Inconsistent behaviour with Posix ACL between Win2K and Samba 3

Nicholas Drouet nick_drouet at uk.ibm.com
Wed Dec 17 16:04:58 GMT 2003





This is my scenario.


On my Windows 2000 server...

I create a folder called share1
I share this as share1
On the Security tab -
I remove the Everyone permission (requiring the uncheck Allow Inheritable
Permissions checkbox)

Add UKAD\Domain Admins Full Control
Add UKAD\Group1 Full Control

Log onto client in domain (Win XP)
I map a drive to the share created above
I create a folder in the mapped drive

The permissions on the new folder are

UKAD\Domain Admins FC
UKAD\Group 1      FC
Owner of file is user1 at ukad.drouet.co.uk

This is as expected.

On Linux server

mkdir /share1
chmod 770 share1

This gives a directory as below.

drwxrwx---    2 root     root         4096 Dec 17 15:31 share1

I want this to be owned by UKAD\Domain Admins so...

chgrp "UKAD+Domain Admins" share1

to give the following

drwxrwx---    2 root     UKAD+Domain Admins     4096 Dec 17 15:31 share1

I'll need to set some POSIX ACLs to allow my user in UKAD\Group 1 to have
access to this directory

# file: .
# owner: root
# group: UKAD+Domain Admins
user::rwx
group::rwx
other::---

This has no default ACL so I'll add domain admins as a default acl for this
directory

sles:/share1 # setfacl -m "default:g:UKAD+Domain Admins:rwx" .
sles:/share1 # getfacl .
# file: .
# owner: root
# group: UKAD+Domain Admins
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:UKAD+Domain Admins:rwx
default:mask::rwx
default:other::---

sles:/share1 # setfacl -m g:UKAD+Group1:rwx .
sles:/share1 # getfacl .
# file: .
# owner: root
# group: UKAD+Domain Admins
user::rwx
group::rwx
group:UKAD+Group1:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:UKAD+Domain Admins:rwx
default:mask::rwx
default:other::---

Now I create the share in smb.conf

[share1]
        path = /share1
        browseable = no
        read only = no
        inherit acls = yes
        inherit permissions = yes
        create mask = 700
        directory mask = 700

Now I map a drive from my client

net use * \\sles\share1

I create a file in my mapped drive and check the permissions

I get

UKAD\Domain Admins            FC
UKAD\Domain Users       FC
user1 at ukad.drouet.co.uk       FC
Everyone                None

>From what I can see, the POSIX Default Group (as shown in MMC) is being
added as the group owner:

sles:/share1 # getfacl New\ Text\ Document.txt
# file: New Text Document.txt
# owner: UKAD.DROUET.CO.UK+user1
# group: UKAD+Domain Users
user::rwx
group::rwx
group:UKAD+Domain Admins:rwx
mask::rwx
other::---

and the Domain Admins group has been shunted to an ACL on the file. This is
different behaviour
to Windows, where additional domain groups aren't added to files - the
permissions on the
parent directory are inherited.

This will cause a problem in enterprise environments where a large number
of users will be in
Domain Users, potentially giving them access to files they shouldn't...

If I set the SUID bit on the directory for the group to force ownership to
Domain Admins (as
happens under Windows where Domain Admins normally have access to all files
on a server), the POSIX
default group is added as an additional ACL (again this is not as expected
on Windows)

What would be required here would be for the default POSIX group not to be
added to the ACL for a
file or directory i.e. only inherit what is explicitly set on the parent
folder.


The config for this server is as follows:

SUSE SLES 8
Samba 3.0.0
ADS mode, using Heimdal 0.6-latestsnapshot talking to a Win2k Active
Directory.

Regards,

Nick Drouet
Senior Technical Specialist
IBM Global Services
IBM Technical Council Member

please reply to nick_drouet at uk.ibm.com




More information about the samba-technical mailing list