After upgrading to 3.0.25c and all subsequent versions, we noticed that when ACLs are edited using a Windows client (XP, 2000), child directories immediately inherit ALL ACLs from their parents regardless of the state of the Samba inherit options. After that, the inherited ACLs cannot be removed using a Windows client unless they are first removed from the highest level parent. When inherited ACLs are removed using Windows, they immediately reappear. All inherited ACLs can be removed using setfacl but are reapplied if any part of the ACL is edited from Windows.

So in the example below, if we set an ACL on the directory UserFolders and then attempt to set (using Windows) an ACL on the folder User1, User1 will get the perms we set, plus any perms set in the ACL for UserFolders. Further, when we attempt to set ACLs for Private, it automatically inherits everything set for UserFolders AND User1.

We have been using Samba with ACLs since shortly after Samba 3 was released. This is the first time we have seen this behavior. Samba 3.0.25b works "properly".

    --UserFolders|
                 |-User1-|
                 |       |Private
                 |-User2-|
                         |Private

Our smb.conf:

    [global]
        workgroup = D45
        server string = JA Server
        interfaces = eth0
        bind interfaces only = Yes
        security = DOMAIN
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        wins server = 10.45.0.1
        ldap ssl = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        winbind use default domain = Yes

    [Userfolders]
        comment = User Data
        path = /opt/UserFolders
        read only = No

ACLs are working as designed in recent Samba releases; this is most likely not a bug (any more).
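
To audit which named ACL entries on a child directory also exist on its ancestors, as in the UserFolders/User1/Private case in the report, the following added example (not part of the original report and not Samba code) parses the text output of `getfacl -R` and names the highest ancestor carrying each duplicated entry. The sample output, the user names and the function names are constructed for illustration.

```python
import posixpath

# Constructed, abridged `getfacl -R /opt/UserFolders` output (not from the report).
SAMPLE = """\
# file: opt/UserFolders
user::rwx
user:helpdesk:rwx
group::r-x
mask::rwx

# file: opt/UserFolders/User1
user::rwx
user:helpdesk:rwx
user:user1mgr:r-x
group::r-x
mask::rwx

# file: opt/UserFolders/User1/Private
user::rwx
user:helpdesk:rwx
user:user1mgr:r-x
group::---
mask::rwx
"""

def parse_getfacl(text):
    """Map each path to its set of named access entries (tag, name, perms)."""
    acls, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = set()
        elif path and line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":")[:3]
            if tag in ("user", "group") and name:  # skip owner, mask, other
                acls[path].add((tag, name, perms.split()[0]))
    return acls

def inherited_from_ancestors(acls):
    """For each path, map entries also present on an ancestor to the highest such ancestor."""
    report = {}
    for path, entries in acls.items():
        found, parent = {}, posixpath.dirname(path)
        while parent:
            for entry in entries & acls.get(parent, set()):
                found[entry] = parent  # overwritten while walking up: topmost wins
            parent = posixpath.dirname(parent)
        if found:
            report[path] = found
    return report
```

Running `inherited_from_ancestors(parse_getfacl(...))` on output captured before and after an edit from a Windows client shows which entries were propagated and which parent they would have to be removed from first.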