samba - Jul 2022 - POSIX ACLs are not inherited after upgrade - behaviour changed?

On Mon, 2022-07-04 at 16:52 +0200, Henry Jensen via samba
wrote:
> I have several Samba servers running as (Samba) AD Domain members on
> Devuan Ascii (= Debian 9) with Samba 4.5.x, using Posix ACLs
The question has to be, why are you still running such an old distro ?
No, I am not Devuan bashing, I am running Beowulf at the moment.

I suggest you upgrade and then use Samba from here:

https://apt.van-belle.nl/

While you have posted portions of your smb.conf, they are not much use
without the '[global]' portion.

Rowland

Am Mon, 04 Jul 2022 16:17:55 +0100
schrieb Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 2022-07-04 at 16:52 +0200, Henry Jensen via samba wrote:
> > I have several Samba servers running as (Samba) AD Domain members on
> > Devuan Ascii (= Debian 9) with Samba 4.5.x, using Posix ACLs  
> 
> The question has to be, why are you still running such an old distro ?
> No, I am not Devuan bashing, I am running Beowulf at the moment.

Because Devuan Ascii was still supported until last week. Maybe I should have
upgraded a long time ago, but that wouldn't have eliminate the problem, it
would have just appeared earlier.
> While you have posted portions of your smb.conf, they are not much use
> without the '[global]' portion.
OK, here is the complete thing


[global]
   workgroup = MYDOM
   security = ADS
   realm = MYDOM.LAN
   # Default idmap config for local BUILTIN accounts and groups
   idmap config *:backend = tdb 
   idmap config *:range = 80001-90000

   # idmap config for the MYDOM domain
   idmap config MYDOM:backend = ad
   idmap config MYDOM:schema_mode = rfc2307
   idmap config MYDOM:range = 500-80000

   # >Samba 4.6.0
   idmap config MYDOM:unix_nss_info = yes 

   # < Samba 4.6.0
   # winbind nss info = rfc2307 

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   winbind use default domain = yes 

   winbind enum users = yes
   winbind enum groups = yes
   username map = /etc/samba/user.map

   log level = 3 passdb:3 auth:3

   Dos charset = 850
   unix charset = UTF-8

   vfs objects = recycle
   recycle: repository = .Papierkorb/%U
   recycle:directory_mode = 0777
   recycle:subdir_mode = 0770
   recycle: keeptree = Yes
   recycle: exclude = *.tmp, *.temp, *.log, *.ldb
   recycle: exclude_dir = tmp
   recycle:versions = Yes

[myshare]
path = /data/myshare
public = no
writeable = yes
hide unreadable = yes
create mask = 1660
directory mask = 1770
inherit owner = yes
inherit permissions = yes
inherit acls = yes
acl group control = yes


Now back to the question: ACL's were inherited in Samba <= 4.5.x  without
default ACLs, in Samba 4.9.x they aren't. Was this change in behaviour
intended (and which item in the release notes did I miss)?


Regards,
Henry