[Samba] ACL Propagation problem

alaslavic at havertys.com alaslavic at havertys.com
Thu Jun 10 14:11:56 GMT 2004





Using Samba 3.0.2a with acl support.  My problem is as follows:

When using the Windows ACL editor (security tab in folder properties) on a
folder, if you set the check boxes for full control (or any combination or
permissions) for a user, the Posix acl's are set for both the user, and the
default user.  This in itself is fine, because it causes newly created
folders, and files to inherit access ACL's based on the Default ACL above
it.

My problem is that if you change the permissions on a folder (again, from
windows), say, adding  a new user to the ACL (and thus adding both an
Access and Default POSIX ACL), the new ACL (and all other ACL's on the
folder) will propagate down to all the subdirectories (I didn't have
"replace permissions on subdirectories" checked in windows).  This means
that if there were a folder beneath the one being edited that had stricter
security, the security would be opened up to anyone on the higher level
ACL.

This behavior does not happen if I use "setfacl" to set the same ACL's, it
only happens with the windows ACL editor.

My smb.conf is quite long, but here are what I think the important
directives are:

        nt acl support = Yes
        inherit permissions = No
        inherit acls = No
        map acl inherit = Yes or No  (didn't matter to this problem)

Didn't see anything in the changelogs for Samba that suggest that upgrading
will help me, but I will upgrade if that will fix it.  Any other solutions
will be welcomed with a hearty "thanks!".



Alex Laslavic
Havertys Tech Services



More information about the samba mailing list