The problem is, that in current state the smbd first creates a file and allows system to apply default posix ACLs (and applies "create mask"): smbd/open.c: if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) && (def_acl = directory_has_default_acl(conn, parent_dir))) { unx_mode = (0777 & lp_create_mask(SNUM(conn))); So far it is good. The operating system applies default ACLs and "create mask" is taken into account. But later, smbd rewrites the ACLs: smbd/open.c: else if (lp_inherit_acls(SNUM(conn))) { /* Inherit from parent. Errors here are not fatal. */ status = inherit_new_acl(fsp); if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("inherit_new_acl: failed for %s with % fsp_str_dbg(fsp), nt_errstr(status) )); } As it rewrites the ACLs, the "create mask" (eg. = 666) is not applied and ordinary files get execute permission. So, basically, it first allows to apply default ACLs by system, next it does its own inheritance. I want only the first portion. Commenting out the second portion makes it work correctly. To get the desired effect the parameter "store dos attributes = yes" also has to be set. I have no idea why the second portion (inherit_new_acl(fsp)) is added but it makes me trouble. If it cannot be removed for some other reasons, I can produce a patch with a new option, eg. "inherit acls posix only", or whatever other name you do prefer, so it can be disabled separately.