[Samba] Inherited ACLs can not be removed

Andreas Büsching buesching at univention.de
Thu Jun 12 14:51:53 GMT 2008


Hi,

I have a problem with the inheritance of ACLs, respectively the removal of the 
inherited ACLs in subdirectories. The following scenario:

By default the access rights (including ACLs) should be inherited, but it 
should also be possible to remove the access rights from any subdirectory. 
Therefore I've set up the following configuration:

[Finanzen]
path = /shares/finanzen
msdfs root = no
writeable = yes
browseable = yes
public = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
security mask = 0777
directory security mask = 0777
force security mode = 00
force directory security mode = 00
locking = 1
blocking locks = 1
strict locking = 0
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
inherit owner = no
inherit permissions = yes
dos filemode = no


root@qamaster:/shares# getfacl finanzen/
# file: finanzen
# owner: crunchy
# group: Share\040Admins
user::rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---

The ACLs for Domain Users were set with a Windows client; after that, a 
subdirectory TEST01 was created (BTW the group sticky bit is set):

root@qamaster:/shares# getfacl finanzen/TEST01/
# file: finanzen/TEST01
# owner: crunchy
# group: Share\040Admins
user::rwx
user:root:rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---

When I try to remove the access rights for Domain Users on TEST01 (via 
Properties->tab Security->button Advanced...) the following happens: clicking 
the remove button results in the disappearance of the entry; as expected. 
After clicking the apply button the entry is back again in the list.

It looks like 'inherit acls' does not allow removing the inherited access 
rights on subdirectories.

When I remove the access to TEST01 for Domain Users with setfacl [-d] -x ... 
(POSIX ACLs and Default POSIX ACLs) and add any other access right to the 
directory via Windows the access rights for Domain Users are added again.

Does anyone have an idea why this happens? Is there a mistake in my configuration?

If you need any further information just ask.

thanks in advance
Andreas

-- 
Andreas Büsching   <buesching at univention.de>     fon: +49 421 22 232- 0
Entwicklung        Linux for Your Business
Univention GmbH    http://www.univention.de/     fax: +49 421 22 232-99
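
The two getfacl listings in the message above can be compared mechanically. The following is an added example, not part of the original post and not Samba code: it parses the listings and reports, for each named entry in TEST01's access ACL, whether the same entry is also present in the parent's default ACL and in TEST01's own default ACL. The function names are hypothetical; the ACL text is excerpted from the post.

```python
# Added example (hypothetical helpers); ACL text is excerpted from the post.
PARENT = r"""default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---
"""
CHILD = r"""user::rwx
user:root:rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (access, default): dicts of (tag, name) -> permission string."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and trailing notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, name, perms = line.split(":")
        target[(tag, name.replace("\\040", " "))] = perms  # \040 = escaped space
    return access, default

def named_entries(parent_text, child_text):
    """For each named user/group entry on the child, say where else it is set."""
    _, parent_default = parse_getfacl(parent_text)
    child_access, child_default = parse_getfacl(child_text)
    rows = []
    for (tag, name), perms in sorted(child_access.items()):
        if name:  # unnamed entries are owner, owning group, mask and other
            rows.append((f"{tag}:{name}:{perms}",
                         parent_default.get((tag, name)) == perms,
                         child_default.get((tag, name)) == perms))
    return rows

if __name__ == "__main__":
    for entry, in_parent, in_child in named_entries(PARENT, CHILD):
        print(f"{entry:26} parent default: {in_parent}  own default: {in_child}")
```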