Topic: Troubles with NTACL xattr


Troubles with NTACL xattr
« on: November 11, 2014, 10:21:35 pm »
In a shared directory, I was facing the problem that some files or folders were not accessible from Windows. On the server side, ownership and ACLs were all OK. After a lot of effort trying to find out why I was able to access file A and not file B, while both had exactly the same permissions, I finally found that the file I was not able to access had a security.NTACL xattr, while the accessible file did not.

After issuing the command:
xattr -d security.NTACL file\ B
I finally was able to access file B.

I'm now on Zentyal 4.0, but the server was successively upgraded from Zentyal 3.1, 3.2, 3.3, 3.4, 3.5... It is possible the corrupted NTACL was introduced by another version, or by an upgrade process...

Hopefully, my problem now seems to be resolved. Am I the only one who had this problem? Does anybody know what could cause the NTACL attribute to be corrupted?

Thank you,



Re: Troubles with NTACL xattr
« Reply #1 on: January 21, 2015, 11:05:59 am »
I have no idea how it happened but I have a "clean" 3.2 installation which had a file I also could mysteriously not access. Despite searching the forums which recommended the use of setacl and getacl I could not access the file or take ownership etc.

I eventually found the samba-tool get/setacl utilities which enabled me to do the following:
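Code:
# Read the ACL of the good file as an SDDL string
NTACLS=$(samba-tool ntacl get /home/samba/shares/path/to/file/to/copy/ntacls/from --as-sddl)
# Apply that SDDL string to the file that cannot be accessed
samba-tool ntacl set "$NTACLS" /home/samba/shares/path/to/file/to/overwrite/ntacls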

This reset the permissions and I was able to continue with my day.


Re: Troubles with NTACL xattr
« Reply #2 on: November 24, 2016, 02:13:33 am »
Just wanted to post my experience in case it helps anybody else. For unknown reasons I wasn't able to use samba-tool to reset the security.NTACL xattr so I used setfattr instead by copying from the 'good' file or directory:

Code:
# Capture the NTACL attribute from the good file or directory
ACL=$(getfattr -e base64 -n security.NTACL /path/to/good/file_or_directory)
# Strip off the headers so that the ACL variable only holds the base64 value
# (the leading 0s is kept; it tells setfattr the value is base64)
ACL=$(printf '%s\n' "$ACL" | sed -n 's/^security\.NTACL=//p')
# Set security.NTACL on the bad file or directory
setfattr -n security.NTACL -v "$ACL" /path/to/bad/file_or_directory

In my case there was a whole tree with an unknown number of bad NTACLs, so I used 'find' to reset everything:
Code:
cd /root/of/bad/tree
# Use steps above to set DIRACL and FILEACL from good directory and good file
find . -type d -exec setfattr -n security.NTACL -v "$DIRACL" {} \;
find . -type f -exec setfattr -n security.NTACL -v "$FILEACL" {} \;

In the end, everything in the tree had the same 'good' permissions and was fully accessible from Windows.
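
Added example, not part of the original posts: before a bulk reset like the one in Reply #2, a dump of the existing attributes shows which files carry a security.NTACL value and which of them differ from the known-good one. The function name `ntacl_diff`, the dump file name, the sample paths and the `0s...` values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a getfattr dump before a bulk setfattr run.
# On a real server the dump would come from (as root, from the tree root;
# the output file name is a placeholder):
#   getfattr -R -d -m '^security\.NTACL$' -e base64 . > /tmp/ntacl.dump
# Run from the same directory, `setfattr --restore=/tmp/ntacl.dump`
# puts the saved values back.

# ntacl_diff REFERENCE   (reads the dump on stdin)
# Prints "MATCH<TAB>path" or "DIFFER<TAB>path" for every file in the dump
# that carries a security.NTACL attribute.
ntacl_diff() {
  awk -v ref="$1" '
    /^# file: /         { path = substr($0, 9); next }   # strip "# file: "
    /^security\.NTACL=/ {
      val = substr($0, 16)                               # strip "security.NTACL="
      status = (val == ref) ? "MATCH" : "DIFFER"
      print status "\t" path
    }'
}

# Constructed sample dump: the 0s... values are short placeholders,
# not real security descriptors.
SAMPLE_DUMP='# file: share/file A
security.NTACL=0sAAAA

# file: share/file B
security.NTACL=0sBBBB
'

# Compare every entry against the value taken from the known-good file.
printf '%s\n' "$SAMPLE_DUMP" | ntacl_diff "0sAAAA"
```

Files that have no security.NTACL attribute do not appear in such a dump at all, so they are absent from the report.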


Re: Troubles with NTACL xattr
« Reply #3 on: May 25, 2019, 06:02:33 pm »

Just to comment that both solutions worked well to fix the problem with the ACLs.
However, the second is better, because samba-tool connects via the network and is slower than setfattr.