[PATCH] Patches required for POSIX ACL support of GPOs

steve steve at steve-ss.com
Fri May 11 04:57:41 MDT 2012

On 05/11/2012 12:26 PM, Jeremy Allison wrote:
> On Fri, May 11, 2012 at 12:16:20PM +0200, steve wrote:
>> If I set e.g. a group rw ACL on the underlying file system on Linux,
>> it is not understood by s3fs on Windows. Files created in the share
>> under Linux appear rw-rw. Files created in the same share under
>> Windows appear rwxrwx-x but can only be edited by the owner of the
>> file.
>> Guys, this is just not working.
> Can you submit a proper bug report please, with exact
> steps to reproduce and explicit commands used ?
> For example:
> Saying "If I set e.g. a group rw ACL on the underlying file system on Linux"
> doesn't help. Set a group rw ACL how ? Using setfacl ?
> "Files created in the share under Linux appear rw-rw." under what
> circumstances - what is the POSIX ACL on the dircetory you're
> creating the file in ?
> You need to learn how to submit ACL bug reports please. I can
> help (I've dealt with a lot of these over the years :-). Take
> a look at some of the previous ACL bug reports in the bugzilla
> for an example of how we need this data to be submitted.
> Thanks !
> Jeremy.
Hi Jeremy

Yes of course. Sorry. Here are the steps I used as root in /data:

mkdir reports
chmod 0770 reports
chgrp staff reports
chmod g+s reports
setfacl -d -Rm g::rwx reports

ls -l
total 4
drwxrws---+ 2 root staff 4096 May 11 09:03 reports

  getfacl reports
# file: reports
# owner: root
# group: staff
# flags: -s-

Linux clients work fine. We get rw-rw according to the acl when we 
create a file in the share.
On windows, we can only edit the file if we are the owner of it. The 
group rw acl is not working.

Very simply:
cat /usr/local/samba/etc/smb.conf
# Global parameters
     server role = domain controller
     workgroup = CACTUS
     realm = polop.site
     netbios name = SAM4DC
     passdb backend = samba4
     dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver
     server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, s3fs

     path = /usr/local/samba/var/locks/sysvol/polop.site/scripts
     read only = No

     path = /usr/local/samba/var/locks/sysvol
     read only = No

     path = /home2/CACTUS
     read only = No

     path = /home2/CACTUS/profiles
     read only = No

     path = /data
     read only = No
     browseable = Yes

     path = /data/reports
     read only = No

ls -l reports
drwxrws---+ 9 root staff 4096 May 11 11:17 reports

Here is a user called steve2 with access to reports:
dn: CN=steve2,CN=Users,DC=polop,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120508141303.0Z
uSNCreated: 3719
name: steve2
objectGUID: 2e73c14e-976e-431e-830e-863494cc4a1c
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1196638036-2541980263-511278767-1105
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2 at polop.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
pwdLastSet: 129809599830000000
userAccountControl: 512
uidNumber: 3000008
unixHomeDirectory: /home2/CACTUS/steve2
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
profilePath: \\sam4dc\profiles\steve2
homeDrive: Z:
homeDirectory: \\sam4dc\home\steve2
memberOf: CN=staff,CN=Users,DC=polop,DC=site
primaryGroupID: 513
gidNumber: 20513
whenChanged: 20120511065427.0Z
uSNChanged: 3846
distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site

Here is the dn of the group 'staff':
dn: CN=staff,CN=Users,DC=polop,DC=site
cn: staff
instanceType: 4
whenCreated: 20120508143644.0Z
uSNCreated: 3725
name: staff
objectGUID: 2c910ec0-0508-4f48-90df-544aa47c8d65
objectSid: S-1-5-21-1196638036-2541980263-511278767-1106
sAMAccountName: staff
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21106
member: CN=steve2,CN=Users,DC=polop,DC=site
whenChanged: 20120511090721.0Z
uSNChanged: 3850
distinguishedName: CN=staff,CN=Users,DC=polop,DC=site

Any idea why the acl works for Linux but not for xp or 7?

Cheers and TIA for your time,

More information about the samba-technical mailing list