If I'm reading the code of cacl_set correctly then SMBC_XATTR_FLAG_CREATE's logic is inverted.

> for (j=0;old->dacl && j<old->dacl->num_aces;j++) {
>     if (dom_sid_equal(&sd->dacl->aces[i].trustee,
>                       &old->dacl->aces[j].trustee)) {
>         if (!(flags & SMBC_XATTR_FLAG_CREATE)) {
>             err = EEXIST;

If the new SID and the old SID are equal AND if the CREATE flag is NOT set THEN error. This surely should error iff the flag is set?

I am also not sure that check is entirely correct. There can be multiple ACEs pertaining to the same trustee but with different types (e.g. an AUDIT and a DENY and an ALLOW entry all affecting the same trustee within the same ACL). i.e. this check probably also needs to take the type into account.
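The check the post argues for, as an added example that is not part of the original post and is not Samba's code. The struct types, the `XATTR_FLAG_CREATE` constant, the function names and the SID strings are simplified stand-ins constructed for illustration, and CREATE is assumed to mean "fail if the entry already exists".

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Assumption: CREATE means "fail if the entry already exists". */
#define XATTR_FLAG_CREATE 0x1

/* Simplified stand-ins for illustration, not Samba's real types. */
enum ace_type { ACE_ALLOW, ACE_DENY, ACE_AUDIT };

struct ace {
    const char *trustee;   /* SID in string form */
    enum ace_type type;
};

struct acl {
    size_t num_aces;
    const struct ace *aces;
};

/* Two ACEs collide only when both the trustee and the type match. */
static int ace_same_key(const struct ace *a, const struct ace *b)
{
    return a->type == b->type && strcmp(a->trustee, b->trustee) == 0;
}

/* Returns EEXIST when CREATE is set and a colliding ACE exists, else 0. */
int check_add_ace(const struct acl *old, const struct ace *new_ace, int flags)
{
    size_t j;

    for (j = 0; old != NULL && j < old->num_aces; j++) {
        if (ace_same_key(new_ace, &old->aces[j]) &&
            (flags & XATTR_FLAG_CREATE))
            return EEXIST;
    }
    return 0;
}

/* Constructed sample ACL: one trustee with an ALLOW and an AUDIT entry. */
static const struct ace sample_aces[] = {
    { "S-1-5-21-1-2-3-1001", ACE_ALLOW },
    { "S-1-5-21-1-2-3-1001", ACE_AUDIT },
};
static const struct acl sample_acl = { 2, sample_aces };

int demo_check(const char *sid, enum ace_type type, int flags)
{
    struct ace candidate = { sid, type };
    return check_add_ace(&sample_acl, &candidate, flags);
}
```

With the constructed ACL, adding a DENY entry for the same trustee under CREATE succeeds, while a second ALLOW entry for that trustee is rejected with EEXIST.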