SE_DESC_DACL_PROTECTED and "map acl inherit"

John P Janosik jpjanosi at
Tue Jun 8 19:15:00 GMT 2004

I was going to recreate the time-out issue and post some more details, but
of course I can't duplicate the problem.  I thought we had a trace of a
Windows client updating an ACL via the Windows GUI against a win2k server
that showed that the client didn't go down the tree itself when setting the
ACL.  But now when I try this against a win2k server from either winxp sp1
or win2k sp4 clients I see it go down the tree doing an "NT QUERY SEC DESC"
on each file and directory but not doing the set.  The behavior is the same
against a Samba 3.0.4 server except that the client sees the ACL doesn't
match and also does the "NT SET SEC DESC" call on each file and directory.

I would still like to see Samba set the SEC_DESC_DACL_PROTECTED flag when
"map acl inherit" is set to no so that you don't always have to go into the
advanced panel of the security settings from the win2k and xp client GUI
and uncheck the "Inherit from parent" checkbox before changing an existing
ACE on an ACL.  Any comments on why this might be a bad idea?


John Janosik at wrote on
06/07/2004 03:16:54 PM:

> Would a patch that sets the SE_DESC_DACL_PROTECTED flag for ACLs when
> "map acl inherit" is set to no be accepted?
> Some details:  I am testing the migration of our RedHat 9 + samba 2.2.8a
> with acl support boxes to Samba 3.0.x.  I have found on large trees that
> setting an ACL on the top level and letting the Samba server propagate
> the change down the tree will fail.  The client will time out because it
> expects this to be a fast operation, since a Win2k server with NTFS has
> support for the inheritance in the filesystem.  I tried setting "map acl
> inherit" to no but Samba still does not set the SE_DESC_DACL_PROTECTED
> flag so I still get the timeouts.
> Thanks,
> John Janosik
