smbcacls support for automatic inheritance propagation

David Disseldorp ddiss at
Mon Feb 3 07:57:04 MST 2014

Hi Richard,

On Fri, 31 Jan 2014 19:54:17 -0800, Richard Sharpe wrote:

> I have not been paying attention so I have lost contact with the
> intent of these patches, but it seems impossible to replicate Windows
> ACL Inheritance behavior giving that with Windows it applies at object
> creation time, but here we are applying it after the fact.

Windows considers ACL inheritance rules at object creation time, as well
when a security descriptor applied to an existing object (e.g. via
Explorer or icacls.exe). When setting an SD via SMB, the client is
responsible for inheritance propagation.

Noel's changes are specifically addressing inheritance when an ACL is
changed via Samba's smbcacls binary, which until now has not supported
any form of inheritance propagation. It's possible to replicate Windows
behaviour in this case.

Cheers, David

More information about the samba-technical mailing list