Bug 5174 - ACLs unconditionally inherited after version 3.0.25b
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: File Services
x86 Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
Reported: 2008-01-04 15:06 UTC by Ted Staberow
Modified: 2008-01-04 15:06 UTC (History)
Description Ted Staberow 2008-01-04 15:06:00 UTC
After upgrading to 3.0.25c and all subsequent versions, we noticed that when ACLs are edited using a Windows client (XP, 2000), child directories immediately inherit ALL ACLs from their parents regardless of the state of the Samba inherit options.  After that, the inherited ACLs cannot be removed using a Windows client unless they are first removed from the highest level parent.  When inherited ACLs are removed using Windows, they immediately reappear.  All inherited ACLs can be removed using setfacl but are reapplied if any part of the ACL is edited from Windows.

So in the example below, if we set an ACL on the directory UserFolders and then attempt to set (using Windows) an ACL on the folder User1, User1 will get the perms we set, plus any perms set in the ACL for UserFolders.  Further, when we attempt to set ACLs for Private, it automatically inherits everything set for UserFolders AND User1.  We have been using Samba with ACLs since shortly after Samba 3 was released.  This is the first time we have seen this behavior.  Samba 3.0.25b works "properly".



Our smb.conf

        workgroup = D45
        server string = JA Server
        interfaces = eth0
        bind interfaces only = Yes
        security = DOMAIN
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        wins server =
        ldap ssl = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        winbind use default domain = Yes

        comment = User Data
        path = /opt/UserFolders
        read only = No
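
An added example, not part of the original report and not Samba code: a Python check that parses `getfacl -R` output and lists, for each directory, the named ACL entries that are identical to an entry on one of its ancestors, which helps locate directories affected by the behaviour described above. The sample output and the users alice, bob and carol are constructed; a matching entry may also have been set deliberately, so the result is a list to review.

```python
import posixpath

# Constructed, abridged `getfacl -R` output; alice, bob and carol are made-up users.
SAMPLE = """\
# file: opt/UserFolders
user::rwx
user:alice:rwx
mask::rwx
other::---

# file: opt/UserFolders/User1
user::rwx
user:alice:rwx
user:bob:rwx
mask::rwx

# file: opt/UserFolders/User1/Private
user:alice:rwx
user:bob:rwx
user:carol:r-x
default:user:alice:rwx
"""

def parse_getfacl(text):
    """Map each path to its set of named user/group access entries."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):].strip()
            acls[current] = set()
            continue
        fields = line.split("#")[0].strip().split(":")  # drop "#effective:" notes
        # Keep named entries (user:alice:rwx); default: ACLs have four fields.
        if current and len(fields) == 3 and fields[0] in ("user", "group") and fields[1]:
            acls[current].add(tuple(fields))
    return acls

def carried_down(acls):
    """For each path, list named entries identical to one on an ancestor."""
    report = {}
    for path, entries in acls.items():
        found, parent = set(), posixpath.dirname(path)
        while parent not in ("", "/"):
            found |= entries & acls.get(parent, set())
            parent = posixpath.dirname(parent)
        if found:
            report[path] = sorted(found)
    return report
```

On a live system the input would be the saved output of `getfacl -R` run over the share path.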