[Samba] Replicating Windows Inheritance

John Kristensen John.Kristensen at dpipwe.tas.gov.au
Tue Sep 28 19:57:59 MDT 2010

Hello All,

I have been spending a bit of time playing around with trying to get permission 
inheritance to work in a similar way to what our Windows team is used to with 
their Windows servers.

The behaviour I am after is the following:

  1. Create a new folder
  2. Select the new folder and go to Properties -> Security -> Advanced
  3. Tick the "Inherit from parent the permission entries that apply to child 
  4. Click Apply/OK as necessary to close the options windows
  5. Create a new sub-folder in the previously created folder
  6. Select the new sub-folder and go to Properties -> Security -> Advanced
  7. I should see that "Inherit from parent..." is already ticked by default

'map acl inherit = yes' would seem to be the option I am after. It does seem to 
work on individual folders, but does not propagate the "Inherit from parent..." 
option by default when new sub-folders are created.

'inherit permissions = yes' and 'inherit acls = yes' work OK for setting the 
permissions correctly when a file/folder is newly created, but fall over when 
permissions need to be changed at a later stage.

Am I missing something obvious? Or is this behaviour not able to be reproduced 
using samba?


== Some (Hopefully) Useful Info ==
ACLs and Extended Attributes are enabled on the file-system

# smbd -V
Version 3.4.8

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[share1]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Press enter to see a dump of your service definitions

         workgroup = TESTLAB
         realm = TEST.LAB
         server string = testsamba
         security = ADS
         password server = testlabad.test.lab, *
         syslog = 0
         log file = /var/log/samba/log.smbd
         unix extensions = No
         load printers = No
         local master = No
         domain master = No
         dns proxy = No
         panic action = /usr/share/samba/panic-action %d
         idmap uid = 1000000-10000000
         idmap gid = 1000000-10000000
         winbind separator = +
         winbind cache time = 600
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         idmap config TESTLAB:default = yes
         idmap config TESTLAB:range = 1000000-1999999
         idmap config TESTLAB:backend = rid
         admin users = "@TESTLAB+Domain Admins"
         read only = No
         inherit permissions = Yes
         inherit acls = Yes
         map acl inherit = Yes

         comment = Test Share 1
         path = /srv/share1
