diff --git a/kmod/src/acl.c b/kmod/src/acl.c
index bfe81bc5..86d398ab 100644
--- a/kmod/src/acl.c
+++ b/kmod/src/acl.c
@@ -98,11 +98,9 @@ struct posix_acl *scoutfs_get_acl_locked(struct inode *inode, int type, struct s
 acl = ERR_PTR(ret);
 }
-#ifndef KC___POSIX_ACL_CREATE
 /* can set null negative cache */
 if (!IS_ERR(acl))
 set_cached_acl(inode, type, acl);
-#endif
 kfree(value);
@@ -194,10 +192,8 @@ int scoutfs_set_acl_locked(struct inode *inode, struct posix_acl *acl, int type,
 }
 out:
-#ifndef KC___POSIX_ACL_CREATE
 if (!ret)
 set_cached_acl(inode, type, acl);
-#endif
 kfree(value);
diff --git a/tests/golden/basic-posix-acl b/tests/golden/basic-posix-acl
new file mode 100644
index 00000000..b0415759
--- /dev/null
+++ b/tests/golden/basic-posix-acl
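Review bot: With the `KC___POSIX_ACL_CREATE` guards removed, the `set_cached_acl()` calls in `scoutfs_get_acl_locked()` (after `if (!IS_ERR(acl))`) and in `scoutfs_set_acl_locked()` (at `out:` in the -194 hunk) now run on every kernel, and nothing in either hunk shows what drops the cached entry when the ACL is changed from another mount. Later permission checks use the cached value, including the NULL negative entry the comment mentions, so an entry that outlives a remote change means access decisions made on stale data. If the `_locked` suffix means the caller holds a cluster lock and that lock's invalidation already forgets cached ACLs, a comment at both call sites would record it, e.g. `/* cached ACL is valid only while the inode's lock is held; lock invalidation must call forget_all_cached_acls() */`. Both function bodies start and end outside the hunks, so the invalidation path may exist where it is not visible here.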
@@ -0,0 +1,157 @@
+== setup test directory
+== getfacl
+directory drwxr-xr-x 0 0 0 '.'
+# file: .
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+== basic non-acl access through permissions
+directory drwxr-xr-x 0 44444 0 'dir-testuid'
+touch: cannot touch 'dir-testuid/file-group-write': Permission denied
+touch: cannot touch 'symlinkdir-testuid/symlink-file-group-write': Permission denied
+regular empty file -rw-r--r-- 22222 44444 0 'dir-testuid/file-group-write'
+regular empty file -rw-r--r-- 22222 44444 0 'symlinkdir-testuid/symlink-file-group-write'
+== basic acl access
+directory drwxr-xr-x 0 0 0 'dir-root'
+touch: cannot touch 'dir-root/file-group-write': Permission denied
+touch: cannot touch 'symlinkdir-root/file-group-write': Permission denied
+# file: dir-root
+# owner: root
+# group: root
+user::rwx
+user:22222:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+regular empty file -rw-r--r-- 22222 0 0 'dir-root/file-group-write'
+regular empty file -rw-r--r-- 22222 0 0 'symlinkdir-root/file-group-write'
+== directory exec
+Success
+Success
+# file: dir-root
+# owner: root
+# group: root
+user::rwx
+user:22222:rw-
+group::r-x
+mask::rwx
+other::r-x
+
+bash: line 0: cd: dir-root: Permission denied
+Failed
+bash: line 0: cd: symlinkdir-root: Permission denied
+Failed
+# file: dir-root
+# owner: root
+# group: root
+user::rwx
+user:22222:rw-
+group::r-x
+group:44444:rwx
+mask::rwx
+other::r-x
+
+Success
+Success
+== get/set attr
+regular empty file -rw-r--r-- 0 0 0 'file-root'
+setfattr: file-root: Permission denied
+# file: file-root
+# owner: root
+# group: root
+user::rw-
+user:22222:rw-
+group::r--
+mask::rw-
+other::r--
+
+# file: file-root
+user.test2="Success"
+
+# file: file-root
+# owner: root
+# group: root
+user::rw-
+group::r--
+mask::r--
+other::r--
+
+setfattr: file-root: Permission denied
+# file: file-root
+user.test2="Success"
+
+# file: file-root
+# owner: root
+# group: root
+user::rw-
+group::r--
+group:44444:rw-
+mask::rw-
+other::r--
+
+# file: file-root
+user.test2="Success"
+user.test4="Success"
+
+== inheritance / default acl
+directory drwxr-xr-x 0 0 0 'dir-root2'
+mkdir: cannot create directory 'dir-root2/dir': Permission denied
+touch: cannot touch 'dir-root2/dir/file': No such file or directory
+# file: dir-root2
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+default:user::rwx
+default:user:22222:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+mkdir: cannot create directory 'dir-root2/dir': Permission denied
+touch: cannot touch 'dir-root2/dir/file': No such file or directory
+# file: dir-root2
+# owner: root
+# group: root
+user::rwx
+user:22222:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:22222:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+directory drwxrwxr-x 22222 0 4 'dir-root2/dir'
+# file: dir-root2/dir
+# owner: 22222
+# group: root
+user::rwx
+user:22222:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:22222:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+regular empty file -rw-rw-r-- 22222 0 0 'dir-root2/dir/file'
+# file: dir-root2/dir/file
+# owner: 22222
+# group: root
+user::rw-
+user:22222:rwx #effective:rw-
+group::r-x #effective:r--
+mask::rw-
+other::r--
+
+== cleanup
diff --git a/tests/sequence b/tests/sequence
index 1d099b85..16e0e465 100644
--- a/tests/sequence
+++ b/tests/sequence
@@ -1,6 +1,7 @@
 export-get-name-parent.sh
 basic-block-counts.sh
 basic-bad-mounts.sh
+basic-posix-acl.sh
 inode-items-updated.sh
 simple-inode-index.sh
 simple-staging.sh
diff --git a/tests/tests/basic-posix-acl.sh b/tests/tests/basic-posix-acl.sh
new file mode 100644
index 00000000..6b1e2064
--- /dev/null
+++ b/tests/tests/basic-posix-acl.sh
@@ -0,0 +1,110 @@
+
+#
+# test basic POSIX acl functionality.
+#
+
+t_require_commands stat rm touch mkdir getfacl setfacl id sudo
+t_require_mounts 2
+
+# from quota.sh
+TEST_UID=22222
+TEST_GID=44444
+
+# sys_setreuid() set fs[uid] to e[ug]id
+SET_UID="--ruid=$TEST_UID --euid=$TEST_UID"
+SET_GID="--rgid=$TEST_GID --egid=$TEST_GID --clear-groups"
+
+# helper to avoid capturing dates from ls output
+L() {
+ stat -c "%F %A %u %g %s %N" $@
+}
+
+echo "== setup test directory"
+cd "$T_D0"
+
+echo "== getfacl"
+L .
+getfacl .
+
+echo "== basic non-acl access through permissions"
+rm -rf dir-testuid
+mkdir dir-testuid
+ln -sf dir-testuid symlinkdir-testuid
+chown root:44444 dir-testuid
+L dir-testuid
+setpriv $SET_UID $SET_GID touch dir-testuid/file-group-write
+setpriv $SET_UID $SET_GID touch symlinkdir-testuid/symlink-file-group-write
+chmod g+w dir-testuid
+setpriv $SET_UID $SET_GID touch dir-testuid/file-group-write
+setpriv $SET_UID $SET_GID touch symlinkdir-testuid/symlink-file-group-write
+L dir-testuid/file-group-write
+L symlinkdir-testuid/symlink-file-group-write
+
+echo "== basic acl access"
+rm -rf dir-root
+mkdir dir-root
+ln -sf dir-root symlinkdir-root
+L dir-root
+setpriv $SET_UID touch dir-root/file-group-write
+setpriv $SET_UID touch symlinkdir-root/file-group-write
+setfacl -m u:22222:rwx dir-root
+getfacl dir-root
+setpriv $SET_UID touch dir-root/file-group-write
+setpriv $SET_UID touch symlinkdir-root/file-group-write
+L dir-root/file-group-write
+L symlinkdir-root/file-group-write
+
+echo "== directory exec"
+setpriv $SET_UID bash -c "cd dir-root && echo Success"
+setpriv $SET_UID bash -c "cd symlinkdir-root && echo Success"
+setfacl -m u:22222:rw dir-root
+getfacl dir-root
+setpriv $SET_UID bash -c "cd dir-root || echo Failed"
+setpriv $SET_UID bash -c "cd symlinkdir-root || echo Failed"
+setfacl -m g:44444:rwx dir-root
+getfacl dir-root
+setpriv $SET_GID bash -c "cd dir-root && echo Success"
+setpriv $SET_GID bash -c "cd symlinkdir-root && echo Success"
+
+echo "== get/set attr"
+rm -rf file-root
+touch file-root
+L file-root
+setpriv $SET_UID getfattr -d file-root
+setpriv $SET_UID setfattr -n "user.test1" -v "Success" file-root
+setpriv $SET_UID getfattr -d file-root
+setfacl -m u:22222:rw file-root
+getfacl file-root
+setpriv $SET_UID setfattr -n "user.test2" -v "Success" file-root
+setpriv $SET_UID getfattr -d file-root
+setfacl -x u:22222 file-root
+getfacl file-root
+setpriv $SET_UID setfattr -n "user.test3" -v "Success" file-root
+setpriv $SET_UID getfattr -d file-root
+setfacl -m g:44444:rw file-root
+getfacl file-root
+setpriv $SET_GID setfattr -n "user.test4" -v "Success" file-root
+setpriv $SET_GID getfattr -d file-root
+
+echo "== inheritance / default acl"
+rm -rf dir-root2
+mkdir dir-root2
+L dir-root2
+setpriv $SET_UID mkdir dir-root2/dir
+setpriv $SET_UID touch dir-root2/dir/file
+setfacl -m d:u:22222:rwx dir-root2
+getfacl dir-root2
+setpriv $SET_UID mkdir dir-root2/dir
+setpriv $SET_UID touch dir-root2/dir/file
+setfacl -m u:22222:rwx dir-root2
+getfacl dir-root2
+setpriv $SET_UID mkdir dir-root2/dir
+setpriv $SET_UID touch dir-root2/dir/file
+L dir-root2/dir
+getfacl dir-root2/dir
+L dir-root2/dir/file
+getfacl dir-root2/dir/file
+
+echo "== cleanup"
+
+t_pass
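Review bot: The steps that run with `$SET_GID` alone (`setpriv $SET_GID bash -c "cd dir-root && echo Success"` and `setpriv $SET_GID setfattr -n "user.test4" ...`) keep uid 0, which the golden output shows is the owner of `dir-root` and `file-root`, so the owner entry and root's capabilities decide access and the `g:44444` entries are never consulted; these steps print Success whether or not group ACLs are enforced. Running them as a non-root uid with no named-user entry would make the group entry decide, e.g. `setpriv $SET_UID $SET_GID setfattr -n "user.test4" -v "Success" file-root` (the `u:22222` entry is already removed at that point; the directory case needs its `u:22222:rw` entry removed first). `t_require_commands` lists `id` and `sudo`, which the script never calls, and omits `setpriv`, `getfattr`, `setfattr`, `ln`, `chown` and `chmod`: `t_require_commands stat rm touch mkdir ln chown chmod getfacl setfacl getfattr setfattr setpriv`. Every check also goes through `$T_D0` although `t_require_mounts 2` is requested, so an ACL changed on one mount is never re-checked from the other, which is the case the now-unconditional `set_cached_acl()` calls in kmod/src/acl.c make worth covering. `L()` should pass `"$@"` quoted.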