Bug 5174 - ACLs unconditionally inherited after version 3.0.25b
Summary: ACLs unconditionally inherited after version 3.0.25b
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.28
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2008-01-04 15:06 UTC by Ted Staberow (mail address dead)
Modified: 2020-12-15 17:42 UTC
Description Ted Staberow (mail address dead) 2008-01-04 15:06:00 UTC
After upgrading to 3.0.25c and all subsequent versions, we noticed that when ACLs are edited using a Windows client (XP, 2000), child directories immediately inherit ALL ACLs from their parents regardless of the state of the Samba inherit options.  After that, the inherited ACLs cannot be removed using a Windows client unless they are first removed from the highest level parent.  When inherited ACLs are removed using Windows, they immediately reappear.  All inherited ACLs can be removed using setfacl but are reapplied if any part of the ACL is edited from Windows.

So in the example below, if we set an ACL on the directory UserFolders and then attempt to set (using Windows) an ACL on the folder User1, User1 will get the perms we set, plus any perms set in the ACL for UserFolders.  Further, when we attempt to set ACLs for Private, it automatically inherits everything set for UserFolders AND User1.  We have been using Samba with ACLs since shortly after Samba 3 was released.  This is the first time we have seen this behavior.  Samba 3.0.25b works "properly".



Our smb.conf

        workgroup = D45
        server string = JA Server
        interfaces = eth0
        bind interfaces only = Yes
        security = DOMAIN
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        wins server =
        ldap ssl = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        winbind use default domain = Yes

        comment = User Data
        path = /opt/UserFolders
        read only = No
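
An added example, not part of the original report or of Samba's code: a Python check that reads `getfacl -R` output and lists, for each directory, the named ACL entries that also exist on an ancestor, together with the topmost ancestor carrying them (the level at which the report says removal has to start). The sample output and the names staff, user1 and auditor are constructed.

```python
import posixpath

# Constructed, abbreviated `getfacl -R` output for the layout in the report;
# the user and group names are made up.
SAMPLE = """\
# file: opt/UserFolders
user::rwx
group:staff:rwx

# file: opt/UserFolders/User1
user:user1:rwx
group:staff:rwx

# file: opt/UserFolders/User1/Private
user:user1:rwx
user:auditor:r-x
group:staff:rwx
"""

def parse_getfacl(text):
    """Map each path to the named user/group entries of its access ACL."""
    acls, path = {}, None
    for raw in text.splitlines():
        if raw.startswith("# file: "):
            path = raw[len("# file: "):].strip()
            acls[path] = set()
        else:
            parts = raw.split("#", 1)[0].strip().split(":")  # drop "#effective:"
            # keep user:NAME:perms and group:NAME:perms; skip owner, mask, default:
            if path and len(parts) == 3 and parts[0] in ("user", "group") and parts[1]:
                acls[path].add(":".join(parts))
    return acls

def duplicated_from_ancestors(acls):
    """Per path, pair each entry with the topmost ancestor holding the same one."""
    findings = {}
    for path, entries in acls.items():
        ancestors, parent = [], posixpath.dirname(path)
        while parent and parent != "/":
            if parent in acls:
                ancestors.append(parent)  # nearest ancestor first
            parent = posixpath.dirname(parent)
        for entry in sorted(entries):
            carriers = [a for a in ancestors if entry in acls[a]]
            if carriers:  # identical entry above: a duplicate, not proof of cause
                findings.setdefault(path, []).append((entry, carriers[-1]))
    return findings

if __name__ == "__main__":
    print(duplicated_from_ancestors(parse_getfacl(SAMPLE)))
```

Running it against `getfacl -R` output captured before and after an ACL edit from Windows shows which entries appeared on child directories as a result of the edit.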
Comment 1 Björn Jacke 2020-12-15 17:42:46 UTC
ACLs are working as designed in recent Samba releases; this is most likely not a bug (any more).