[Samba] Inheritance of ACLs with Samba

Miguel Medalha miguelmedalha at sapo.pt
Thu Nov 27 21:36:46 GMT 2008


Hello dear list members

I am not an experienced user of Samba, so I may be committing some basic 
mistake, but it seems to me that there is something wrong with the way 
Samba propagates ACLs. I tried versions 3.0.32 and 3.2.4 and the result 
is the same. This happens with "map acl inherit = yes" in smb.conf.

I have a directory (dir) with the following ACLs:

# file: dir
USER   Admin      rwx  rwx
user   Pencil     r-x  r-x
user   Admin      rwx  rwx
GROUP  Admins     rwx  rwx
group  Admins     rwx  rwx
group  Designers  r-x  r-x
mask              rwx  rwx
other             ---  ---

These ACLs appear under the "Advanced" tab of Windows XP ACL Editor as 
follows (for the sake of clarity I will omit CREATOR OWNER and CREATOR GROUP, 
which always get "Full Control" on "Subfolders and Files Only"):

Type   Name       Permission      Inherited from   Apply to
-----------------------------------------------------------------------------------
Allow  Admin      Full Control    <not inherited>  This folder, subfolders and files
Allow  Admins     Full Control    <not inherited>  This folder, subfolders and files
Allow  Everyone   None            <not inherited>  This folder, subfolders and files
Allow  Pencil     Read & Execute  <not inherited>  This folder, subfolders and files
Allow  Designers  Read & Execute  <not inherited>  This folder, subfolders and files


I now create "subdir1" inside "dir" and this is what I get:


Type   Name       Permission      Inherited from          Apply to
------------------------------------------------------------------------------------------
Allow  Admin      Full Control    \\testserver\admin\dir  This folder, subfolders and files
Allow  Admins     Full Control    \\testserver\admin\dir  This folder, subfolders and files
Allow  Admins     Full Control    <not inherited>         This folder only
Allow  Everyone   None            <not inherited>         This folder, subfolders and files
Allow  Pencil     Read & Execute  \\testserver\admin\dir  This folder, subfolders and files
Allow  Designers  Read & Execute  \\testserver\admin\dir  This folder, subfolders and files


There is now a duplicated entry for the owner group "Admins", *and 
always only for that group*, which applies to "This folder only". A 
"subdir2" inside "subdir1" will receive these same ACLs, and so on. A 
newly created file will receive two "Full Control" ACLs for Admin, one 
inherited from \\testserver\admin\dir and one "not inherited", as follows:


Type       Name      Permission      Inherited from           
-----------------------------------------------------------
Allow      Admin     Full Control    \\testserver\admin\dir
Allow      Admins    Full Control    \\testserver\admin\dir
Allow      Admins    Full Control     <not inherited>
Allow      Everyone  None             <not inherited>
Allow      Pencil    Read & Execute  \\testserver\admin\dir
Allow      Designers Read & Execute  \\testserver\admin\dir



If I turn off "map acl inherit" the duplication disappears and 
inheritance works as intended (from the default ACLs), although Windows 
ACL editor will report the ACLs as "not inherited".

I tried all possible combinations of ACLs with getfacl and the behaviour 
of the Owner Group is always different from the other entries.


The [global] section of my test smb.conf contains the following:

    server string =
    workgroup = test
    os level = 33
    interfaces = 127.0.0.1 eth0
    encrypt passwords = yes
    passdb backend = tdbsam:/etc/samba/passdb.tdb
    bind interfaces only = true
    security = user
    inherit acls = Yes
    map acl inherit = Yes
    acl group control = Yes
    store dos attributes = Yes
    map hidden = No
    map system = No
    map archive = No
    map readonly = No
    dos filemode = Yes


Is anyone else encountering this problem or am I committing some obvious 
error?

I would have a lot more to say about the way inheritance works (or 
doesn't work) from the Windows ACL editor, but that would make this a 
very long message...

I can't wait until Samba gets a proper Windows ACL implementation 
(through the VFS?) and we get done with this POSIX ACL thing (which by 
the way is not even a ratified standard...).

It would be great to hear some comment on this from the members of the 
list or any of the samba developers who can spare a minute.

A big thank you to all of the Samba team!
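
Added example, not part of the original post: a check that flags the symptom described above, a trustee holding both an inherited and a non-inherited ACE with the same type and mask. It assumes the ACL was dumped with smbcacls as `ACL:name:TYPE/flags/mask` lines; the sample dump is constructed to mirror the "subdir1" table, and `find_shadowing_aces` and the `TESTSERVER\` prefix are hypothetical names.

```python
import re
from collections import defaultdict

# Windows ACE flag bits; "I" (0x10) marks an ACE as inherited.
FLAG_BITS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "I": 0x10}
INHERITED = 0x10
ACE_RE = re.compile(
    r"^ACL:(?P<who>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>[^/]+)$")

# Constructed sample mirroring the "subdir1" listing (not real tool output).
SAMPLE = r"""REVISION:1
OWNER:TESTSERVER\Admin
GROUP:TESTSERVER\Admins
ACL:TESTSERVER\Admin:ALLOWED/OI|CI|I/FULL
ACL:TESTSERVER\Admins:ALLOWED/OI|CI|I/FULL
ACL:TESTSERVER\Admins:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/OI|CI/0x00000000
ACL:TESTSERVER\Pencil:ALLOWED/OI|CI|I/READ
ACL:TESTSERVER\Designers:ALLOWED/OI|CI|I/READ
"""

def parse_flags(text):
    """Accept a numeric ('0x13', '19') or symbolic ('OI|CI|I') flags field."""
    text = text.strip()
    if not text:
        return 0
    try:
        return int(text, 0)
    except ValueError:
        bits = 0
        for name in text.split("|"):
            bits |= FLAG_BITS[name]
        return bits

def find_shadowing_aces(dump):
    """Trustees with both an inherited and an explicit ACE of equal type and mask."""
    seen = defaultdict(set)
    for line in dump.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # REVISION, OWNER, GROUP and blank lines
        key = (m["who"], m["type"], m["mask"])
        seen[key].add(bool(parse_flags(m["flags"]) & INHERITED))
    return sorted(who for (who, _t, _m), kinds in seen.items()
                  if kinds == {True, False})

if __name__ == "__main__":
    for trustee in find_shadowing_aces(SAMPLE):
        print("duplicate inherited/explicit ACE for", trustee)
```
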

