There is a directory as follows:

% getfacl dir/
# file: dir
# owner: test
# group: Domain\040Users
user::rwx
group::r-x
other::r-x

% smbcacls //SERVER/test dir -U test%PASS
REVISION:1
OWNER:DOMAIN\test
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\test:ALLOWED/0/FULL
ACL:DOMAIN\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ

Next, change owner's "Apply to" to "This folder, subfolders and files". We can perform this as follows:

% smbcacls //SERVER/test dir -U test%PASS -a 'ACL:DOMAIN\test:ALLOWED/3/FULL'

Now we can see the ACL as follows.

% getfacl dir/
# file: dir
# owner: test
# group: Domain\040Users
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::---
default:other::---

% smbcacls //SERVER/test dir -U test%PASSWORD
REVISION:1
OWNER:DOMAIN\test
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\test:ALLOWED/0/FULL
ACL:DOMAIN\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ
ACL:\Creator Owner:ALLOWED/11/FULL
ACL:\Creator Group:ALLOWED/11/
ACL:\Everyone:ALLOWED/11/

The ACL includes "Creator Owner" and "Creator Group", but the owner's ACE inherit flag is unchanged. The owner's ACE inherit flag should be 3, and it should contain a named default ACE as follows:

% getfacl dir/
# file: dir
# owner: test
# group: Domain\040Users
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:test:rwx
default:group::---
default:mask::rwx
default:other::---
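The round-trip check the report performs by eye, as an added example that is not part of the original report or of Samba: it parses smbcacls output, decodes the numeric inherit flags, and lists the flags requested for a trustee that no ACE for that trustee carries. The function names are hypothetical; the bit values are the standard Windows ACE flags (OI=1, CI=2, NP=4, IO=8, I=16).

```python
import re

# Inheritance flag bits of a Windows ACE; smbcacls prints their sum in decimal.
FLAG_BITS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "I"}
ACE_RE = re.compile(r"^ACL:(?P<who>.*):(?P<type>ALLOWED|DENIED)/(?P<flags>\d+)/(?P<mask>.*)$")

# smbcacls output after the -a call, copied from the report above.
AFTER = r"""REVISION:1
OWNER:DOMAIN\test
GROUP:DOMAIN\Domain Users
ACL:DOMAIN\test:ALLOWED/0/FULL
ACL:DOMAIN\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ
ACL:\Creator Owner:ALLOWED/11/FULL
ACL:\Creator Group:ALLOWED/11/
ACL:\Everyone:ALLOWED/11/
"""

def decode_flags(value):
    """Turn the numeric flag field into flag names, e.g. 11 -> OI, CI, IO."""
    return [name for bit, name in FLAG_BITS.items() if value & bit]

def parse_aces(text):
    """Return (trustee, type, flags, mask) for every ACL: line."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m["who"], m["type"], int(m["flags"]), m["mask"]))
    return aces

def missing_inheritance(text, trustee, wanted):
    """Flag names requested for `trustee` that none of its ACEs carry."""
    have = 0
    for who, _type, flags, _mask in parse_aces(text):
        if who == trustee:
            have |= flags
    return decode_flags(wanted & ~have)

if __name__ == "__main__":
    for who, ace_type, flags, mask in parse_aces(AFTER):
        print(f"{who:22} {ace_type} {'|'.join(decode_flags(flags)) or '-':10} {mask}")
    # The report requested ALLOWED/3/FULL for DOMAIN\test (OI|CI).
    print("lost:", missing_inheritance(AFTER, r"DOMAIN\test", 3))
```

Run against the output above, it reports OI and CI as lost for DOMAIN\test, while the inheritable rights appear only on the Creator Owner and Creator Group entries with flags 11 (OI|CI|IO).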
Created attachment 4932: Patch for 3.4.3
This looks correct to me. I'm going to do some more testing and if everything passes commit tomorrow. Thanks ! Jeremy.
Created attachment 4951: Patch for master and 3.5.0

This is the patch I'm going to apply for master and 3.5.0. It's based on your patch, but expands on it quite a bit. Your bug report was really good and pointed out the underlying problem in the POSIX ACL mapping. I'm not going to put this in 3.4.x as it's too invasive a change for the stable series - but I'm hoping you can test this for the 3.5.x release. Thanks ! Jeremy.
We had http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567095 for this. Jeremy, from the bug log and 3.5.0, it seems that the fix you proposed wasn't pushed to 3.5.0. Can you confirm? Christian Perrier
Christian this is incorrect. The fix is in the v3-5-stable git tree when I check it out. Can you check what you're building from ? Jeremy.
To Jeremy: fine. I actually didn't check the code but was referring to the bug history and WHATSNEW.txt files from 3.5.0 versions where I didn't find any reference to bug #6878. Having the mark still marked as assigned and not fixed was also confusing. I assume that it should indeed be closed. One of our users reported this bug against 3.2.5 and I was actually wondering whether we can backport it (the issue seems to be annoying enough). That doesn't seem completely straightforward, though. Christian
In 3.5 this was fixed by cdcd4da33e2d2 in Nov. 2009. As of comment 3 a backport would be too invasive. Closing as fixed as it should be fixed in 3.5.