ACL + excel = problems with permissions

sylvain.david at etranges-libellules.fr sylvain.david at etranges-libellules.fr
Mon Jun 19 16:49:21 GMT 2006


> Hi, I have the same problem, and I hope you'll have the time to answer me.
>
> My system is:
> Debian Sarge (stable) + samba Version 3.0.14a-Debian + ext3 acl enabled
> my smb.conf is attached to this email
> my clients are under Windows XP SP1, Windows XP SP2, Windows 2000 SP4.
> They all use Office XP 2003 (I'm lucky, they don't have a lot of
> versions of Office...)
>
> Description of the problem: Office modifies ACLs on saving a file and makes
> it read only.
>
> - ACL status before: getfacl file01.xls:
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:Projet_01:rwx
> mask::rwx
> other::---
>
> - user A, which is in the Projet_01 group, opens file01.xls with Excel 2003
> and presses Ctrl-S to save his modification. He gets an error message:
> share violation: file is stored, but re-opened read only
> - ACL status: getfacl file01.xls:
> # owner: userA
> # group: root
> user::r--
> user:root:rwx
> user:reunion:rwx
> group::---
> group:Projet_01:rwx
> mask::rwx
> other::---
>
> I noticed that:
> - the user can, through the security properties of the file, get back the
> good rights rwx. But... my users find that boring and they're right.
> - if the user has explicit rwx rights on the file, even if he's not the
> owner, there is no problem.
> - this doesn't happen on Windows 2000 Server
> - force create mode or create mask seems to change nothing.
>
> So, this happens when a user modifies a file that he doesn't own AND
> he doesn't have explicit rights AND with a Microsoft Office application.
>
> I thought about a few solutions, but I find all of them "dirty". Here
> they are:
> 1) using OpenOffice.
>  -> If I could, I surely would do it, but I need time to convert 60 people
> loving Excel and Word to Calc and Writer. Even if they are all
> programmers, trying to change habits is really hard. We exchange
> documentation with other companies which use ... ... Excel, so for
> compatibility reasons, we need Excel. So even if it's a good solution,
> it's hard to choose this solution. And... what if I notice this
> problem with another application? This solution doesn't solve the
> problem on the server side, but only on the client side...
>
> 2) using a file monitor.
> -> using gamin or any other file monitor to watch .xls and .doc files.
> If a file is touched then apply the good rights (with the default
> rights of the parent directory...). This solution is dirty because my
> server contains a very very very large number of files, and I think it's a
> bottleneck solution parsing all directories all the time. And, in a real
> situation, the error message of Excel will appear anyway, because of
> the timing.
>
> 3) hack the samba code and add a trigger on file write, to execute a
> script which forces setting the good ACL?
> -> probably a bottleneck solution... but... the best for me... but, I
> don't have the level to code it.
>
> 4) use the "force user" argument in smb.conf
> -> it works. But... losing the owner notion of the whole file system
> is a desperate solution.
>
> 5) use explicit user rights on every file.
> -> it works too. But it removes all the magic of using groups. And for
> now I have "only" 60 users... and what will I do with 200?
>
> 6) is there any Office patch or registry key or Office config, or
> voodoo dance to do in order to repair the special way of saving of
> Microsoft Office?
> -> I found nothing on my friend Google.
>
> 7) sending an email and praying you'll answer me something like: "I
> found an evident solution and here it is" :)
> -> I'm praying
>
Sorry, I forgot my smb.conf... Here it is.

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = elb-lyon
        netbios name = server02
        server string = server02.elb-lyon
        os level = 65
        domain logons = Yes
        domain master = Yes
        local master = Yes
        preferred master = Yes
        wins support = Yes

        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        passwd chat debug = Yes
        pam password change = Yes
        unix password sync = Yes

        syslog = 0
        log level = 2
        # log level max = 10
        log file = /var/log/samba/log.%m
        max log size = 10000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        invalid users = root2

        # default per-user samba parameters
        logon drive = P:
        logon home = \\server02\%U
        logon path = \\server02\profiles\%U
        logon script = %U.cmd

        # automatic POSIX account management :)
        # POSIX account management
        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
        add group script = /usr/sbin/groupadd '%g'
        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
        delete user script = /usr/sbin/userdel -r '%u'
        delete group script = /usr/sbin/groupdel '%g'
        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
        set primary group script = /usr/sbin/usermod -g '%g' '%u'

        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

        guest account = guest

        hosts allow = 192.168.0. 127.

# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
[homes]
        path = /mnt/SAN01/vd3_home2/home2/%u
        comment = Home Directories
        valid users = %S
        guest ok = No
        writable = Yes
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        path = /mnt/SAN01/vd3_home2/netlogon
        comment = Partage NetLogon
        valid users = @sambausers @sambaguests root
        guest ok = No
        read only = Yes
        browseable = No

[profiles]
        path = /mnt/SAN01/vd3_home2/profiles
        comment = Profils utilisateurs
        valid users = @sambausers @sambaguests root
        guest ok = No
        writable = Yes
        create mode = 0700
        browseable = No

# -----------------------------------------------------------------------------
# Printers
# -----------------------------------------------------------------------------
[printers]
        path = /tmp
        comment = All printers
        valid users = @sambausers
        guest ok = No
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

# -----------------------------------------------------------------------------
# Shares :)
# -----------------------------------------------------------------------------
[vd1_echange]
        comment = Zone d'echange interne et FTP Pantin.
        path = /mnt/SAN01/vd1_echange
        valid users = root @sambaadmins @sambaguests @User_Standard
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes

[vd2_gestion]
        comment = Administration, compta, gestion.
        path = /mnt/SAN01/vd2_gestion
        valid users = root @sambaadmins @Gestion_Level0, @Gestion_Level1, @Gestion_Level2, @Gestion_Level3
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes

[vd3_home2]
        comment = Dossiers privés
        path = /mnt/SAN01/vd3_home2
        valid users = root @sambaadmins
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes
        csc policy = disable

[vd4_archive]
        comment = Archives Design, Develop, Graphisme, Logiciels
        path = /mnt/SAN01/vd4_archive
        valid users = root @sambaadmins @User_Standard, @Archive_Develop, @Archive_Design, @Archive_Graphisme, @Archive_Logiciels
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes

[vd5_projet]
        comment = Les Projets
        path = /mnt/SAN01/vd5_projet
        valid users = root @sambaadmins @Projet_Asterix1, @Projet_Asterix2, @Projet_Asterix3, @Projet_AsterixCleopatre, @Projet_KetKal, @Projet_LaLune, @Projet_LuckyLuke, @Projet_PProject, @Projet_Tintin, @Projet_Wayans, @Projet_Zeus, @Projet_Arthur, @Projet_Commun, @Projet_Recherches @User_Sourcesafe
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes

[vd6_backup]
        comment = Backups [reservé admin]
        path = /mnt/SAN01/vd6_backup
        valid users = root @sambaadmins
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes

[vd7_video]
        comment = Montages Videos
        path = /mnt/SAN01/vd7_video
        valid users = root @sambaadmins @User_MontageVideo
        guest ok = No
        writable = Yes
        #force create mode = 0770
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit permissions = yes
        inherit acls = yes
        hide unreadable = Yes

-- 
Sylvain DAVID / administrateur réseau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --
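An added example, not from the original post: a minimal Python implementation of the POSIX.1e ACL access check, in the order the Linux kernel's posix_acl_permission() uses, run over the two getfacl dumps quoted above. It shows why user A ends up read only after the save: once user A owns the new file, the owner entry user::r-- is evaluated first and the group:Projet_01:rwx entry is never consulted, while every other member of Projet_01 still gets rwx. The user names and the group membership (userA in Projet_01) come from the post; the function names are my own.

```python
# Constructed from the getfacl output quoted above: before and after Excel's save.
ACL_BEFORE = """\
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---
"""
ACL_AFTER = """\
# owner: userA
# group: root
user::r--
user:root:rwx
user:reunion:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, {(tag, qualifier): set of r/w/x bits})."""
    hdr = dict(ln[2:].split(": ", 1) for ln in text.splitlines() if ln.startswith("# "))
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = set(perms) - {"-"}
    return hdr["owner"], hdr["group"], entries

def may_access(acl, uid, groups, want):
    """Kernel posix_acl_permission() order; the mask filters all but owner/other entries."""
    owner, owning_group, e = acl
    mask = e.get(("mask", ""), set("rwx"))
    if uid == owner:  # owner entry decides; group entries are never consulted
        return want <= e[("user", "")]
    if ("user", uid) in e:
        return want <= e[("user", uid)] & mask
    keys = ([("group", "")] if owning_group in groups else []) + [("group", g) for g in groups]
    hits = [e[k] & mask for k in keys if k in e]
    if hits:  # a group entry matched: grant only if one of them suffices
        return any(want <= h for h in hits)
    return want <= e[("other", "")]

def effective_perms(acl, uid, groups):
    """Bits the caller can exercise one at a time (what a user sees as r/w/x)."""
    return {b for b in "rwx" if may_access(acl, uid, groups, {b})}
```

Running effective_perms over ACL_AFTER for "userA" returns only r, whereas any other Projet_01 member still gets rwx, which is exactly the asymmetry described in the post.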
