Default permissions in extended ACL



We have an univention server with a few shares. All connecting clients are OSX.
Whenever a user with access to a certain share creates a file or folder, the group permission is r-x which leads to everyone else not being able to modify the files/folders.
I have to manually set them with setfacl -R -m g:group ./
How can I make sure that for each new file the permissions are either inherited from the top directory or simply rwx for owner + group? I need to enforce read/write/execute for owner and group in the extended ACL by default for all newly user-created files.

I’ve attached a screenshot to demonstrate this problem. I corrected the ACL for all files via setfacl -R, then I copied a file 148…png and, again, it defaults to r-x for the group Domain Users, until I correct it again.


Hello baselgov,

An SMB share provided by UCS has a lot of controls, you can go different paths.

[li] tick the ‘Samba permissions’ -> ‘Create files/directories with permissions of the parent directory’ option, and then set the ‘rwx’ permissions of the share’s root at the filesystem level, or[/li]
[li] open the ‘Samba extended permissions’ and tick all the bits of the ‘Force file mode’ and ‘Force directory mode’ you want to be set for every newly-created object.[/li][/ul]

Note that you don’t have such fine-grained control if you’re connecting via NFS (but who would use it in the presence of SMB?)

Frank Greif.