The problem is that, in its current state, smbd first creates a file and allows the system to apply default POSIX ACLs (and applies "create mask"):

smbd/open.c:

    if ((flags2 & O_CREAT) && lp_inherit_acls(SNUM(conn)) &&
        (def_acl = directory_has_default_acl(conn, parent_dir))) {
            unx_mode = (0777 & lp_create_mask(SNUM(conn)));

So far it is good. The operating system applies default ACLs and "create mask" is taken into account. But later, smbd rewrites the ACLs:

smbd/open.c:

    else if (lp_inherit_acls(SNUM(conn))) {
            /* Inherit from parent. Errors here are not fatal. */
            status = inherit_new_acl(fsp);
            if (!NT_STATUS_IS_OK(status)) {
                    DEBUG(10,("inherit_new_acl: failed for %s with %s\n",
                              fsp_str_dbg(fsp),
                              nt_errstr(status) ));
            }

As it rewrites the ACLs, the "create mask" (e.g. = 666) is not applied and ordinary files get execute permission.

So, basically, it first allows the system to apply default ACLs, then it does its own inheritance. I want only the first portion. Commenting out the second portion makes it work correctly. To get the desired effect, the parameter "store dos attributes = yes" also has to be set.

I have no idea why the second portion (inherit_new_acl(fsp)) was added, but it causes me trouble. If it cannot be removed for some other reasons, I can produce a patch with a new option, e.g. "inherit acls posix only", or whatever other name you prefer, so it can be disabled separately.
ACLs and create mask generally don't play well together. Maybe we should just drop create mask support for any kind of ACL configuration where we have inherited ACLs. Just for POSIX ACLs without ACL inheritance we might leave it in.
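An added example, not part of the original thread or of Samba's code: a check for the symptom reported above, regular files under a share path whose permission bits go beyond the "create mask". The value 0666 comes from the report; the function names and the sample tree are assumptions constructed here.

```python
import os
import stat
import tempfile

CREATE_MASK = 0o666  # "create mask" value quoted in the report


def files_exceeding_mask(root, create_mask=CREATE_MASK):
    """Return sorted (relative path, extra bits) for regular files under root
    whose permission bits include anything outside create_mask.

    With POSIX ACLs the group bits of st_mode reflect the ACL mask entry,
    so an ACL rewritten with execute rights shows up here as well.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            extra = stat.S_IMODE(st.st_mode) & 0o777 & ~create_mask
            if extra:
                findings.append((os.path.relpath(path, root), extra))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one file as the mask intends, one with stray x bits."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    os.mkdir(os.path.join(root, "docs"))
    for rel, mode in (("docs/report.txt", 0o664), ("docs/notes.txt", 0o775)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod is not subject to the process umask
    return root


if __name__ == "__main__":
    for rel, extra in files_exceeding_mask(build_sample_tree()):
        print(f"{rel}: bits outside create mask = {extra:03o}")
```

Run against the real share path, any finding on a file created over SMB points at the ACL rewrite rather than at the initial create, since the initial mode is already limited by the mask.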