ACL + excel = problems with permissions
sylvain.david at etranges-libellules.fr
Mon Jun 19 16:49:21 GMT 2006
> Hi I have the same problem, and I hope you'll have the time to answer me.
>
> My system is:
> Debian Sarge (stable) + samba Version 3.0.14a-Debian + ext3 with ACLs enabled
> my smb.conf is attached to this email
> my clients are on Windows XP SP1, Windows XP SP2 and Windows 2000 SP4.
> They all use Office XP 2003 (I'm lucky, they don't have a lot of
> versions of Office...)
>
> Description of the problem: Office modifies ACLs when saving a file and makes
> it read only.
>
> - ACL status before: getfacl file01.xls:
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> group::---
> group:Projet_01:rwx
> mask::rwx
> other::---
>
> - user A, who is in the Projet_01 group, opens file01.xls with Excel 2003
> and presses Ctrl+S to save his modifications. He gets an error message:
> sharing violation: the file is stored, but re-opened read only
> - ACL status: getfacl file01.xls:
> # owner: userA
> # group: root
> user::r--
> user:root:rwx
> user:reunion:rwx
> group::---
> group:Projet_01:rwx
> mask::rwx
> other::---
>
> I noticed that:
> - the user can get back the right permissions (rwx) through the security
> properties of the file, but... my users find that boring, and they're right.
> - if the user has explicit rwx rights on the file, even if he's not the
> owner, there is no problem.
> - this doesn't happen on Windows 2000 Server
> - force create mode or create mask seems to change nothing.
>
> So, this happens when a user modifies a file that he doesn't own AND
> he doesn't have explicit rights AND with a Microsoft Office application.
>
> I thought about a few solutions, but I find all of them "dirty". Here
> they are:
> 1) using OpenOffice.
> -> If I could, I surely would, but I need time to convert 60 people
> who love Excel and Word to Calc and Writer. Even if they are all
> programmers, trying to change habits is really hard. We exchange
> documentation with other companies which use ... ... Excel, so for
> compatibility reasons, we need Excel. So even if it's a good solution,
> it's hard to choose it. And... what if I notice this
> problem with another application? This solution doesn't solve the
> problem on the server side, but only on the client side...
>
> 2) using a file monitor.
> -> using gamin or any other file monitor to watch .xls and .doc files.
> If a file is touched, then apply the right permissions (with the default
> rights of the parent directory...). This solution is dirty because my
> server contains a very, very, very large number of files, and I think it's a
> bottleneck solution parsing all directories all the time. And, in a real
> situation, the error message of Excel will appear anyway, because of
> the timing.
>
> 3) hack the Samba code and add a trigger on file write, to execute a
> script which forces the right ACL to be set?
> -> probably a bottleneck solution... but... the best for me... but I
> don't have the skills to code it.
>
> 4) use the "force user" parameter in smb.conf
> -> it works, but... losing the notion of ownership on the whole file system
> is a desperate solution.
>
> 5) use explicit user rights on every file.
> -> it works too, but it removes all the magic of using groups. And for
> now I have "only" 60 users... what will I do with 200?
>
> 6) is there any Office patch, registry key, Office setting, or
> voodoo dance to do in order to repair the special way Microsoft Office
> saves files?
> -> I found nothing on my friend Google.
>
> 7) sending an email and praying you'll answer me something like: "I
> found an obvious solution and here it is" :)
> -> I'm praying
>
Sorry, I forgot my smb.conf... Here it is.
# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = elb-lyon
netbios name = server02
server string = server02.elb-lyon
os level = 65
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
wins support = Yes
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat debug = Yes
pam password change = Yes
unix password sync = Yes
syslog = 0
log level = 2
# log level max = 10
log file = /var/log/samba/log.%m
max log size = 10000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
invalid users = root2
# default samba user settings
logon drive = P:
logon home = \\server02\%U
logon path = \\server02\profiles\%U
logon script = %U.cmd
# automatic POSIX account management :)
# POSIX account management
add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/bin/gpasswd -a '%u' '%g'
delete user script = /usr/sbin/userdel -r '%u'
delete group script = /usr/sbin/groupdel '%g'
delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
set primary group script = /usr/sbin/usermod -g '%g' '%u'
veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
guest account = guest
hosts allow = 192.168.0. 127.
# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
[homes]
path = /mnt/SAN01/vd3_home2/home2/%u
comment = Home Directories
valid users = %S
guest ok = No
writable = Yes
create mask = 0700
directory mask = 0700
browseable = No
[netlogon]
path = /mnt/SAN01/vd3_home2/netlogon
comment = Partage NetLogon
valid users = @sambausers @sambaguests root
guest ok = No
read only = Yes
browseable = No
[profiles]
path = /mnt/SAN01/vd3_home2/profiles
comment = Profils utilisateurs
valid users = @sambausers @sambaguests root
guest ok = No
writable = Yes
create mode = 0700
browseable = No
# -----------------------------------------------------------------------------
# Printers
# -----------------------------------------------------------------------------
[printers]
path = /tmp
comment = All printers
valid users = @sambausers
guest ok = No
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
# -----------------------------------------------------------------------------
# Shares :)
# -----------------------------------------------------------------------------
[vd1_echange]
comment = Zone d'echange interne et FTP Pantin.
path = /mnt/SAN01/vd1_echange
valid users = root @sambaadmins @sambaguests @User_Standard
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
[vd2_gestion]
comment = Administration, compta, gestion.
path = /mnt/SAN01/vd2_gestion
valid users = root @sambaadmins @Gestion_Level0, @Gestion_Level1, @Gestion_Level2, @Gestion_Level3
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = Yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
[vd3_home2]
comment = Dossiers privés
path = /mnt/SAN01/vd3_home2
valid users = root @sambaadmins
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = Yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
csc policy = disable
[vd4_archive]
comment = Archives Design, Develop, Graphisme, Logiciels
path = /mnt/SAN01/vd4_archive
valid users = root @sambaadmins @User_Standard, @Archive_Develop, @Archive_Design, @Archive_Graphisme, @Archive_Logiciels
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = Yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
[vd5_projet]
comment = Les Projets
path = /mnt/SAN01/vd5_projet
valid users = root @sambaadmins @Projet_Asterix1, @Projet_Asterix2, @Projet_Asterix3, @Projet_AsterixCleopatre, @Projet_KetKal, @Projet_LaLune, @Projet_LuckyLuke, @Projet_PProject, @Projet_Tintin, @Projet_Wayans, @Projet_Zeus, @Projet_Arthur, @Projet_Commun, @Projet_Recherches @User_Sourcesafe
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = Yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
[vd6_backup]
comment = Backups [reservé admin]
path = /mnt/SAN01/vd6_backup
valid users = root @sambaadmins
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = Yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
[vd7_video]
comment = Montages Videos
path = /mnt/SAN01/vd7_video
valid users = root @sambaadmins @User_MontageVideo
guest ok = No
writable = Yes
#force create mode = 0770
create mask = 0770
directory mask = 0770
browseable = Yes
inherit permissions = yes
inherit acls = yes
hide unreadable = Yes
--
Sylvain DAVID / administrateur réseau
adr : Etranges Libellules
.~. 17 Rue des Archers
/v\ 69002 LYON
/(°)\ tel : 04 72 40 24 72
^^-^^ fax : 04 72 40 27 19
www.etranges-libellules.fr
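The "before" and "after" getfacl listings quoted in the mail, run through the POSIX.1e ACL access-check algorithm as an added example (not part of the original mail or of Samba): while root owns the file, userA (a member of Projet_01, as the mail states) is granted write through the group:Projet_01:rwx entry, but once userA has become the owner the user:: entry of r-- alone decides and the group entry is never consulted. The listings are copied from the mail; the membership of userA in Projet_01 is the only assumption.

```python
# Added example (not from the post): POSIX.1e ACL access check over the two getfacl listings quoted above.
BEFORE = """# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---"""
AFTER = """# owner: userA
# group: root
user::r--
user:root:rwx
user:reunion:rwx
group::---
group:Projet_01:rwx
mask::rwx
other::---"""

def parse_getfacl(text):
    owner = group = None
    entries = []                     # (tag, qualifier, perms), e.g. ('group', 'Projet_01', 'rwx')
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line.startswith("#"):
            entries.append(tuple(line.split(":")))
    return owner, group, entries

def allowed(acl, uid, groups, wanted):
    """Does `uid` (member of `groups`) get every bit in `wanted`, e.g. "w"?
    Classes are tried in POSIX order; the first one that matches decides."""
    owner, owning_group, entries = acl
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    mk = lambda p: "".join(a if b != "-" else "-" for a, b in zip(p, mask))  # mask only narrows
    grants = lambda p: all(bit in p for bit in wanted)
    if uid == owner:                                  # 1. owner entry, never masked
        return grants(next(p for t, q, p in entries if (t, q) == ("user", "")))
    for t, q, p in entries:                           # 2. named user entry, masked
        if t == "user" and q == uid:
            return grants(mk(p))
    hits = [grants(mk(p)) for t, q, p in entries      # 3. owning group + named groups
            if t == "group" and (owning_group if q == "" else q) in groups]
    if hits:                                          #    any matching group entry may grant
        return any(hits)
    return grants(next(p for t, _, p in entries if t == "other"))  # 4. other

def usera_can_write(listing):        # userA is in Projet_01, as the post states (assumption)
    return allowed(parse_getfacl(listing), "userA", {"Projet_01"}, "w")
```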