Helt på engelska, av samma skäl som föregående.
Ur man smb.conf
inherit acls (S)
This parameter can be used to ensure that if default acls exist on
parent directories, they are always honored when creating a subdi‐
rectory. The default behavior is to use the mode specified when cre‐
ating the directory. Enabling this option sets the mode to 0777,
thus guaranteeing that default directory acls are propagated.
Default: inherit acls = no
508
acl check permissions (S)
This boolean parameter controls what smbd(8)does on receiving a pro‐
tocol request of "open for delete" from a Windows client. If a Win‐
dows client doesn’t have permissions to delete a file then they
expect this to be denied at open time. POSIX systems normally only
detect restrictions on delete by actually attempting to delete the
file or directory. As Windows clients can (and do) "back out" a
delete request by unsetting the "delete on close" bit Samba cannot
delete the file immediately on "open for delete" request as we can‐
not restore such a deleted file. With this parameter set to true
(the default) then smbd checks the file system permissions directly
on "open for delete" and denies the request without actually delet‐
ing the file if the file system permissions would seem to deny it.
This is not perfect, as it’s possible a user could have deleted a
file without Samba being able to check the permissions correctly,
but it is close enough to Windows semantics for mostly correct
behaviour. Samba will correctly check POSIX ACL semantics in this
case.
If this parameter is set to "false" Samba doesn’t check permissions
on "open for delete" and allows the open. If the user doesn’t have
permission to delete the file this will only be discovered at close
time, which is too late for the Windows user tools to display an
error message to the user. The symptom of this is files that appear
to have been deleted "magically" re-appearing on a Windows explorer
refersh. This is an extremely advanced protocol option which should
not need to be changed. This parameter was introduced in its final
form in 3.0.21, an earlier version with slightly different semantics
was introduced in 3.0.20. That older version is not documented here.
Default: acl check permissions = True
acl compatibility (S)
This parameter specifies what OS ACL semantics should be compatible
with. Possible values are winnt for Windows NT 4, win2k for Windows
2000 and above and auto. If you specify auto, the value for this
parameter will be based upon the version of the client. There should
be no reason to change this parameter from the default.
Default: acl compatibility = Auto
Example: acl compatibility = win2k
acl group control (S)
In a POSIX filesystem, only the owner of a file or directory and the
superuser can modify the permissions and ACLs on a file. If this
parameter is set, then Samba overrides this restriction, and also
allows the primary group owner of a file or directory to modify the
permissions and ACLs on that file.
On a Windows server, groups may be the owner of a file or directory
- thus allowing anyone in that group to modify the permissions on
it. This allows the delegation of security controls on a point in
the filesystem to the group owner of a directory and anything below
it also owned by that group. This means there are multiple people
with permissions to modify ACLs on a file or directory, easing man‐
agability.
This parameter allows Samba to also permit delegation of the control
over a point in the exported directory hierarchy in much the same
was as Windows. This allows all members of a UNIX group to control
the permissions on a file or directory they have group ownership on.
This parameter is best used with the inherit owner option and also
on on a share containing directories with the UNIX setgid bit bit
set on them, which causes new files and directories created within
it to inherit the group ownership from the containing directory.
This is parameter has been marked deprecated in Samba 3.0.23. The
same behavior is now implemented by the dos filemode option.
Default: acl group control = no
acl map full control (S)
This boolean parameter controls whether smbd(8)maps a POSIX ACE
entry of "rwx" (read/write/execute), the maximum allowed POSIX per‐
mission set, into a Windows ACL of "FULL CONTROL". If this parameter
is set to true any POSIX ACE entry of "rwx" will be returned in a
Windows ACL as "FULL CONTROL", is this parameter is set to false any
POSIX ACE entry of "rwx" will be returned as the specific Windows
ACL bits representing read, write and execute.
Default: acl map full control = True
add group script (G)
This is the full pathname to a script that will be run AS ROOT by
smbd(8) when a new group is requested. It will expand any %g to the
group name passed. This script is only useful for installations
using the Windows NT domain administration tools. The script is free
to create a group with an arbitrary name to circumvent unix group
name restrictions. In that case the script must print the numeric
gid of the created group on stdout.
No default