AW: Problems with samba 2.2.2

jtrostel at snapserver.com jtrostel at snapserver.com
Thu Oct 25 07:22:04 GMT 2001


Good day! (I know a little German)

On 25-Oct-2001 Jörg Hänsel wrote:
> Hello (Hallo),
> thanks for your quick help. As you wrote I tried to be more precise.
> 
>> > I rebuilt the packages acl, acl-dev from oss.sgi.com and samba as debian
>> > packages.
>> > The ACLs and XFS seem work fine and pretty fast.
>>
>> This means that you can use 'chacl', 'getfacl', and 'setfacl'
>> correctly on an
>> XFS filesystem?
>>
> I have not much experience using ACLs but I tried some examples I found in
> different documents and they worked. I tested the behavior of writing to
> files and directories with different users.


Good.... first step is successful!
 
>> User manager for domains is running on the NT server.  I'm not
>> sure how it is
>> supposed to know about the groups you have assigned on the Samba
>> server. Does
>> 'getent group' show this user in your LOCAl 'smbdomadm' group?
> 
> You can run User manager for domains on a NT Workstation as well. I thought
> that it is just like a frontend for specific RPC on the PDC. Since I listed
> "smbdomadm" in the "domain admin group" param in smb.conf I expect smbdomadm
> to be a GLOBAL group in my domain. (Sure, on the samba server it is local.)
> So the user "haenseladmin" is definitely a member of the local unix group
> "smbdomadm" and of the global NT group "smbdomadm".
> I hope I understood the difference between local and global groups in NT
> Domains.

Hmmm.... I'm sure not the one to ask about this. Seems like the user would only
be in the local unix group smbdomadm.  Is the Samba server also acting as the
domain PDC? Then I can see the members of that group being in the global
"Domain Admins" group.
 
>> > ACLs do not work:
>> > -----------------
>> > When I use the ACL capable versions of samba the file security
>> dialog under
>> > Windows NT does not show the correct ACLs.
>> > I use Default ACLs. Perhaps this causes problems under windows NT.
>>
>> Please be more specific in how this is failing.  Are you setting
>> ACLs in Samba
>> that are not reflected when you try 'getfacl'?  Are you setting ACLs under
>> Linux that are not reflected when you look at them through the NT security
>> dialog?  What is the ACL set for your directory?  What is the
>> umask set as?

This is where it is interesting (and I think I can explain what's happening)
(It looks like it is doing 'the right thing')
 
> An example:
> I am logged in at the samba server as "haenseladm" with the following
> environment:
> unix umask 077
> umask of samba share: create mask=0600, directory mask: 0700
> groups: haenseladm (primary), smbdomadm (2nd)

What is the default ACL on the directory which represents the share?
 
> 1.) create a file in home
> 
> haenseladmin at reno:~$ touch test
> haenseladmin at reno:~$ ls -l
> total 0
> -rw-------    1 haensela haensela        0 Oct 25 12:30 test

OK... it created the file as would be expected.

> haenseladmin at reno:~$ getfacl test
># file: test
># owner: haenseladmin
># group: haenseladmin
> user::rw-
> group::---
> other::---

And the ACLs reflect this. (What does 'chacl -l test' say?)

> 
> 2.) logged in at a Windows NT Client as haenseladm:
> The Security Dialog in Windows Explorer says for the file "test":
> Everyone                (O) (take ownership) ???
> group haenseladmin      (O) ???
> haenseladmin            (RW) OK.

Yes... Samba is 'overloading' the 'take ownership' bit in NT to represent the
no permissions '---' in group and other.  'Take ownership' permission is not
supported in 'normal' linux/XFS.  

> When I close the dialog with OK and list the file under unix I get the
> following:
> haenseladmin at reno:~$ ls -l test
> -rw-rwx---    1 haensela haensela        0 Oct 25 12:30 test
> haenseladmin at reno:~$ getfacl test
># file: test
># owner: haenseladmin
># group: haenseladmin
> user::rw-
> group::---
> other::---
> mask::rwx

The 'ls -l' and the 'getfacl' results agree with one another.  The mask ACL
does get reset to 'rwx' by Samba.  If a 'mask' ACL exists, it becomes the
'normal' group permission, if it doesn't exist, the group ACL functions as you
would 'expect'.  It's in the posix ACL specification. (And it's confusing)
 
> So suddenly the mask appears! I am new to ACLs, so perhaps I understood
> something wrong. I don't understand why the group is rwx with --- and mask
> rwx. I thought that the mask is just for restricting group ownerships in the
> Access Control List and its bits are ANDed to the group bits, and so the
> corresponding list should be:
> -rw-------    1 haensela haensela        0 Oct 25 12:30 test


The permissions specified by the file class group permission bits correspond
to the permissions associated with the GROUP_OBJ entry if no MASK entry exists,
or with the MASK entry if the ACL contains a MASK entry.

> 3.) Again open the security dialog (Windows NT) and remove everyone and
> change permission of user/group "haenseladm" to full.
> 
> Result:
> haenseladmin at reno:~$ ls -l
> total 4
> -rwxrwx---    1 haensela haensela        0 Oct 25 12:30 test
> haenseladmin at reno:~$ getfacl test
># file: test
># owner: haenseladmin
># group: haenseladmin
> other::---
> user::rwx
> group::rwx
> mask::rwx
> 
> That seems to be OK.

Yes... although the 'ls -l' permissions are really reflecting

        rwx     rwx     ---
      owner    mask   other

> 4.) under unix:
> haenseladmin at reno:~$ su
> Password:
> reno:/home/haenseladmin# groupadd sambatest
> reno:/home/haenseladmin# usermod -G smbdomadm,sambatest haenseladmin
> reno:/home/haenseladmin# exit
> 
> 5.) Logging in again as haenseladmin
> haenseladmin at reno:~$ groups
> haenseladmin smbdomadm sambatest
> 
> 6.) At the NT Client:
> Add group "sambatest" with full access to the ACL of file "test"
> 
> 7.) At Unix:
> haenseladmin at reno:~$ getfacl test
># file: test
># owner: haenseladmin
># group: haenseladmin
> group:sambatest:rwx
> group::rwx
> user::rwx
> other::---
> mask::rwx
> 
> Seems to work as well.

That's good, it's adding in the supplemental groups without problem.
 
> I will do some other tests. After the initial errors are fixed the ACLs seem
> to work. But the NT ACL - POSIX ACL mapping when creating a file seems to
> fail.

It's really working, except for the automatic creation of the mask by Samba. 
There's a reason for that.... I just don't remember why it was deemed necessary
right now.

> Thanks a lot,
> Joerg

Sure...

-- 
John M. Trostel
Senior Software Engineer
Quantum Corp. / NASD
jtrostel at snapserver.com
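The mask rule John quotes from the POSIX ACL specification is the whole explanation for the confusing 'ls -l' output in step 2, and it is worth seeing worked through, because it means 'ls -l' can show group 'rwx' while the owning group actually has no access (and, with a restrictive mask, the reverse). The following is an added example, not code from this thread or from Samba: it parses 'getfacl' output (the step 2 and step 7 listings from the thread are embedded as sample input, plus a constructed variant with a 'r--' mask), computes the mode bits 'ls -l' would print, and computes the effective permission of each entry after ANDing with the mask. It never touches a real filesystem.

```python
"""Model of how POSIX ACL entries map to the mode bits that `ls -l` shows.

Added example (not code from the thread or from Samba). It implements the
rule quoted from the POSIX ACL specification (group bits of the file mode
come from MASK when present, else from GROUP_OBJ) and the AND-with-mask
rule for effective permissions. Sample getfacl output is copied from the
thread; nothing here touches a real filesystem.
"""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def perm_to_int(perms):
    """'rw-' -> 6, '---' -> 0."""
    return sum(bit for ch, bit in PERM_BITS if ch in perms)


def int_to_perm(value):
    """6 -> 'rw-'."""
    return "".join(ch if value & bit else "-" for ch, bit in PERM_BITS)


def parse_getfacl(text):
    """Parse `getfacl` output into (tag, qualifier, perm) tuples.

    Header lines ('# file: ...') and trailing '#effective:' annotations are
    dropped; only the ACL entries themselves are kept.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perm_to_int(perms)))
    return entries


def mode_string(entries):
    """The nine permission characters `ls -l` prints for this ACL.

    Owner and other bits come from the USER_OBJ and OTHER entries. The
    group bits come from the MASK entry when one exists, otherwise from
    GROUP_OBJ, which is exactly the rule the thread quotes.
    """
    lookup = {(tag, q): p for tag, q, p in entries}
    owner = lookup[("user", "")]
    other = lookup[("other", "")]
    group_bits = lookup.get(("mask", ""), lookup[("group", "")])
    return int_to_perm(owner) + int_to_perm(group_bits) + int_to_perm(other)


def effective_permissions(entries):
    """Permissions each entry actually grants once the mask is applied.

    GROUP_OBJ, named-user and named-group entries are ANDed with the mask;
    USER_OBJ and OTHER are never masked.
    """
    mask = next((p for tag, q, p in entries if tag == "mask"), None)
    effective = {}
    for tag, q, p in entries:
        if tag == "mask":
            continue
        is_masked = tag == "group" or (tag == "user" and q != "")
        if mask is not None and is_masked:
            p &= mask
        effective[f"{tag}:{q}"] = int_to_perm(p)
    return effective


# getfacl output from step 2 of the thread (after Samba added the mask).
STEP2 = """\
# file: test
# owner: haenseladmin
# group: haenseladmin
user::rw-
group::---
other::---
mask::rwx
"""

# getfacl output from step 7 of the thread (named group added from NT).
STEP7 = """\
# file: test
# owner: haenseladmin
# group: haenseladmin
group:sambatest:rwx
group::rwx
user::rwx
other::---
mask::rwx
"""

# Constructed variant: the step 7 entries with a restrictive mask, to show
# ls -l and effective access diverging in the other direction.
STEP7_READ_MASK = STEP7.replace("mask::rwx", "mask::r--")


def main():
    for name, text in (("step 2", STEP2), ("step 7", STEP7),
                       ("step 7 with mask r--", STEP7_READ_MASK)):
        entries = parse_getfacl(text)
        print(f"{name}: ls -l shows -{mode_string(entries)}")
        for who, perm in effective_permissions(entries).items():
            print(f"    {who:<18} effective {perm}")


if __name__ == "__main__":
    main()
```

Running it reproduces the thread: step 2 prints '-rw-rwx---' while the owning group's effective permission is '---', so a reviewer reading only 'ls -l' would overestimate group access; with the constructed 'r--' mask the named group 'sambatest' is listed 'rwx' in the ACL but effectively gets only 'r--'. When auditing a share, read 'getfacl' (which prints '#effective:' where the mask cuts an entry) rather than trusting the group column of 'ls -l'.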
