[Samba] samba 3.0.22 default ACL issue

simo idra at samba.org
Wed Jul 12 15:30:13 GMT 2006


Sylvain, if I understand your problem correctly, you are getting problems
with a Windows "feature".

IIRC what happens is that when you copy a directory, Windows also changes
the ACLs to match those on its own filesystem (if it recognizes that the
user belongs to the domain).

I don't think this is a samba problem.

Simo.

On Wed, 2006-07-12 at 17:12 +0200, sylvain.david at etranges-libellules.fr wrote:
> Hi,
> 
> I sent an email on the mailing list of bestbits 
> (http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) 
> because if nobody answers on this mailing list, it's probably directly 
> linked to ACLs?
> But, I really don't know if the problem is only with bestbits or only 
> with samba because I can reproduce the bug only in samba, not in the 
> console. So this bug seems to be linked to samba?
> 
> Am I the only one who would like to use ACLs? Is there any other 
> solution to have fine-grained access rules which works with samba? 
> (like trustees)
> because if default ACLs don't work, I think using ACLs is nonsense.
> 
> For the while - hoping this bug will be fixed sometime - I use a dirty 
> script run by cron which checks & fixes ACLs.
> I know it's dirty... but do I have any other choice?
> 
> I give up on this mystery. I'm too tired.
> 
> sylvain.david at etranges-libellules.fr wrote:
> > Hi,
> >
> > I use samba 3.0.22 as PDC on Debian with workstations under Windows XP 
> > SP1 and SP2.
> > I use ACLs to have fine-grained access rules.
> >
> > When I copy a directory from a client to a samba share, default ACLs 
> > are forgotten.
> > example: after I copy the directory A to the samba share:
> > getfacl A/
> > # file: A/
> > # owner: user1
> > # group: sambausers
> > user::rwx
> > group::---
> > other::---
> > default:user::rwx
> > default:group::---
> > default:other::---
> >
> > But the parent directory has default ACLs, I can prove it:
> > getfacl .
> > # file: .
> > # owner: user1
> > # group: sambausers
> > user::rwx
> > user:root:rwx
> > user:bacula:r-x
> > group::---
> > group:sambaguests:rwx
> > group:User_Standard:rwx
> > group:User_Lead:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:bacula:r-x
> > default:group::---
> > default:group:sambaguests:rwx
> > default:group:User_Standard:rwx
> > default:group:User_Lead:rwx
> > default:mask::rwx
> > default:other::---
> >
> > Is it a bug? Default ACLs are applied if I copy files, so why the 
> > different behavior between directories and files?
> > I noticed that it happens only to local directories which belong to 
> > MYDOMAIN\user.  If the owner of the local directory is 
> > LOCALCOMPUTER\user the default ACLs are applied correctly. But once 
> > again, it concerns only directories. When the file belongs to 
> > MYDOMAIN\user, ACLs are applied correctly.
> >
> > All I want is for default ACLs to be applied all the time, whatever 
> > the owner of the local directory.
> >
> > I tried playing with "directory security mask", "force directory 
> > security mode" and "inherit permissions" without success.
> > Thank you for your help, I really don't know what to do.
> >
> > My smb.conf looks like this:
> >
> > # -----------------------------------------------------------------------------
> > # Global parameters
> > # -----------------------------------------------------------------------------
> >
> > [global]
> >        dos charset = 850
> >        unix charset = ISO8859-1
> >        workgroup = elb-lyon
> >        netbios name = server02
> >        server string = server02.elb-lyon
> >        os level = 65
> >        domain logons = Yes
> >        domain master = Yes
> >        local master = Yes
> >        preferred master = Yes
> >        wins support = Yes
> >
> >        obey pam restrictions = Yes
> >        passdb backend = tdbsam, guest
> >        passwd program = /usr/bin/passwd %u
> >        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> >        passwd chat debug = Yes
> >        pam password change = Yes
> >        unix password sync = Yes
> >
> >        syslog = 0
> >        log level = 2
> >        # log level max = 10
> >        log file = /var/log/samba/log.%m
> >        max log size = 25600
> >        dns proxy = No
> >        panic action = /usr/share/samba/panic-action %d
> >        invalid users = root2
> >
> >        # default samba user settings
> >        logon drive = P:
> >        logon home = \\server02\%U
> >        logon path = \\server02\profiles\%U
> >        logon script = %U.cmd
> >
> >        # automatic POSIX account management :)
> >        # POSIX account management
> >        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
> >        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
> >        add group script = /usr/sbin/groupadd '%g'
> >        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
> >        delete user script = /usr/sbin/userdel -r '%u'
> >        delete group script = /usr/sbin/groupdel '%g'
> >        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
> >        set primary group script = /usr/sbin/usermod -g '%g' '%u'
> >
> >        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
> >
> >        guest account = guest
> >
> >        hosts allow = 192.168.0. 127.
> >
> > # -----------------------------------------------------------------------------
> > # Required for the domain
> > # -----------------------------------------------------------------------------
> >
> > [homes]
> >        path = /mnt/SAN01/vd3_home2/home2/%u
> >        comment = Home Directories
> >        valid users = %S
> >        guest ok = No
> >        writable = Yes
> >        create mask = 0700
> >        directory mask = 0700
> >        browseable = No
> >
> > [netlogon]
> >        path = /mnt/SAN01/vd3_home2/netlogon
> >        comment = Partage NetLogon
> >        valid users = @sambausers @sambaguests root
> >        guest ok = No
> >        read only = Yes
> >        browseable = No
> >
> > [profiles]
> >        path = /mnt/SAN01/vd3_home2/profiles
> >        comment = Profils utilisateurs
> >        valid users = @sambausers @sambaguests root
> >        guest ok = No
> >        writable = Yes
> >        create mode = 0700
> >        browseable = No
> >
> > # -----------------------------------------------------------------------------
> > # Shares
> > # -----------------------------------------------------------------------------
> >
> > [vd1_echange]
> >        comment = Zone d'echange.
> >        path = /mnt/SAN01/vd1_echange
> >        valid users = root @sambaadmins @sambaguests @User_Standard
> >        guest ok = No
> >        writable = Yes
> >        create mask = 0770
> >        directory mask = 0770
> >        browseable = yes
> >        # inherit permissions = yes
> >        inherit acls = yes
> >        hide unreadable = Yes
> >        # directory security mask = 0000
> >        # force directory security mode = 0777
> >
> >
> >
> 
> -- 
> Sylvain DAVID / network administrator
> 
>          adr : Etranges Libellules
>   .~.          17 Rue des Archers
>   /v\          69002 LYON
>  /(°)\   tel : 04 72 40 24 72
>  ^^-^^   fax : 04 72 40 27 19
> 
>   www.etranges-libellules.fr
>                                    --
> 
-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
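The cron job Sylvain describes, which checks and fixes ACLs after the fact, is easy to get wrong if it simply re-applies a fixed ACL to everything. The script below is an added example, not code from this thread or from the Samba project: it parses getfacl listings, compares each subdirectory with its parent's default ACL (the inheritance rule the original post expects), and builds, without running it, the setfacl command that would restore the missing entries. It assumes the getfacl output format and setfacl entry syntax of the Linux acl package; the two sample listings embedded as constructed input are the ones quoted above, and the function names (parse_getfacl, audit_tree, repair_command) are the example's own.

```python
"""Audit whether subdirectories carry the parent's default ACL (added example, not thread or Samba code)."""
import os
import shlex
import subprocess
import sys

# Constructed sample input: the parent directory listing quoted in the thread.
PARENT_ACL = """\
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---
"""

# Constructed sample input: the copied directory A/ whose defaults were lost.
CHILD_ACL = """\
# file: A/
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
"""

def parse_getfacl(text):
    """Parse a getfacl listing into (access, default) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":
            target, parts = default, parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unexpected ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        target[(tag, qualifier)] = perms
    return access, default

def missing_defaults(parent_default, child_default):
    """Default entries the child should have inherited but lacks or stores differently."""
    return {k: p for k, p in parent_default.items() if child_default.get(k) != p}

def missing_access(parent_default, child_access):
    """Named entries and mask that a directory created under the parent copies from
    the parent's default ACL into its own access ACL, but which this child lacks."""
    return {k: p for k, p in parent_default.items()
            if (k[1] or k[0] == "mask") and k not in child_access}

def repair_command(path, missing_default, missing_access_entries):
    """Build, without running it, the setfacl argv that restores the missing entries."""
    specs = [f"d:{t}:{q}:{p}" for (t, q), p in missing_default.items()]
    specs += [f"{t}:{q}:{p}" for (t, q), p in missing_access_entries.items()]
    return ["setfacl", "-m", ",".join(specs), path]

def run_getfacl(path):
    """Read a real path's ACL with getfacl (-p keeps leading slashes in the header)."""
    return subprocess.run(["getfacl", "-p", path], capture_output=True,
                          text=True, check=True).stdout

def audit_tree(root, read_acl=run_getfacl):
    """Yield (child, missing_default, missing_access) for every subdirectory
    whose ACL diverges from its parent's default ACL."""
    for parent, dirs, _files in os.walk(root):
        _, parent_default = parse_getfacl(read_acl(parent))
        if not parent_default:
            continue  # nothing to inherit from this parent
        for name in dirs:
            child = os.path.join(parent, name)
            child_access, child_default = parse_getfacl(read_acl(child))
            md = missing_defaults(parent_default, child_default)
            ma = missing_access(parent_default, child_access)
            if md or ma:
                yield child, md, ma

if __name__ == "__main__":
    for child, md, ma in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{child}: {len(md)} default / {len(ma)} access entries missing")
        print("  fix:", shlex.join(repair_command(child, md, ma)))
```

Run against the share root (for example `python3 aclaudit.py /mnt/SAN01/vd1_echange`) it prints each divergent subdirectory and the setfacl command that would bring it back in line, so the cron job can log what it changes rather than blindly rewriting every ACL. Comparing against the parent's actual default ACL rather than a hard-coded list keeps the check correct when a subtree legitimately carries a different policy.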