eSYSTEM\fR\&. .sp When set to \fIeveryone\fR, an ACL is synthesized giving full permissions to everyone (S\-1\-1\-0)\&. .sp The default for this option is \fIposix\fR\&. .RE .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.