samba - Sep 2010 - Replicating Windows Inheritance

Hello All,

I have been spending a bit of time playing around with trying to get permission 
inheritance to work in a similar way to what our Windows team is used to with 
their Windows servers.

The behaviour I am after is to following:

  1. Create a new folder
  2. Select the new folder and go to Properties -> Security -> Advanced
  3. Tick the "Inherit from parent the permission entries that apply to
child
objects..."
  4. Click Apply/OK as necessary to close the options windows
  5. Create a new sub-folder in the previously created folder
  6. Select the new sub-folder and go to Properties -> Security ->
Advanced
  7. I should see that "Inherit from parent..." is already ticked by
default

'map acl inherit = yes' would seem to be the option I am after. It does
seem to
work on individual folders, but does not propagate the "Inherit from
parent..."
option by default when new sub-folders are created.

'inherit permissions = yes' and 'inherit acls = yes' work OK for
settings the
permissions correctly when a file/folder is newly created, but falls over when 
permissions need to changed at a later stage.

Am I missing something obvious? or is this behaviour not able to be reproduced 
using samba?

Cheers,
John.


== Some (Hopefully) Useful Info =ACLs and Extended Attributes are enabled on the
file-system


# smbd -V
Version 3.4.8


# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[share1]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
         workgroup = TESTLAB
         realm = TEST.LAB
         server string = testsamba
         security = ADS
         password server = testlabad.test.lab, *
         syslog = 0
         log file = /var/log/samba/log.smbd
         unix extensions = No
         load printers = No
         local master = No
         domain master = No
         dns proxy = No
         panic action = /usr/share/samba/panic-action %d
         idmap uid = 1000000-10000000
         idmap gid = 1000000-10000000
         winbind separator = +
         winbind cache time = 600
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         idmap config TESTLAB:default = yes
         idmap config TESTLAB:range = 1000000-1999999
         idmap config TESTLAB:backend = rid
         admin users = "@TESTLAB+Domain Admins"
         read only = No
         inherit permissions = Yes
         inherit acls = Yes
         map acl inherit = Yes

[share1]
         comment = Test Share 1
         path = /srv/share1