[Samba] incorrect behavior: hide unreadable option in conjunction with user ACLs

Thorsten Leiser t.leiser at scharr.de
Mon Aug 23 11:54:43 GMT 2004


Hi guys,

we are using samba 3.0.4 as domain member server (security=ADS) in our 
Active Directory Domain. In order not to compromise social peace, we use 
POSIX ACLs in conjunction with the hide unreadable option to hide 
folders/files from users.
I'll show you an example to explain the problem:
I'm the user "SCHARRNET+M006U122" (SCHARRNET=domain suffix). I'm 
connecting to a share (in our example Rechnungswesen) which contains 2 
folders: Buchhaltung and Controlling
Here are the ACLs of these two folders:

# file: Controlling
# owner: root
# group: SCHARRNET+Domänen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
mask::rwx
other::---
default:user::rwx
default:user:SCHARRNET+Administrator:rwx
default:group::---
default:group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
default:mask::rwx
default:other::---

# file: Buchhaltung
# owner: root
# group: SCHARRNET+Domänen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
user:SCHARRNET+m006u122:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:SCHARRNET+Administrator:rwx
default:user:SCHARRNET+m006u122:rwx
default:group::---
default:group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
default:mask::rwx
default:other::---

Because I'm a member of the group "SCHARRNET+Mandant 001 
Scharr_Stuttgart_Controlling" I can see the folder Controlling. But I 
can't see the folder Buchhaltung although I have an entry in the ACL of 
this folder. If I disable hide unreadable, I can see and access the 
folder. Only domain member PCs are affected by this problem.

We've designed some workarounds to this problem:
1. Downgrade the domain membership from security=ADS to security=DOMAIN, 
then the ACLs work perfectly with the hide unreadable option.
2. Use the ip-address of the samba server instead of the hostname to 
connect from a domain member PC to the share 
(\\192.168.239.143\Rechnungswesen).

Here is some information about our samba server:
OS: SuSE Linux Standard Server 8 (based on SLES8) / Kernel 2.4.21-138
Samba version: 3.0.4 (3.0.6 is affected too, we tested it)
Filesystem for data storage: XFS

smb.conf:
[global]
        unix charset = ISO8859-15
        display charset = ISO8859-15
        workgroup = SCHARRNET
        realm = SCHARRNET.DE
        server string =
        security = ADS
        password server = maire.scharrnet.de, maitre.scharrnet.de
        log level = 2
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        os level = 2
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /data/home/%U
        winbind separator = +

[Rechnungswesen]
        comment = Abteilungslaufwerk Rechnungswesen auf %L
        path = /data/abt/Rechnungswesen
        read only = No
        create mask = 0660
        directory mask = 0770
        hide unreadable = Yes
        browseable = No
        volume = DATA
        dos filetimes = Yes
        dos filetime resolution = Yes
        fake directory create times = Yes

This seems to be a real bug, doesn't it?

Regards

Thorsten

-- 
Thorsten Leiser
IT-Systembetreuung
FRIEDRICH SCHARR KG
Liebknechtstrasse 50
70565 Stuttgart-Vaihingen
