[Samba] nt acl inheritance

Felix Joussein felix.joussein at gmx.at
Mon May 16 05:42:44 MDT 2011

Hello List,

I've observed the following misbehaviour while playing around with NT 
ACLs (see relevant configuration below):

Working with Windows XP:

Open acl enabled share
Set default share permissions by right click on the explorer's top left 
clip control -> properties.
Under security I remove the CREATOR-OWNER and CREATORUSER Group, as I 
already know that these two default groups cause trouble while saving 
ACLs and result in a Windows error message "Invalid Parameter". Also I 
set some default security settings for users and groups according to 
my needs and I apply it to This Folder, and any sub folder or file.

After applying to all new settings, I create a folder.
As expected my default share security settings have been inherited to 
the new folder.
I add an additional user to the acl and take care, that the inheritance 
is also "Folder, sub folder and file".

I create a new sub folder to this one and check the acl.
Here is the unwanted behavior: The new sub folder got user permissions 
from its parent folder, but unlike the default share permissions which 
have been inherited, the additional user's permissions have not been 
inherited but have been copied. When I set the option "Inherit 
permissions to sub elements as far as applicable", and apply, then a new 
acl entry is created with the same user but this time inherited. Now I 
can delete the copied settings, and apply to everything.

I hope these explanations were clear enough.

Here now the configuration:

Version: 3.5.8~dfsg-1ubuntu2.1
         comment = ACL Labor
         path = /home/acllabor
         vfs objects = acl_xattr
         read only = no
         browsable = yes
         valid users = me,you
         acl map full control = false
         inherit acls = yes
         map acl inherit = yes
         map read only = Permissions
         map archive = no
         map hidden = no
         map system = no
         nt acl support = yes
         acl group control = true
         dos filemode = yes
         enable privileges = yes
         store dos attributes = yes

mount options:
/dev/mapper/system-user on /home type ext4 

any help appreciated!
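
An added example, not part of the original post: a Python check that takes the SDDL form of a parent folder's and a subfolder's DACL and labels each subfolder ACE as inherited (ID flag set), copied (same entry as an inheritable parent ACE but without ID), or explicit. The SDDL strings, the SID and the function names are constructed for illustration and mirror the situation described above.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
FLAG_RE = re.compile(r"[A-Z]{2}")          # two-letter ACE flags: OI, CI, IO, NP, ID
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")  # DACL marker, DACL flags, ACE list


def parse_dacl(sddl):
    """Return the DACL's ACEs as (type, flag set, rights, trustee) tuples."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    return [(t, frozenset(FLAG_RE.findall(f)), r, sid)
            for t, f, r, sid in ACE_RE.findall(match.group(1))]


def classify_child_aces(parent_sddl, child_sddl):
    """Label each ACE on a subfolder as inherited, copied or explicit."""
    # Parent ACEs that propagate to subfolders carry the CI (container inherit) flag.
    inheritable = {(t, r, sid) for t, flags, r, sid in parse_dacl(parent_sddl)
                   if "CI" in flags}
    report = []
    for t, flags, r, sid in parse_dacl(child_sddl):
        if "ID" in flags:
            label = "inherited"
        elif (t, r, sid) in inheritable:
            label = "copied"      # identical to a parent ACE, but stored as explicit
        else:
            label = "explicit"
        report.append((sid, label))
    return report


# Constructed sample data (not taken from the post).
EXTRA_USER = "S-1-5-21-1111111111-2222222222-3333333333-1005"
PARENT = f"D:(A;OICI;0x1301bf;;;{EXTRA_USER})(A;OICIID;FA;;;BA)"
CHILD_OBSERVED = f"D:(A;OICI;0x1301bf;;;{EXTRA_USER})(A;OICIID;FA;;;BA)"
CHILD_EXPECTED = f"D:(A;OICIID;0x1301bf;;;{EXTRA_USER})(A;OICIID;FA;;;BA)"

if __name__ == "__main__":
    for name, child in (("observed", CHILD_OBSERVED), ("expected", CHILD_EXPECTED)):
        print(name, classify_child_aces(PARENT, child))
```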

