[Samba] Samba PDC + ACL : default ACLs ignored on directory

sylvain.david at etranges-libellules.fr sylvain.david at etranges-libellules.fr
Thu Jun 29 07:57:59 GMT 2006


Hi all,

I use Debian Sarge and Samba 3.0.22 with ACLs. The server is a PDC. I 
have about 70 client workstations running both Windows XP SP1 and SP2.

All works pretty well, except for directory copies, which forget the ACLs in one 
particular case:
When a client copies a local directory onto a samba share, the default ACLs 
aren't applied. But this problem occurs only when the owner of the client's local 
directory is DOMAIN\USER. If the owner of the client's local directory is 
LOCALPC\USER, the default ACLs are applied during the copy.
In fact I wonder if this is the normal behavior of Samba: if the owner 
is the domain user, perhaps samba tries to copy the ACLs along with the file? 
But that's not what I want samba to do. I would like only the 
default ACLs to be applied. And the thing which makes me think that 
it's a bug is that this behavior is not happening on a file copy: a 
local file owned by DOMAIN\USER copied onto a samba share gets the default 
ACLs of the directory into which it is copied.

So, I think I have 3 solutions:
- create all the groups and all the users on all the workstations, and then 
set the local security correctly on every workstation directory tree. 
But this is impossible because I'm alone to manage all the workstations, 
and new users are created and old ones deleted every month
- make a script watching the ACLs on the server. But this is dirty...
- hope there's a solution in configuration or a patch. I tried "security 
mask" and "directory security mode" to prevent users from modifying ACLs; 
it works, but only on POSIX, and the default ACLs are still forgotten. 
"inherit permissions" is not the solution either.

In fact the dream solution would be a way to make samba 
totally ignore the local security and apply the server security. But how?

Here's my smb.conf :

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
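[global]
        # Character sets: DOS code page 850 on the wire, Latin-1 on disk
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = elb-lyon
        netbios name = server02
        server string = server02.elb-lyon

        # Domain controller, domain/local master browser and WINS server
        # for the elb-lyon domain
        os level = 65
        domain logons = Yes
        domain master = Yes
        local master = Yes
        preferred master = Yes
        wins support = Yes

        # Password handling: keep the UNIX password in sync with the SMB one
        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        # The whole chat is one value on a single line
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        # With passwd chat debug on, the chat exchange (including the new
        # password) is written to the smbd log at debug level 100; keep it
        # off unless actively troubleshooting password sync.
        passwd chat debug = Yes
        pam password change = Yes
        unix password sync = Yes

        # Logging: one log file per client machine, capped at 25600 KB
        syslog = 0
        log level = 2
        # log level max = 10
        log file = /var/log/samba/log.%m
        max log size = 25600
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        # NOTE(review): only root2 is denied here; root is listed in the
        # 'valid users' of several shares below - confirm that is intended.
        invalid users = root2

        # Default per-user settings: home drive, roaming profile, logon script
        logon drive = P:
        logon home = \\server02\%U
        logon path = \\server02\profiles\%U
        logon script = %U.cmd

        # Automatic POSIX account management: machine and user accounts
        # get no home directory and no login shell
        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
        add group script = /usr/sbin/groupadd '%g'
        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
        # NOTE(review): -r also removes the account's home directory, and
        # the accounts created above have home /dev/null - confirm userdel
        # handles that safely.
        delete user script = /usr/sbin/userdel -r '%u'
        delete group script = /usr/sbin/groupdel '%g'
        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
        set primary group script = /usr/sbin/usermod -g '%g' '%u'

        # Hide filesystem housekeeping entries from clients
        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

        guest account = guest

        # Only the LAN (192.168.0.0/24) and loopback may connect
        hosts allow = 192.168.0. 127.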

# -----------------------------------------------------------------------------
# Necessaire Domaine
# -----------------------------------------------------------------------------
[homes]
        comment = Home Directories
        path = /mnt/SAN01/vd3_home2/home2/%u
        # %S expands to the service name, which for [homes] is the
        # connecting user's own name
        valid users = %S
        guest ok = No
        browseable = No
        writable = Yes
        # Private to the owner
        create mask = 0700
        directory mask = 0700

[netlogon]
        comment = Partage NetLogon
        path = /mnt/SAN01/vd3_home2/netlogon
        # Logon scripts are served from here; clients only read them
        valid users = @sambausers @sambaguests root
        guest ok = No
        browseable = No
        read only = Yes

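[profiles]
        comment = Profils utilisateurs
        path = /mnt/SAN01/vd3_home2/profiles
        valid users = @sambausers @sambaguests root
        guest ok = No
        browseable = No
        writable = Yes
        # 'create mask' is the name used everywhere else in this file
        # ('create mode' is its synonym); profile files are owner-private
        create mask = 0700
        # NOTE(review): no 'directory mask' is set here, so new profile
        # subdirectories get Samba's default rather than 0700 - confirm
        # that is intended.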

# -----------------------------------------------------------------------------
# Imprimantes
# -----------------------------------------------------------------------------
[printers]
        comment = All printers
        # Spool directory
        path = /tmp
        valid users = @sambausers
        guest ok = No
        browseable = No
        printable = Yes
        # Spool files are owner-private
        create mask = 0700

[print$]
        # Driver download share; no write access is granted here
        path = /var/lib/samba/printers
        comment = Printer Drivers

# -----------------------------------------------------------------------------
# Partages :)
# -----------------------------------------------------------------------------
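[vd1_echange]
        comment = Zone d'echange interne et FTP Pantin.
        path = /mnt/SAN01/vd1_echange
        valid users = root @sambaadmins @sambaguests @User_Standard
        guest ok = No
        # Same capitalisation as the other shares
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes
        # Disabled; left from an earlier attempt to lock the security
        # descriptor. They have no effect while commented out.
        # directory security mask = 0000
        # force directory security mode = 0777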

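[vd2_gestion]
        comment = Administration, compta, gestion.
        path = /mnt/SAN01/vd2_gestion
        # One space-separated list on a single line, like the other shares
        valid users = root @sambaadmins @Gestion_Level0 @Gestion_Level1 @Gestion_Level2 @Gestion_Level3
        guest ok = No
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes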

[vd3_home2]
        comment = Dossiers privés
        # Parent of the per-user home directories; admins only
        path = /mnt/SAN01/vd3_home2
        valid users = root @sambaadmins
        guest ok = No
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes
        # No client-side (offline) caching of this share
        csc policy = disable

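[vd4_archive]
        comment = Archives Design, Develop, Graphisme, Logiciels
        path = /mnt/SAN01/vd4_archive
        # One space-separated list on a single line, like the other shares
        valid users = root @sambaadmins @User_Standard @Archive_Develop @Archive_Design @Archive_Graphisme @Archive_Logiciels
        guest ok = No
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes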

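[vd5_projet]
        comment = Les Projets
        path = /mnt/SAN01/vd5_projet
        # One space-separated list on a single line, like the other shares
        valid users = root @sambaadmins @Projet_one @Projet_two @Projet_three @Projet_four
        guest ok = No
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes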

[vd6_backup]
        comment = Backups [reservé admin]
        path = /mnt/SAN01/vd6_backup
        # Administrators only
        valid users = root @sambaadmins
        guest ok = No
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes

[vd7_video]
        comment = Montages Videos
        path = /mnt/SAN01/vd7_video
        valid users = root @sambaadmins @User_MontageVideo
        guest ok = No
        browseable = Yes
        writable = Yes
        # Group-writable, nothing for others
        create mask = 0770
        directory mask = 0770
        # New files and directories take the parent's default ACL
        inherit acls = yes
        hide unreadable = Yes


-- 
Sylvain DAVID / administrateur réseau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --


