ACL + excel = problems with permissions

[sylvain.david at etranges-libellules.fr]

Hi I have the same problem, and I hope you'll have the time to answer me.

My system is :
Debian Sarge (stable) + samba Version 3.0.14a-Debian + ext3 acl enabled
my smb.conf is joined in this email
my client are under windows XP SP1, windows XP SP2, windows 2000 SP4.
They all use Office Xp 2003 (I'm lucky, they didn't have a lot of 
version of office...)

Description of the problem : Office modify ACLs on saving file and put 
read only.

- ACL status before : getfacal  file01.xls :
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---

- user A, wich is in Projet_01 group, open file01.xls with excel 2003 
and press ctrl S to save his modification. he get an error message : 
share violation : file is stored, but re-open read only
- ACL status : getfacl file01.xls :
# owner: userA
# group: root
user::r--
user:root:rwx
user:reunion:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---

I noticed that :
- user can through the security properties of the file get back the good 
rights rwx. but... my users find that boring and they're right.
- if user have explicit rwx right on the file, even if he's not the 
owner, there is no problem.
- this doesn't appened on windows 2000 server
- force create mode or create mask seems to change nothing.

So, this appened when a user modify a file that he's not the owner AND 
he don't have explicit rights AND with a microsoft office application.

I think about a few solution, but i find all of them "dirty". Here they 
are :
1) using open office.
  -> If I could, I surely do it, but, I need time to convert 60 people 
loving excel and word to calc and writer. Even if they are all 
programmers, trying to change habits is really hard. We exchange 
documentation with other society which use ... ... excel, so for 
compatibility reasons, we need excel. So even if it's a good solution, 
it's hard to choose this solution. And... what if i noticed this problem 
with another application ? This solution doesn't solve the problem at 
the server side, but only in client side...

2) using a file monitor.
 -> using gamin or any other file monitor to watch .xls and .doc file. 
if a file is touched then apply the good rights (with the default right 
of the parent directory...) This solution is dirty because my server 
contain, a very very very lot of file, and I think it's a bottleneck 
solution parsing all directories all the time. And, in real situation, 
the error message of excel will appear anyway, because of the timing.

3) hack samba code and add a trigger on write file, to execute a script 
wich force to set the good ACL?
-> probably a bottleneck solution... but... the best for me... but, I 
don't have the level to code it.

4) use the "force user" argument in smb.conf
-> it works. but... loosing the owner notion of the whole file system is 
a desperate solution.

5) use explicit user rights on every files.
-> it works too. but it remove all the magic of using group. And for now 
I have "only" 60 users... and what will I do with 200 ?

6) is there any office patch or registry key or office config, or voodoo 
danse to do in order to repair the special way of save of microsoft office ?
-> i found nothing on my friend google.

7) sending an email and pray you'll answer me something like : "I found 
an evident solution and here it is" :)
-> I'm praying

-- 
Sylvain DAVID / administrateur réseau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --