[Samba] Inherited ACLs can not be removed on Solaris10 sparc

Eli Kleinman elik at bhphotovideo.com
Tue Aug 26 00:08:08 GMT 2008


I have a problem with the removal of inheritance ACLs of subdirectories. 
It almost sounds like only adding ACLs works, but removal of inheritance 
ACLs does not.

By default the access rights (including ACLs) should be inherited, but 
it should also be possible to remove the access rights from any 

This is what I am trying to do: I have a share called media with some 
users / groups, and all permissions from the media share (folder) are 
inherited by any folder created below it, which works (see below). The 
problem is that when I try to remove access rights using the Windows XP 
right-click Security tab, the remove doesn't work.

[root at host] # getfacl /data1/shared/media

# file: /data1/shared/media
# owner: usera
# group: root
user:userb:rwx               #effective:rwx
user:userc:rwx         #effective:rwx
group::rwx              #effective:rwx
[root at host] /data1/shared/media # getfacl New\ Folder

# file: New Folder
# owner: usera
# group: groupa
user:userb:rwx               #effective:rwx
user:userb:rwx         #effective:rwx
group::rwx              #effective:rwx
group:root:rwx          #effective:rwx

This is what I tried and didn't work: right-click on a folder as usera, 
click Properties -> Security tab -> select an inherited user, and click 
the Remove button. The following happens: the entry disappears as 
expected, then after clicking the Apply button the entry is back in the 
list. It looks like something is disallowing the removal of the inherited 
access rights. I have tried the same thing from the command line using 
"setfacl -d u:userb::rwx New\ Folder" and it works without a problem, so 
I am not sure what I am doing wrong. My smb.conf is below.

Any help is greatly appreciated.

Samba version: 3.0.28 (included with Solaris10 5/08)
Using UFS file system

cat smb.conf
[global]
       workgroup = organization
       netbios name = hosta
       realm = DOMAIN.LOCAL
       server string = Samba domain (%h)
       use kerberos keytab = true

       local master = no
       domain master = no
       guest account = guestacc

       security = ADS
       host msdfs = yes

       log level = 3
       max log size = 500

;;;;;;;;;;;;;;;;;;; LDAP Section ;;;;;;;;;;;;;;;;;;;
       ;enable privileges = yes
       ldap admin dn = "cn=samba,ou=profile,dc=bnh,dc=com"
       ldap suffix = o=domain.com,dc=domain,dc=com
       passdb backend = ldapsam:"ldap://ldap1.bnh.com:389"
       ldap user suffix = ou=People
       ldap group suffix = ou=Group
       ldap machine suffix = ou=Hosts
       ldap ssl = no
;;;;;;;;;;;;;;;;;;; Printing Section ;;;;;;;;;;;;;;;;;;;
       printing = bsd
       show add printer wizard = yes
       printcap name = /etc/printers.conf
       lpq cache time = 30
       client use spnego = yes
       deadtime = 30

[media]
  comment = Media Share
  path = /data1/shared/media
  writable = yes
  create mask = 0777
  force create mode = 0777
  directory mask = 0777
  inherit permissions = Yes
  inherit acls = Yes
  inherit owner = yes

