Extended attributes (EAs) in Linux provide a way to associate metadata with files beyond the standard set of attributes like owner, group, permissions, etc. This metadata can be used by various applications for a range of purposes such as security, access control, or even storing arbitrary data.
Extended attributes are a filesystem feature. The metadata can include security labels, system attributes, and user-defined data. EAs are supported by many Linux filesystems, such as ext4, XFS, and Btrfs.
Namespaces
Extended attributes are divided into several namespaces, including:
- user.: For user-defined attributes.
- trusted.: For attributes that can only be accessed by the kernel or processes with CAP_SYS_ADMIN capability.
- security.: For security-related attributes.
By default, the user. namespace is used. To specify a different namespace, you just change the prefix of the attribute name in your command.
Listing Attributes Without Values
If you want to list only the names of the extended attributes without their values, you can use the -e option with getfattr:
getfattr -e hex -m - config.txt
# file: config.txt
security.NTACL
system.posix_acl_access
user.DOSATTRIB
user.SAMBA_PAI
Viewing Extended Attributes
To view the extended attributes of a file, you can use the getfattr command. This will display the extended attributes associated with filename.
getfattr -d config.txt
# file: config.txt
user.DOSATTRIB=0sAAAFAAUAAAARAAA[...]
user.SAMBA_PAI=0sAgSMBgAAAAABECc[...]
Note that the security and system extended attributes have not been displayed. Let's show them:
getfattr -d -m - config.txt
# file: config.txt
security.NTACL=0sBAAEAAAAAgAEAAIAAQBPZDK[...]
system.posix_acl_access=0sAgAAAAEABwD///[...]
user.DOSATTRIB=0sAAAFAAUAAAARAAAAAAAAAAk[...]
user.SAMBA_PAI=0sAgSMBgAAAAABECcAAAAAFcA[...]
Samba uses the security.NTACL extended attribute (EA) to store Windows NTFS Access Control Lists (ACLs) on Linux filesystems. This feature allows Samba to maintain Windows-style file permissions when sharing files between Linux and Windows systems.
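As an added example (not part of the original notebook), the following Python parser reads the getfattr -d -m - output format shown above, decodes the 0s (base64), 0x (hex) and quoted-text value encodings that getfattr emits, and reports files in the dump that carry no security.NTACL. The sample dump, its paths and values, and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample in the format printed by `getfattr -R -d -m - share/`.
# Values are short made-up blobs, not real Samba data.
SAMPLE_DUMP = """\
# file: share/config.txt
security.NTACL=0sBAAEAAAAAgAEAAIAAQA=
system.posix_acl_access=0x0200000001000700
user.DOSATTRIB=0sAAAFAAUAAAARAAA=
user.comment="quarterly \\"draft\\"\\012"

# file: share/restored.txt
user.comment="copied in without its ACL"
"""

def decode_value(raw):
    """Decode one value: 0s = base64, 0x = hex, "..." = escaped text."""
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:])
    if raw.startswith(("0x", "0X")):
        return bytes.fromhex(raw[2:])
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        # Text form escapes bytes as \ooo (octal) or \<char>.
        unescape = lambda m: bytes([int(m[1], 8)]) if len(m[1]) == 3 else m[1]
        return re.sub(rb"\\([0-7]{3}|.)", unescape, raw[1:-1].encode())
    raise ValueError(f"unrecognised value encoding: {raw!r}")

def parse_dump(text):
    """Return {path: {attribute: bytes or None}} from getfattr output."""
    files, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = files.setdefault(line[len("# file: "):], {})
        elif current is not None and line:
            name, sep, raw = line.partition("=")
            # A bare name (listing without -d) has no value to decode.
            current[name] = decode_value(raw) if sep else None
    return files

def missing_attr(files, attr="security.NTACL"):
    """Paths in the dump that do not carry `attr`."""
    return sorted(p for p, attrs in files.items() if attr not in attrs)

if __name__ == "__main__":
    files = parse_dump(SAMPLE_DUMP)
    for path, attrs in files.items():
        print(path, {n: len(v) for n, v in attrs.items() if v is not None})
    print("no security.NTACL:", missing_attr(files))
```

getfattr prints nothing for a file that has no matching attributes, so a file with no extended attributes at all never appears in the dump; compare the result against a find listing of the share to catch those.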
Using Extended Attributes with Samba
Using extended attributes with Samba provides a robust and flexible way to manage file permissions and metadata in mixed-OS environments. It offers better compatibility with Windows systems and enhanced security features compared to traditional Linux ACLs.
- Samba can map Windows NTFS security descriptors to Linux extended attributes. This ensures that file permissions and attributes are maintained when sharing files between Windows and Linux systems.
- This mapping helps provide consistent security policies across different platforms, reducing confusion and potential security risks.
- EAs allow for more granular and flexible permission settings. Unlike traditional Unix/Linux ACLs, which are primarily focused on owner, group, and others, EAs can store complex security descriptors that define specific access rights for multiple users and groups.
- EAs can store additional metadata beyond standard file permissions, such as timestamps, user comments, or application-specific data. This can be important for applications that rely on specific metadata for functionality.
The acl_xattr module in Samba is used to store Windows NTFS Access Control Lists (ACLs) as extended attributes on Linux filesystems. This helps maintain compatibility between Windows and Linux permissions.
To use EAs with Samba, you need to configure your Samba configuration file (smb.conf).
The vfs objects = acl_xattr option tells Samba to use the acl_xattr module, which maps Windows ACLs to extended attributes.
vfs objects = acl_xattr
The map acl inherit = yes option ensures that inherited permissions from Windows are properly handled.
map acl inherit = yes
On a “best effort” basis, Samba will additionally try to map between the EAs containing Windows ACLs and the underlying Linux ACLs. This adds overhead on the system running Samba.
One of the options available for configuring this module is acl_xattr:ignore system acls, which can be set to yes or no.
If compatibility with Linux ACLs is not needed (no users log in to the Samba machine, for example over ssh), setting acl_xattr:ignore system acls = yes gives a streamlined and consistent approach to handling permissions in environments that rely heavily on Windows ACLs, ensuring that the behavior seen by Windows clients matches their expectations without interference from the underlying Linux ACLs.
If this is the case, after successfully configuring your share, you can safely set:
acl_xattr:ignore system acls = yes
Caponato's Samba notebook.
