[Samba] ACLs and Windows 2000 look alike (inheritance of permissions)

Noel Kelly nkelly at citrusnetworks.net
Sat Apr 26 08:11:31 GMT 2003

It might help if you view the default directory ACLs using the getfacl
utility.  These are what will be inherited by stuff created in the lower

I would ask yourself if you actually need ACLs at all.  The Samba share
permissions are pretty thorough and life is far easier without ACLs as you
can clearly see what permissions are in use and backups are not an issue.
ACLs can quickly become out of control and difficult to manage/backup.  If
you do have a definite requirement for ACLs then I would consider
restricting their use to only those shares which require them.


-----Original Message-----
From: Tom Dickson [mailto:tdickson at inostor.com]
Sent: Friday, April 25, 2003 9:46 PM
To: samba mailing list
Subject: RE: [Samba] ACLs and Windows 2000 look alike (inheritance of

Now I'm confused. What exactly does the inherit ACLs parameter do? From
simple tests, it seems to work the same with or without it. Are there some
cases where it would be different? Does it depend on who is making the
directory? What I see is the same result with getfacl with or without this
setting. (Though now it seems to work correctly, but the last time I checked
it, it didn't - does it depend on what settings you give the parent?)

ACLs confuse me, so any help is appreciated.

Thank you.


> Date: Thu, 24 Apr 2003 10:41:39 -0700
> From: "Tom Dickson" <tdickson at inostor.com>
> To: "samba mailing list" <samba at lists.samba.org>
> Subject: [Samba] ACLs and Windows 2000 look alike (inheritance of
> I've gotten samba working with ACLs over an XFS filesystem. Everything
> pretty well with knowledge of the workarounds (cannot remove group
> etc.)
> The only major problem I have is that ACLs don't inherit correctly. The
> default in Windows 2000 is to have a sub folder inherit the permissions of
> the folder it is in on creation. By default, the Samba share's folders
> do this. Is there any way to make samba by default copy all the ACLs when a
> folder is created? It does it if you manually check the "Allow inheritable
> permissions from parent to propagate to this object" box on the Security
> page of properties.
> If there is no way to do this in Samba (I'm using 2.2.5), can it be done
> with cacls.exe or some other item?

From the man page for smb.conf (search for inherit with /inherit):

"inherit acls (S) This parameter can be used to ensure that if default acls
exist on parent directories, they are always honored when creating a
subdirectory. The default behavior is to use the mode specified when
creating the directory. Enabling this option sets the mode to 0777, thus
guaranteeing that default directory acls are propagated.

Default: inherit acls = no"

Note the (S) means this is a per-share option.
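
Why the create mode matters for default-ACL propagation, as an added example (not part of the original messages and not Samba's code): it models the acl(5) rule that a new directory's access ACL is the parent's default ACL with the owner, mask and other entries intersected with the mode passed at creation. The ACL entries, the `staff` group and the 0755/0700 modes are constructed sample values.

```python
# Added illustration: models the acl(5) rule for objects created under a
# directory that has a default ACL. Entries and modes are constructed samples.

R, W, X = 4, 2, 1

def inherit(default_acl, mode):
    """Return the access ACL of a new subdirectory.

    default_acl: dict mapping entry tag -> permission bits (0-7)
    mode:        mode argument given at creation, e.g. 0o755 or 0o777
    """
    acl = dict(default_acl)          # start from a copy of the default ACL
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl["user::"] &= owner
    # The group-class bits of the mode limit the mask if present, else group::
    key = "mask::" if "mask::" in acl else "group::"
    acl[key] &= group
    acl["other::"] &= other
    return acl

def effective(acl, tag):
    """Effective rights of an entry: named and group entries are masked."""
    perms = acl[tag]
    if tag in ("user::", "other::") or "mask::" not in acl:
        return perms
    return perms & acl["mask::"]

def show(bits):
    """Render permission bits as an rwx string."""
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

# Constructed default ACL on the parent share directory.
PARENT_DEFAULT = {"user::": 7, "group::": 5, "group:staff": 7,
                  "mask::": 7, "other::": 0}

if __name__ == "__main__":
    for label, mode in (("restrictive mode 0700", 0o700),
                        ("typical mode 0755", 0o755),
                        ("inherit acls (0777)", 0o777)):
        acl = inherit(PARENT_DEFAULT, mode)
        print(f"{label}: mask {show(acl['mask::'])}, "
              f"group:staff effective {show(effective(acl, 'group:staff'))}")
```

Whether the setting makes a visible difference in getfacl output therefore depends on the mode the directory would otherwise be created with: only a mode that clears group-class bits shrinks the inherited mask.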

