[Samba] Very strange ACL issue

Andrew internet at nineproductions.com
Mon Aug 2 23:38:03 GMT 2004


Hello,

I upgraded from Samba 3.0.2 to 3.0.4 on my Redhat Enterprise system and am
now seeing something very strange with POSIX ACLs. We have several shared
directories set up with per-directory group permissions (in other words, each
directory has its own group in Active Directory). This way, if we want to
give a user access to a directory, we just add them to the group. After
upgrading to 3.0.4, all of a sudden additions to a group were not working.

So if I edit UserA in active directory and add them to the group
Company-Finance-Folder the user should now be able to access the folder on
the file server but now for some reason the user is getting an access
denied.

Getfacl shows that the group has permissions to the folder.
Wbinfo -u/-g works
"getent group" shows the user has been added to the group

But the user is still getting an access denied. The funny thing is that all
other users with this exact same group are able to access this folder
properly (But these users were added before the upgrade).

Does anyone know why this is?

Here is my config:

# smb.conf [global] section as posted: a Samba 3.0.4 file server that is a member of an
# Active Directory realm, with winbind mapping domain users and groups to local ids.
[global]
# 0 is the least verbose level. Raising it temporarily while troubleshooting makes the
# per-client logs below record more detail about a denied access.
log level = 0
# %m expands to the client's machine name, so each client gets its own log file.
log file = /var/log/samba/%m.log
# Kerberos realm and short domain name of the Active Directory domain.
realm = domain.net
workgroup = DOMAIN
# Domain-member mode: users are authenticated against Active Directory.
security = ADS
encrypt passwords = yes
# Domain controllers to contact, in the order listed.
password server = dc0.domain.net dc1.domain.net
server string = AMI File Server
socket options = TCP_NODELAY SO_KEEPALIVE
kernel oplocks = yes
oplocks = yes
# Files matching these patterns are never granted oplocks.
# NOTE(review): the value below was hard-wrapped in this posting (presumably by the mail
# client); in the real file it would need to be a single logical line to parse as intended.
veto oplock files =
/*.doc/*.DOC/*.xls/*.XLS/*.ppt/*.PPT/*.pst/*.PST/*.mdb/*.MDB/*.ldb/*.LDB/*.v
sd/*.VSD/*.mpp/*.MPP/*.qbw/*.QBW/*.qbb/*.QBB/*.qbI/*.qbl/*.dxf/*.DXF/*.dwg/*
.DWG/*.cdr/*.CDR/*.bak/*.BAK/*.ord/*.xlo/*.igs/*.ipt/*.ipj/*.slp/*.stp/*.opt
/*.xli/*.stl/*.cur/*.sjb/*.log/*.LOG/*.sbs/*.iam/*.idv/*.pcbdoc/*.PcbDoc/*.P
CBDOC/
# Serve only on interfaces matching eth0* plus loopback; with "bind interfaces only"
# requests arriving on any other interface are not answered.
interfaces = eth0*,lo
bind interfaces only = yes
# The next three lines are disabled or placeholder options left by the poster.
#host msdfs = yes
# strict locking
# strict sync
# separate domain and username with +, like DOMAIN+username
winbind separator = +
# use uids from 11000 to 19000 for domain users
# NOTE(review): the range holds 9001 ids; winbind cannot map further users once it is used up.
idmap uid = 11000-19000
# use gids from 11000 to 19000 for domain groups
idmap gid = 11000-19000
# allow enumeration of winbind users and groups
# NOTE(review): group membership is resolved through winbind, which caches results
# ("winbind cache time"); a stale cache or a client session that predates the group change
# is worth ruling out for the reported access-denied. This config alone does not establish
# the cause.
winbind enum users = yes
winbind enum groups = yes
# Home directory template for winbind users; %U expands to the session user name.
template homedir = /mnt/share/Company_Share/Users/%U
# give winbind users a real shell (only needed if they have telnet access)
# NOTE(review): if NSS/PAM on this host use winbind, /bin/bash gives every mapped domain
# user an interactive login shell; a non-login shell such as /bin/false is the safer
# default on a pure file server.
template shell = /bin/bash

# Share exporting /mnt/share/Company_Share.
[Company_Share]
   comment = Company Corporate
   path = /mnt/share/Company_Share
   # Permission bits outside 0770 are masked off new files and directories, so "other"
   # receives no access through the mode bits. POSIX ACL entries are separate from this.
   create mask = 0770
   directory mask = 0770
   # "public" is a synonym for "guest ok": the share accepts guest connections.
   # NOTE(review): this sits oddly with per-group access control. Whether unauthenticated
   # clients are actually mapped to the guest account also depends on "map to guest",
   # which is not set in the posted config. Prefer "guest ok = no" unless anonymous
   # access is intended.
   public = yes
   # Clients may write, still subject to filesystem permissions and ACLs.
   writable = yes

# Share exporting /mnt/share/Projects.
[Projects]
   comment = Company Projects
   path = /mnt/share/Projects
   # Permission bits outside 0770 are masked off new files and directories, so "other"
   # receives no access through the mode bits. POSIX ACL entries are separate from this.
   create mask = 0770
   directory mask = 0770
   # "public" is a synonym for "guest ok": the share accepts guest connections.
   # NOTE(review): confirm guest access is intended here. The effective behaviour also
   # depends on "map to guest", which the posted config does not set. Prefer
   # "guest ok = no" when access is meant to be controlled by AD group membership.
   public = yes
   # Clients may write, still subject to filesystem permissions and ACLs.
   writable = yes

