[Samba] ACLs and Windows 2000 look alike (inheritance of permissions)

Tom Dickson tdickson at inostor.com
Fri Apr 25 20:45:55 GMT 2003

Now I'm confused. What exactly does the inherit ACLs parameter do? From
simple tests, it seems to work the same with or without it. Are there some
cases where it would be different? Does it depend on who is making the
directory? What I see is the same result with getfacl with or without this
setting. (Though now it seems to work correctly, but the last time I checked
it, it didn't - does it depend on what settings you give the parent?)

ACLs confuse me, so any help is appreciated.

Thank you.


> Date: Thu, 24 Apr 2003 10:41:39 -0700
> From: "Tom Dickson" <tdickson at inostor.com>
> To: "samba mailing list" <samba at lists.samba.org>
> Subject: [Samba] ACLs and Windows 2000 look alike (inheritance of
> I've gotten samba working with ACLs over an XFS filesystem. Everything
> pretty well with knowledge of the workarounds (cannot remove group
> etc.)
> The only major problem I have is that ACLs don't inherit correctly. The
> default in Windows 2000 is to have a sub folder inherit the permissions of
> the folder it is in on creation. By default, the Samba share's folders
> do this. Is there any way to make samba by default copy all the ACLs when a
> folder is created? It does it if you manually check the "Allow inheritable
> permissions from parent to propagate to this object" box on the Security
> page of properties.
> If there is no way to do this in Samba (I'm using 2.2.5), can it be done
> with cacls.exe or some other item?

From the man page for smb.conf (search for inherit with /inherit)

"inherit acls (S) This parameter can be used to ensure that if
default acls exist on parent directories, they are always honored
when creating a subdirectory. The default behavior is to use the
mode specified when creating the directory. Enabling this option
sets the mode to 0777, thus guaranteeing that default directory
acls are propagated.

Default: inherit acls = no"

Note the (S) means this is a per-share option.
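
The following is an added example, not part of the original post or of Samba's code: a small model of the POSIX rule (acl(5), object creation with default ACLs) that the quoted man page text relies on, showing why the create mode decides whether a parent's default ACL reaches a new subdirectory intact. The group name "staff", the sample ACL and the 0755 create mode are constructed assumptions.

```python
# Added illustration: POSIX.1e rule for creating a directory under a parent
# that has a default ACL (see acl(5), "Object creation and default ACLs").
# ACLs are modelled as dicts: tag -> permission bits (r=4, w=2, x=1).

def perms(bits):
    return "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))

def inherit_on_mkdir(parent_default, mode):
    """Return (access_acl, default_acl) for a new subdirectory.

    The child's access ACL is a copy of the parent's default ACL, with the
    entries that map to the mode bits ANDed with the mode passed to mkdir().
    The umask is not applied when a default ACL exists.
    """
    access = dict(parent_default)
    access["user::"] &= (mode >> 6) & 7
    # The group bits map to the mask entry if present, otherwise to group::
    group_class = "mask::" if "mask::" in access else "group::"
    access[group_class] &= (mode >> 3) & 7
    access["other::"] &= mode & 7
    return access, dict(parent_default)  # directories also inherit the default ACL

def effective(acl, tag):
    """Effective rights of a named user/group or group:: entry (limited by mask)."""
    return acl[tag] & acl.get("mask::", 7)

# Constructed sample: default ACL on the share's top-level folder, e.g. set
# with: setfacl -d -m g:staff:rwx,m::rwx <dir>   ("staff" is a made-up group)
PARENT_DEFAULT = {"user::": 7, "group::": 5, "group:staff": 7,
                  "mask::": 7, "other::": 0}

def staff_rights(mode):
    access, _ = inherit_on_mkdir(PARENT_DEFAULT, mode)
    return perms(effective(access, "group:staff"))

if __name__ == "__main__":
    # 0o755 is an assumed create mode; 0o777 is what the man page says
    # "inherit acls = yes" uses.
    for label, mode in (("inherit acls = no,  mode 0755", 0o755),
                        ("inherit acls = yes, mode 0777", 0o777)):
        access, _ = inherit_on_mkdir(PARENT_DEFAULT, mode)
        print(label)
        for tag, bits in access.items():
            print(f"  {tag:<12}{perms(bits)}")
        print(f"  effective group:staff -> {staff_rights(mode)}")
```

In this model, when no entry in the parent's default ACL grants more than the create mode allows, both settings produce the same getfacl result; the outcome differs only when the default ACL is more permissive than that mode.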

