I have migrated a 3.0.14a PDC + LDAP (last Debian Sarge package) to the last stable version 3.0.25c (SerNet package) in order to improve the ACL support, because there is a lot of unpredictable behaviour in that release (above all with MS Office) and I need the "inherit owner" config directive.

1- I have a directory like this:

# file: prova
# owner: root
# group: Domain\040Users
user::rwx
user:<USER1>:rwx
group::---
group:Ced:rwx
mask::rwx
other::---
default:user::rwx
default:user:<USER1>:rwx
default:group::---
default:group:Ced:rwx
default:mask::rwx
default:other::---

And many subdirs with the same inherited permissions (for example aaaa, bbbb...). These permissions were applied with the Windows security tab (but with setfacl I have the same result).

2- When I try to remove the Inherit flag from the Windows Explorer security tab (WinXP and Win2k also) to remove any ACL, I get strange behaviour:
- When I re-check the properties of the directory, the flag is still checked.
- In the dir-tree from that directory I found 2 new ACLs: one for the user that I used for that operation (a Domain Admins member) and one for the group Administrators that I have never seen before.

I try to remove USER1 from the aa subdir:

# file: aa
# owner: root
# group: Domain\040Users
user::rwx
user:<USER1>:rwx
user:<ADMIN1>:rwx
group::---
group:Ced:rwx
group:Administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:<USER1>:rwx
default:user:<ADMIN1>:rwx
default:group::---
default:group:Ced:rwx
default:group:Administrators:rwx
default:mask::rwx
default:other::---

To resolve this problem I have to downgrade to version 3.0.24. In this version I can remove the check, but the new ACL for the user that changed the flag persists, though not the one for the group Administrators. This incorrect inherited new ACL contaminates only subdirs that have the Inherit flag checked. Now I can change ACLs only with the Administrator user (that has uid 0); this user doesn't add a new ACL, and can correctly manage inherited permissions.
Relevant configuration directives:

inherit acls = yes
map acl inherit = yes
inherit owner = yes
force unknown acl user = Yes
dos filemode = yes
inherit permissions = yes

Italian thread: http://lists.xsec.it/pipermail/samba-it/2007-September/007168.html
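
The two listings in the report above can be compared mechanically to find the entries that were not inherited. This is an added example, not part of the original report or of Samba: a Python script that parses getfacl output and lists the named entries on a subdirectory that its parent's default ACL does not contain. The listings are rebuilt inline from the report and the function names are hypothetical.

```python
# Added example: find named ACL entries on a subdirectory that the parent's
# default ACL does not contain. Function names are hypothetical.

def listing(name, entries):
    """Build getfacl-style text; as in the report, defaults mirror access entries."""
    head = [f"# file: {name}", "# owner: root", "# group: Domain\\040Users"]
    return "\n".join(head + entries + ["default:" + e for e in entries]) + "\n"

# Constructed from the two listings in the report ("prova" and its subdir "aa").
BASE = ["user::rwx", "user:<USER1>:rwx", "group::---", "group:Ced:rwx",
        "mask::rwx", "other::---"]
PARENT = listing("prova", BASE)
CHILD = listing("aa", BASE + ["user:<ADMIN1>:rwx", "group:Administrators:rwx"])

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> permissions."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if line.count(":") < 2:               # blank or not an ACL entry
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        target[(tag, qualifier)] = perms[:3]
    return access, default

def unexpected_entries(parent_text, child_text):
    """Named user/group entries of the child absent from the parent's default ACL."""
    _, parent_default = parse_getfacl(parent_text)
    findings = []
    for scope, acl in zip(("access", "default"), parse_getfacl(child_text)):
        for (tag, who), perms in sorted(acl.items()):
            if who and (tag, who) not in parent_default:
                findings.append((scope, tag, who, perms))
    return findings

if __name__ == "__main__":
    for scope, tag, who, perms in unexpected_entries(PARENT, CHILD):
        print(f"aa: {scope} entry {tag}:{who}:{perms} is not in prova's default ACL")
```

Only named user and group entries are compared, because the base entries and the mask of a subdirectory can legitimately differ from the parent's default ACL.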
Created attachment 2919
Level 2 and level 3 of problem

This is an extract of the log while I try to remove the flag indicated from the folder "bbbb", a subfolder of "prova", from which it inherits one ACL.
In more modern Samba versions this should not be a problem; there is no known issue with this any more.