This problem shows up on both Linux and Solaris. We have a setup where we want a group of users to be able to work in a common share. To do that I set up a group and made the users members of that group. I made the parent directory have that group as its group and added an ACL to make sure that everyone in the group could create files there and modify any files there. I set the set group id bit so that any new files would get this group as its group. I set the share to have inherit acls = yes so that the ACL would be inherited and used. But with inherit acls = yes, the set group id bit is not honored.

For instance, for a directory with an ACL of:

    # file: ../acltest
    # owner: hwdesign
    # group: hwdesign
    user::rwx
    group::rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:mask::rwx
    default:other::r-x

And permissions set as:

    drwxrwsr-x+ 6 hwdesign hwdesign 4096 2014-06-02 10:36 ../acltest/

A new folder (directory) is created with the following ACL:

    # file: test
    # owner: schulz
    # group: users
    user::rwx
    user:schulz:rwx
    group::rwx
    group:users:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:schulz:rwx
    default:group::rwx
    default:group:users:rwx
    default:mask::rwx
    default:other::r-x

And the following permissions:

    drwxrwsr-x+ 2 schulz users 4096 2014-06-02 10:35 test

Note that the expected and desired group should be hwdesign. Also, if the directory is accessed as an NFS mount by the Samba server then the set group id bit is lost (not shown above).
We have the same problem here on Samba 4.1.11.
Ping.
Problem also on Samba 4.2.3.
The problem still exists on Samba 4.4.0rc3.
I think this is unsupported deliberately, am I right, Jeremy? You can also achieve behaviour similar to the SGID bit via the "force group" parameter.
Yes, SGID|SUID are stripped off by design once we see a default directory ACL.
Code in master is here:

    /*
     * Ensure we pay attention to default ACLs on directories if required.
     */

    if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
        (def_acl = directory_has_default_acl(conn,
                                             conn->cwd_fsp,
                                             parent_dir_fname)))
    {
        unx_mode = (0777 & lp_create_mask(SNUM(conn)));
    }

Note the "0777".
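
The "force group" workaround mentioned in the thread, written out as an added smb.conf sketch that is not part of any comment above and is not taken from the Samba project. The share name and path are assumptions; hwdesign is the group from the report.

```ini
# Constructed example. [hwshare] and the path are assumptions;
# hwdesign is the group named in the report.
[hwshare]
    path = /srv/acltest
    read only = no

    # force group applies to every user who connects to the share,
    # so restrict who can connect to members of the group.
    valid users = @hwdesign

    # Default ACLs on the parent directory are applied to new files and
    # directories. As stated in the thread, the setgid bit is stripped
    # in this case, so group ownership is not left to it.
    inherit acls = yes

    # New files and directories created through this share get hwdesign
    # as their group, which is what the setgid bit was meant to provide.
    force group = hwdesign

    # Alternative: the "+" form forces the group only for users who are
    # already members of hwdesign.
    # force group = +hwdesign
```

Running testparm against the edited smb.conf checks the syntax before smbd is reloaded.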