
I sent an email to the bestbits mailing list (http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) because if nobody answers on this mailing list, it's probably directly linked to ACLs? But I really don't know if the problem is only with bestbits or only with samba, because I can reproduce the bug only in samba, not in the console. So this bug seems to be linked to samba?

Am I the only one who would like to use ACLs? Are there any other solutions to have fine-grained access rules which work with samba? (like trustees)
Because if default ACLs don't work, I think using ACLs makes no sense.

For the time being - hoping this bug will be fixed sometime - I use a dirty script run by cron which checks & fixes ACLs.
I know it's dirty... but do I have any other choice?

I give up on this mystery. I'm too tired.


I use samba 3.0.22 as PDC on Debian with workstations under Windows XP SP1 and SP2.
I use ACLs to have fine-grained access rules.

When I copy a directory from a client to a samba share, default ACLs are forgotten.
Example: after I copy the directory A to the samba share:
getfacl A/
# file: A/
# owner: user1
# group: sambausers

But the parent directory has default ACLs, I can prove it:
getfacl .
# file: .
# owner: user1
# group: sambausers

Is it a bug? Because default ACLs are applied if I copy files. So why the different behavior between directories and files? I noticed that it happens only to local directories which belong to MYDOMAIN\user. If the owner of the local directory is LOCALCOMPUTER\user, the default ACLs are applied correctly. But once again, it concerns only directories. When the file belongs to MYDOMAIN\user, ACLs are applied correctly.

All I want is for default ACLs to be applied all the time, whatever the owner of the local directory.

I tried to play with "directory security mask", "force directory security mode" and "inherit permissions", without success.
Thank you for your help, I really don't know what to do.

My smb.conf looks like this:

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
       dos charset = 850
       unix charset = ISO8859-1
       workgroup = elb-lyon
       netbios name = server02
       server string = server02.elb-lyon
       os level = 65
       domain logons = Yes
       domain master = Yes
       local master = Yes
       preferred master = Yes
       wins support = Yes

       obey pam restrictions = Yes
       passdb backend = tdbsam, guest
       passwd program = /usr/bin/passwd %u
       passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
       passwd chat debug = Yes
       pam password change = Yes
       unix password sync = Yes

       syslog = 0
       log level = 2
       # log level max = 10
       log file = /var/log/samba/log.%m
       max log size = 25600
       dns proxy = No
       panic action = /usr/share/samba/panic-action %d
       invalid users = root2

       # default Samba user parameters
       logon drive = P:
       logon home = \\server02\%U
       logon path = \\server02\profiles\%U
       logon script = %U.cmd

       # automatic POSIX account management :)
       # POSIX account management
       add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
       add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
       add group script = /usr/sbin/groupadd '%g'
       add user to group script = /usr/bin/gpasswd -a '%u' '%g'
       delete user script = /usr/sbin/userdel -r '%u'
       delete group script = /usr/sbin/groupdel '%g'
       delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
       set primary group script = /usr/sbin/usermod -g '%g' '%u'

       veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

       guest account = guest

       hosts allow = 192.168.0. 127.

# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
       path = /mnt/SAN01/vd3_home2/home2/%u
       comment = Home Directories
       valid users = %S
       guest ok = No
       writable = Yes
       create mask = 0700
       directory mask = 0700
       browseable = No

       path = /mnt/SAN01/vd3_home2/netlogon
       comment = Partage NetLogon
       valid users = @sambausers @sambaguests root
       guest ok = No
       read only = Yes
       browseable = No

       path = /mnt/SAN01/vd3_home2/profiles
       comment = Profils utilisateurs
       valid users = @sambausers @sambaguests root
       guest ok = No
       writable = Yes
       create mode = 0700
       browseable = No

# -----------------------------------------------------------------------------
# Shares
# -----------------------------------------------------------------------------
       comment = Zone d'echange.
       path = /mnt/SAN01/vd1_echange
       valid users = root @sambaadmins @sambaguests @User_Standard
       guest ok = No
       writable = Yes
       create mask = 0770
       directory mask = 0770
       browseable = yes
       # inherit permissions = yes
       inherit acls = yes
       hide unreadable = Yes
       # directory security mask = 0000
       # force directory security mode = 0777
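
An added example, not part of the original post: one way to detect the symptom reported above, by listing directories that carry no default ACL although their parent has one. The getfacl text is a constructed sample, assumed to come from running getfacl on directories only; the function names are hypothetical.

```python
import posixpath

# Constructed sample, not output from the original post. Assumed to come from
# running getfacl on directories only:  find . -type d -print0 | xargs -0 getfacl
SAMPLE = """\
# file: .
# owner: user1
# group: sambausers
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

# file: A
# owner: user1
# group: sambausers
user::rwx
group::rwx
other::---
"""

def parse_getfacl(text):
    """Map each directory path to the set of its default ACL entries."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = posixpath.normpath(line[len("# file: "):])
            defaults[current] = set()
        elif line.startswith("default:") and current is not None:
            # Drop any trailing "#effective:..." comment getfacl may append.
            defaults[current].add(line.split("#")[0].strip())
    return defaults

def missing_defaults(defaults):
    """Directories with no default ACL although their parent has one."""
    flagged = []
    for path, entries in sorted(defaults.items()):
        parent = posixpath.dirname(path) or "."
        if path != parent and not entries and defaults.get(parent):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for path in missing_defaults(parse_getfacl(SAMPLE)):
        print("no default ACL inherited:", path)
```

A directory whose parent has no default ACL either is not reported, since there was nothing for it to inherit.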

