[Samba] 3.0.24 and disappearing ACL entries

Aaron Kincer kincera at gmail.com
Mon May 7 15:28:25 GMT 2007 

I figured it out in general over the weekend. I didn't have all the 
right smb.conf entries. Somehow they were removed. I think SWAT did it. 
I won't be using it anymore as a result. I'm sure there's good logic 
behind it removing smb.conf entries, but I'm not going to try to parse 
them out. I'll use vi and avoid it assuming it knows something I don't.

These are the settings I had to add back in to fix it:

[global]

kernel oplocks = yes
client use spnego = yes
server signing = auto
disable netbios = no
netbios name = <your_server_shortname>
announce as = NT Server
announce version = 4.9
browse list = yes
force create mode = 0760
nt acl support = yes
client signing = auto

I'm not sure which combination of these is the magic bullet. Some of 
these settings may be superfluous and/or unnecessary. I just noticed 
they were missing and added them back in and suddenly -- voila! On my 
list of things to do is test and see which ones are the culprit.

Here's how it works--

Before user1 modification:

owner: user2:rwx
group: somedomaingroup:rwx
faclgroup: domain users:rwx

After user1 modification:

owner: user1:rwx
group: domain users:rwx
faclgroup: somedomaingroup:rwx

After user2 modifies it after user1:

owner: user2:rwx
group: somedomaingroup:rwx
faclgroup: domain users:rwx

The key (I believe) is that somedomaingroup is user2's primary group. It 
seems that Samba is swapping out group ownership between the POSIX ACL 
and the file system ACL and changing owners. Kind of strange, but if it 
works, I'm not overly concerned. But this is where the wheels were 
coming off as best I can tell. The swap wasn't completely working and 
the POSIX ACLs weren't being updated with the old group information. 
They were simply being removed.

Anyone else out there got any input?


Carlos Eduardo Pedroza Santiviago wrote:
> Hi,
>
> On 5/1/07, Aaron Kincer <kincera at gmail.com> wrote:
>> I've been working at this for a few days now and I can't figure out what
>> is broken. Google turns up similar issues from years back, but I hope
>> this is a bug resurfacing. ACL entries are being deleted when files are
>> saved. Here is an example:
>>
>
> Any info on this? I'm having similar problems, when a user with the M$
> Suite saves his files.
>
> $ getfacl *
> # file: teste.doc
> # owner: cadu
> # group: XXXEMP
> user::rwx
> group::rwx
> group:XXXAED:rwx
> group:XXXEXT:r-x
> group:XXXGES:rwx
> mask::rwx
> other::---
>
> # file: teste.ods
> # owner: cadu
> # group: XXXEMP
> user::rwx
> group::rwx
> group:XXXAED:rwx
> group:XXXEMP:rwx
> group:XXXEXT:r-x
> group:XXXGES:rwx
> mask::rwx
> other::---
>
> After saving file "teste.doc", it removed the ACL for the EMP group.
> That didn't happen when i saved "teste.ods", using OpenOffice suite.
>

More information about the samba mailing list