Created attachment 17281
minimal smb.conf

Hi,

when we have activated the user.map cache, we observe that ACLs are repeatedly inherited incorrectly when folders and files are created. In addition, it can happen that users can no longer access directories even though they have permission to do so. This behavior does not always occur, but appears to be random.

However, we were able to narrow down the error to such an extent that if we set "username map cache time = 0" in the "smb.conf" file, all the problems mentioned disappear and the samba server behaves normally.

In order to describe the problem as understandably as possible, we created a minimal configuration and documented all the steps we needed to reproduce the bug on a test system. We performed the following steps once as a domain member and once as a standalone server and were able to reproduce the bug both times.

As a test user, we created a local user "smbtest01" with the primary Unix group "smbtest". For the test, we created the following directory structure with the associated ACLs.

drwxrws---+ 8 smbtest01 smbtest 4096 May 5 11:00 /mnt/data10/samba_test/test1
drwxrws---+ 8 root root 4096 May 5 11:00 /mnt/data10/samba_test/test2
drwxrws---+ 8 root users 4096 May 5 11:00 /mnt/data10/samba_test/test3

# file: mnt/data10/samba_test/test1
# owner: smbtest01
# group: smbtest
# flags: -s-
user::rwx
user:smbtest01:rwx
group::rwx
group:smbtest:rwx
mask::rwx
other::---
default:user::rwx
default:user:smbtest01:rwx
default:group::rwx
default:group:smbtest:rwx
default:mask::rwx
default:other::---

# file: mnt/data10/samba_test/test2
# owner: root
# group: root
# flags: -s-
user::rwx
user:smbtest01:rwx
group::rwx
group:smbtest:rwx
mask::rwx
other::---
default:user::rwx
default:user:smbtest01:rwx
default:group::rwx
default:group:smbtest:rwx
default:mask::rwx
default:other::---

# file: mnt/data10/samba_test/test3
# owner: root
# group: users
# flags: -s-
user::rwx
user:smbtest01:rwx
group::rwx
group:smbtest:rwx
mask::rwx
other::---
default:user::rwx
default:user:smbtest01:rwx
default:group::rwx
default:group:smbtest:rwx
default:mask::rwx
default:other::---

In order to reproduce the bug, we have now created directories and text files in the three folders with the user "smbtest01" from a Windows 10 client. The result looked like this:

/mnt/data10/samba_test/test1:
total 0
drwxrws---+ 2 smbtest01 smbtest 6 May 5 10:59 test1111

/mnt/data10/samba_test/test2:
total 0
drwxrws---+ 2 smbtest01 root 6 May 5 10:58 test2222
drwxrwx---+ 2 smbtest01 smbtest 6 May 5 11:00 testt2222

/mnt/data10/samba_test/test3:
total 0
drwxrwx---+ 2 smbtest01 smbtest 6 May 5 10:43 testr333
drwxrws---+ 2 smbtest01 users 6 May 5 10:58 testr3333

For the "test1" folder, all our attempts were correct, but the group is also the user's primary group. For the other two folders ("test2", "test3") we were able to reproduce incorrect inheritances as well as correct ones. The correct inheritance can be recognized by the set sticky bit.

As already mentioned, this behavior disappeared as soon as we disabled user.map caching in the "smb.conf" file.

To explain our "user.map" file: we map the machine account to a local system user to allow clients to access files without a user being logged in, or to allow scripts to be run in the system context.

user.map:
--------------
computeraccount = CONTOSO\pc0001$
computeraccount = CONTOSO\pc0002$
computeraccount = CONTOSO\pc0003$
[...]

Our test setup:
---------------
* RedHat Enterprise Linux 8
* installed packages
  * samba-4.14.5-10.el8_5.x86_64
  * samba-winbind-4.14.5-10.el8_5.x86_64 [1]

[1] Winbind was disabled during our tests.

All caches or tdb-files were purged before.

If we should carry out further tests, we are happy to do so, as we have an extra test system for this.

Best Regards
Tobias
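
An added example, not part of the original report or of Samba's code: a small checker that parses `ls -l` output like the listings in the report and flags child directories that did not take the group and the `s` flag in the group permission triad (setgid) from their parent. The function and variable names are assumptions made for this sketch; the listing lines are copied from the report, with the "total 0" lines left out.

```python
import re

LS_LINE = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})[+.@]?\s+\d+\s+\S+\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$")

# Listing lines copied from the report above (parents first, then per-folder children).
REPORT_LISTING = """\
drwxrws---+ 8 smbtest01 smbtest 4096 May 5 11:00 /mnt/data10/samba_test/test1
drwxrws---+ 8 root root 4096 May 5 11:00 /mnt/data10/samba_test/test2
drwxrws---+ 8 root users 4096 May 5 11:00 /mnt/data10/samba_test/test3
/mnt/data10/samba_test/test1:
drwxrws---+ 2 smbtest01 smbtest 6 May 5 10:59 test1111
/mnt/data10/samba_test/test2:
drwxrws---+ 2 smbtest01 root 6 May 5 10:58 test2222
drwxrwx---+ 2 smbtest01 smbtest 6 May 5 11:00 testt2222
/mnt/data10/samba_test/test3:
drwxrwx---+ 2 smbtest01 smbtest 6 May 5 10:43 testr333
drwxrws---+ 2 smbtest01 users 6 May 5 10:58 testr3333
"""

def has_setgid(mode):
    return mode[6] in "sS"  # group-execute slot shows s/S when setgid is set

def find_broken_inheritance(listing):
    """Return [(path, [reasons])] for child dirs that ignored a setgid parent."""
    parents, section, findings = {}, None, []
    for line in map(str.strip, listing.splitlines()):
        if line.startswith("/") and line.endswith(":"):
            section = line[:-1]          # 'dir:' header of a recursive listing
            continue
        m = LS_LINE.match(line)
        if not m or not m["mode"].startswith("d"):
            continue
        if section is None:              # top-level entry: remember it as a parent
            parents[m["name"]] = (m["mode"], m["group"])
            continue
        p_mode, p_group = parents.get(section, ("", None))
        if not p_mode or not has_setgid(p_mode):
            continue                     # parent unknown or does not force its group
        reasons = []
        if m["group"] != p_group:
            reasons.append(f"group {m['group']} != parent group {p_group}")
        if not has_setgid(m["mode"]):
            reasons.append("setgid bit not inherited")
        if reasons:
            findings.append((f"{section}/{m['name']}", reasons))
    return findings
```

Calling `find_broken_inheritance(REPORT_LISTING)` flags `test2/testt2222` and `test3/testr333`; feeding it fresh listings taken with and without "username map cache time = 0" gives a repeatable comparison between the two settings.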