[Samba] nt acl inheritance

TAKAHASHI Motonobu monyo at monyo.com
Sat May 21 17:24:20 MDT 2011

From: Felix Joussein <felix.joussein at gmx.at>
Date: Mon, 16 May 2011 13:42:44 +0200

> I've observed the following misbehaviour while playing around with nc 
> ACLs (see relevant configuration below):
> Working with Windows XP:
> Open acl enabled share
> Set default share permissions by right click on the explorer's top left 
> clip control -> properties.
> Under security I remove the CREATOR-OWNER and CREATORUSER Group, as I 
> already know that these two default groups cause trouble while saving 
> ACLs and result in a Windows error message "Invalid Parameter". Also I 
> set some default security settings for users and groups according to 
> my needs and I apply it to This Folder, and any sub folder or file.
> After applying to all new settings, I create a folder.
> As expected, my default share security settings have been inherited by 
> the new folder.
> I add an additional user to the acl and take care, that the inheritance 
> is also "Folder, sub folder and file".
> I create a new sub folder to this one and check the acl.
> Here is the unwanted behavior: The new sub folder got user permissions 
> from its parent folder, but unlike the default share permissions, which 
> have been inherited, the additional user's permissions have not been 
> inherited but have been copied. When I set the option "Inherit 
> permissions to sub elements as far as applicable", and apply, then a new 
> acl entry is created with the same user but this time inherited. Now I 
> can delete the copied settings, and apply to everything.
> I hope these explanations were clear enough.
> Here now the configuration:
> Version: 3.5.8~dfsg-1ubuntu2.1
> smb.conf:
> [acl]
>          comment = ACL Labor
>          path = /home/acllabor
>          vfs objects = acl_xattr
>          read only = no
>          browsable = yes
>          valid users = me,you
>          acl map full control = false
>          inherit acls = yes
>          map acl inherit = yes
>          map read only = Permissions
>          map archive = no
>          map hidden = no
>          map system = no
>          nt acl support = yes
>          acl group control = true
>          dos filemode = yes
>          enable privileges = yes
>          store dos attributes = yes
> mount options:
> /dev/mapper/system-user on /home type ext4 
> (rw,errors=remount-ro,acl,user_xattr,)

AFAIK, "map acl inherit = yes" does not work well:

Also acl_xattr will not work as you expected, because even if you
enable acl_xattr, POSIX ACL semantics are still used in actual access
control and inheriting ACLs.

"map read only" parameter is always ignored when "store dos attributes
= yes".

TAKAHASHI Motonobu <monyo at samba.gr.jp>
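As an added illustration (not code from this thread or from Samba), a small Python lint that parses a share definition in smb.conf syntax and flags the two parameter interactions named in the reply; the sample section is a constructed copy of the posted [acl] share, and the finding wording is my own summary of the reply.

```python
import re
from typing import Dict, List

# Constructed copy of the relevant lines from the quoted [acl] share.
SMB_CONF = """
[acl]
    comment = ACL Labor
    path = /home/acllabor
    vfs objects = acl_xattr
    read only = no
    inherit acls = yes
    map acl inherit = yes
    map read only = Permissions
    store dos attributes = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}.

    Parameter names are normalised the way Samba treats them (case-insensitive,
    whitespace collapsed), so "Map ACL Inherit" and "map acl inherit" collide.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":       # blank line or comment
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                            # stray line outside a section
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value: str) -> bool:
    """Samba accepts several spellings for a boolean parameter."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def lint_share(params: Dict[str, str]) -> List[str]:
    """Apply the two observations from the reply to one share's parameters."""
    findings: List[str] = []
    if "map read only" in params and is_true(params.get("store dos attributes", "no")):
        findings.append("map read only is ignored because store dos attributes = yes")
    if "acl_xattr" in params.get("vfs objects", "").split():
        findings.append("acl_xattr set, but access control and inheritance still follow POSIX ACLs")
    return findings


def lint_conf(text: str) -> Dict[str, List[str]]:
    """Lint every share in the file; sections without findings are omitted."""
    return {name: f for name, p in parse_smb_conf(text).items() if (f := lint_share(p))}
```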
