[Samba] Default POSIX ACLs masking later permission edits

Timothy Pearson kb9vqf at pearsoncomputing.net
Tue Nov 27 16:34:24 GMT 2007


I have recently set up a Samba-based file server running 3.0.27a.  This file server is part of a Windows 2003 domain, with ACL and extended attribute support enabled, and appears to be functioning properly except for one critical issue with the ACLs.

When I try to edit the permissions of a file through Windows, the default POSIX ACL that I set up on the filesystem seems to be masking off any future permission edits.  My default ACL (set with setfacl) is to allow full control to the domain group "domain users".  If I then try to remove the full control permission from a Windows XP workstation, leaving only the read permission set, as soon as I click Apply the full control permission comes back!

Using setfacl I am able to remove the offending entries, but as soon as I try to edit a different permission through a Windows client, they come back.

Is this the correct behavior?  I have been unable to find any information on this type of issue.  If this is correct, could someone please suggest a means to apply a default ACL only when files or directories are created, and then allow full permissions editing at a later date?  I would not have set a default ACL at all, except for the fact that newly created files are inaccessible without first setting permissions.

Thank you,

Timothy Pearson
