FLW Tech Support
2006-Dec-22 16:54 UTC
[Samba] "inherit acls" only works with "inherit permissions"
We are running a fileserver (Samba version 3.0.10-1.4E.9) on CentOS 4.4.
No AD, clients are Windows XP and OS X.
Linux ACLs are used for access to directories and files. Each top-level
folder belongs to a primary group with mode 2770. The ACLs restrict access
to lower level directories. We need to pass the ACLs down the directory
tree or else users may have unexpected access to lower-level subdirectories
if they have access to the top-level directory.
Two problems - "inherit acls = yes" ONLY works if "inherit permissions = yes"
AND all FILES and directories then inherit the execute bit. We do want
the execute bit set to make directories readable, we do not want to default
on the execute bit on all files.
When "inherit permissions" is not set, then "inherit acls = yes" appears to
have no effect.
Relevant section of smb.conf --
[DIG]
path = /home/DFT
writeable = yes
browseable = no
create mask = 660
directory mask = 2770
inherit acls = yes
inherit permissions = yes
valid users = xxx, xxx1
I have tried various other options such as "map acl inherit = yes" and
"dos filemode = yes" to no avail. Setting a default ACL for the primary group
has no effect.
Thanks in advance.
Mark Kerman
FLW Tech Support
2006-Dec-22 17:51 UTC
[Samba] "inherit acls" only works with "inherit permissions"
Posting the results of your suggestion -

With "inherit acls = yes" --
test.doc (file) and TEST (directory) were created with "inherit permissions = no"
test2.doc (file) and TEST2 (directory) were created with "inherit permissions = yes"
comp was a pre-existing directory with ACLs set.

I restarted Samba after the change to smb.conf was made.
As you can see, there are no ACLs assigned when "inherit permissions = no"

from the Linux console --

[root@flwd2 Stuff]# ls -rlat
total 72
drwxrws---+  2 hanna    dig  4096 Dec 20 09:15 comp
drwxr-s---  16 smbadmin dig  4096 Dec 20 16:09 ..
-rw-rw----   1 mark     dig 10752 Dec 22 11:14 test.doc
drwxrws---   2 mark     dig  4096 Dec 22 11:14 TEST
drwxrws---+  2 mark     dig  4096 Dec 22 11:30 TEST2
-rwxrwx---+  1 mark     dig 10752 Dec 22 11:30 test2.doc
drwxrws---+  5 smbadmin dig  4096 Dec 22 11:30 .

# getfacl *
# file: comp
# owner: hanna
# group: dig
user::rwx
user:mark:rwx
user:jack:r-x
user:linda:r-x
user:hanna:rwx
group::rwx
mask::rwx
other::---

# file: TEST
# owner: mark
# group: dig
user::rwx
group::rwx
other::---

# file: TEST2
# owner: mark
# group: dig
user::rwx
user:mark:rwx
user:jack:r-x
user:linda:r-x
user:hanna:rwx
group::rwx
mask::rwx
other::---

# file: test2.doc
# owner: mark
# group: dig
user::rwx
user:mark:rwx
user:jack:r-x
user:linda:r-x
user:hanna:rwx
group::rw-
mask::rwx
other::---

# file: test.doc
# owner: mark
# group: dig
user::rw-
group::rw-
other::---

On 12/22/06, James A. Dinkel <jdinkel@bucoks.com> wrote:
> You might try this: Set 'inherit permissions' to no, create a new file,
> then from the console use getfacl to see what acls the file has. See
> what permissions and ACLs it is actually getting. I just have them both
> set to 'yes' here.
>
> James Dinkel
> Network Engineer
> Butler County of Kansas
>
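
Added example, not part of the original posts: a small Python audit that parses `getfacl` text output like the listing above and reports which entries lack the named-user ACL entries of a reference directory, and which files carry an execute bit. The function names and the `files` argument are assumptions made for this illustration; `SAMPLE` reproduces the getfacl output quoted in the post.

```python
# Added example: audit `getfacl` text output against a reference directory.
# SAMPLE reproduces the getfacl output quoted in the post above.
HDR = "# file: {}\n# owner: {}\n# group: dig\n"
NAMED = "user:mark:rwx\nuser:jack:r-x\nuser:linda:r-x\nuser:hanna:rwx\n"
SAMPLE = (
    HDR.format("comp", "hanna") + "user::rwx\n" + NAMED + "group::rwx\nmask::rwx\nother::---\n\n"
    + HDR.format("TEST", "mark") + "user::rwx\ngroup::rwx\nother::---\n\n"
    + HDR.format("TEST2", "mark") + "user::rwx\n" + NAMED + "group::rwx\nmask::rwx\nother::---\n\n"
    + HDR.format("test2.doc", "mark") + "user::rwx\n" + NAMED + "group::rw-\nmask::rwx\nother::---\n\n"
    + HDR.format("test.doc", "mark") + "user::rw-\ngroup::rw-\nother::---\n"
)


def parse_getfacl(text):
    """Return {path: {(tag, qualifier): perms}}; default: entries are skipped."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            current = acls.setdefault(line[len("# file: "):], {})
        elif current is not None and line[:1] not in ("", "#") and not line.startswith("default:"):
            tag, qualifier, perms = line.split(":", 2)
            current[(tag, qualifier)] = perms[:3]  # drop any "#effective:" suffix
    return acls


def audit(acls, reference, files=()):
    """Flag entries lacking the reference's named ACL entries, and files with x set."""
    named = {key for key in acls[reference] if key[1]}  # user:NAME / group:NAME only
    report = {}
    for path, entries in acls.items():
        if path == reference:
            continue
        findings = []
        if named.difference(entries):
            findings.append("missing named ACL entries")
        # Raw entries are checked; the mask is not applied to them here.
        if path in files and any("x" in p for (tag, _), p in entries.items() if tag != "mask"):
            findings.append("execute bit on file")
        report[path] = findings
    return report


if __name__ == "__main__":
    result = audit(parse_getfacl(SAMPLE), "comp", files={"test.doc", "test2.doc"})
    for path, findings in result.items():
        print(path, "->", ", ".join(findings) or "matches reference")
```

Because `getfacl` output does not state whether an entry is a file or a directory, the caller passes the set of regular-file names in `files`.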