[Samba] [3.0.2] Trouble using ACLs: wrong file permissions after write/cr eate

Oliver Schade oschade at PROBUSINESS.DE
Wed Feb 18 11:02:46 GMT 2004

Hi everybody,

I have a problem with Samba 3.0.2 using POSIX ACLs for shares. 
File written from an ACL group/user will get wrong permissions
and are unchangeable for other users.

First the important informations about the configuration and 
the setup:

 a) Base system: Debian 3.0.1 with all updates

 b) Samba: Self compiled binary within /opt/samba-3.0.2
    used the following flags:

    server:/usr/local/src/samba-3.0.2# ./configure \
           --enable-cups --with-ldap --with-automount \
           --with-smbmount --with-pam --with-syslog \
           --with-sys-quotas --with-acl-support \

    The resulting smbd binary reports using -b: :

    --with Options:


    server:/opt/samba-3.0.2/sbin# ./smbd -b | grep ACL

 c) Configuration-file: /opt/samba-3.0.2/lib/smb.conf

            workgroup = MYCOMPANY
            interfaces = eth0
            os level = 65
            preferred master = No
            domain master = No
            security = user
            encrypt passwords = Yes
            loglevel = 1
            nt acl support = Yes
            veto files = lost+found/
            wins server =
            unix charset = ISO8859-15
            display charset = utf8
            unicode = Yes
            printing = cups
            printcap name = /etc/printcap.cups
            dos charset = 850
            oplocks = False
            level2 oplocks = False
            kernel oplocks = False
            inherit permissions = Yes
            getwd cache = Yes
            show add printer wizard = No

            comment = All customer files
            path = /mnt/mycompany/Customers
            read only = No
            create mask = 660
            directory mask = 770
            force create mode = 660
            force directory mode = 770

     Note: there is a WINS server in a different subnet,
     therefore this server is not the master server.

     Oplocks are deactivated because we have had some 
     trouble with our VPN-connection. 

     Users are authenticated locally against a smbpasswd-
     file which shall be migrated to an LDAP-directory

  d) /mnt/mycompany/Customers has been configured as LVM 
     partition and mounted with ACL support:

     server:~/ mount | grep Customers
     /dev/RAID5/Kunden on /mnt/mycompany/Customers type \
               ext3 (rw,acl,user_xattr)

  e) /mnt/mycompany/Customers has the following user/group-

     server:/mnt/mycompany # ls -la Customers
     drwxrws---   14 tprinz   bln-all      4096 Feb 12 13:50 .

     All local users are member of the group bln-all. 
     Sticky-group bit is set, so new files are automatically
     also set to bln-all. Owner and group may write and read
     and enter directories.

     There are an additional group for some remote-users
     coming from on other office over a VPN-connection. 
     The group is called han-eink, access-rights are configured
     using POSIX ACLs:

     server:/mnt/mycompany/Customers# getfacl .
     # file: .
     # owner: tprinz
     # group: bln-all

     So the group han-eink should also write and read all files
     and enter directories.

Now the problem: whenever someone from the ACL-group han-eink 
creates a file within the Customers-share, the permissions
are wrong: instead of 

	-rw-rw---- (as configured with create mask in smb.conf)

the files get 


These files may be opened only readable for my local users, but
they cannot write to them. After manually chmod-ing the rights,
everything works fine. As Excel and Word always create new files,
I have really a problem.

This error (or mis-configuration :-) is reproduceable in Samba
3.0.1 and 3.0.2. And I am somewhat stuck - I do not see my (or
Samba's) error.

Any hints are really welcome.

Thanks, Oliver
pro|business Berlin AG                  oschade at probusiness.de
Potsdamer Platz 11                      http://www.probusiness.de/
10785 Berlin                            Tel: +49 030 259 378-0
Germany                                 Fax: +49 030 259 378-22

More information about the samba mailing list