[Samba] Samba4 - ACL not applied/followed (worked in samba 3.0.11)

Michal Hajek Hajek67 at gmail.com
Wed Nov 27 03:57:15 MST 2013


Hi.

samba 4.1.1. User has unix rights for writing, but samba denies write
access to him.

On samba server:
amistest@samba:~$ id
uid=6603(amistest) gid=20(users-nis)
groups=20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)

-> user amistest is in "poj" group

amistest@samba:~$ ls -ld ACLTEST
drwxrwxr-x+ 2 hrubos vema 4096 Nov 27 11:05 ACLTEST
amistest@samba:~$ getfacl ACLTEST/
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x

-> group poj can write in ACLTEST directory

amistest@samba:~$ touch ACLTEST/test
amistest@samba:~$ ls -l ACLTEST
total 4
-rw-rwxr--+ 1 hrubos   poj       0 Nov 27 10:54 POKUS
-rw-r--r--  1 amistest users-nis 0 Nov 27 11:35 test
amistest@samba:~$

-> user amistest can write in ACLTEST directory.

On PC, amistest logged into domain (sorry, it is in Czech):

S:\>dir ACLTEST

 Svazek v jednotce S je amistest.
 Sériové číslo svazku je EE7A-B776.

 Výpis adresáře S:\ACLTEST

27.11.2013  11:03    <DIR>          .
04.11.2013  09:52    <DIR>          ..
27.11.2013  10:54                 0 POKUS
27.11.2013  11:35                 0 test
               2 souborů,              0 bajtů
           Adresářů:     2,   Volných bajtů:    200 429 568

-> user amistest sees ACLTEST directory


S:\>net group /domain poj
Požadavek bude zpracován na primárním řadiči domény NIS.

Název skupiny     poj
Komentář

Členové

-----------------------------------------------------------------------
amistest             .....

Příkaz byl úspěšně dokončen.

-> user amistest is in "poj" group (seen from pc)


S:\>mkdir ACLTEST\testdir
Přístup byl odepřen.

-> user amistest can NOT write into the directory.

Homes section of smb.conf:

[homes]
        comment = Home Directories
        path = /home/%u
        read only = No
        create mask = 0700
        directory mask = 0700
        inherit acls = Yes
        browseable = No
        root preexec = /usr/local/bin/RPE '%u' 'HOMESHARE'

The same configuration worked in samba 3.0.11.

The questions are:
- how to check that samba 4.1.1 was compiled with acl support (I know it is
default, but...)?
- which parameter for samba 4.1.1 am I missing?

Thanks, Michal
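
The server-side check walked through in the message above (group list from `id`, then the ACL from `getfacl`) can be scripted. This is an added example, not part of the original post: it applies the POSIX ACL access-check order from acl(5), matching by name, to the quoted output. The function names are illustrative, and the embedded input is copied from the post as constructed sample data.

```python
import re

# Constructed sample input: the getfacl output and `id` group list quoted in the post.
GETFACL = """\
# file: ACLTEST
# owner: hrubos
# group: vema
user::rwx
group::rwx
group:poj:rwx
mask::rwx
other::r-x
"""
ID_GROUPS = "20(users-nis),2108(evis),2109(slp),2112(hernie),2126(poj),2133(hto),20000(users)"

def group_names(id_groups):
    """Extract group names from the groups= field printed by id."""
    return set(re.findall(r"\(([^)]+)\)", id_groups))

def parse_getfacl(text):
    """Return (owner, owning_group, access ACL entries) from getfacl output."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if m:
            meta[m.group(1)] = m.group(2)
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split()[0].split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def access_allowed(text, user, groups, want):
    """POSIX ACL access check (see acl(5)), matching by name; want is e.g. 'wx'."""
    owner, ogroup, entries = parse_getfacl(text)
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = lambda p: p if mask is None else p & mask
    if user == owner:  # the owner entry is never masked
        return want <= next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:  # a named user entry is limited by the mask
        if t == "user" and q == user:
            return want <= masked(p)
    hits = [masked(p) for t, q, p in entries
            if t == "group" and (q or ogroup) in groups]
    if hits:  # some group matched: one of them must grant every requested bit
        return any(want <= p for p in hits)
    return want <= next(p for t, q, p in entries if t == "other")
```

Creating a directory inside ACLTEST needs write and search permission on it, so the relevant call is `access_allowed(GETFACL, "amistest", group_names(ID_GROUPS), "wx")`.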

