[Samba] Re: Folder Redirection broken if access is from ACL only

grantb at WebDS grantb at webds.com.au
Wed Apr 20 03:28:29 GMT 2005

Some additional info on this that might help:

The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6
Kernels), and Samba-3.0.11 on ext3 file systems mounted with
user_xattr,acl options.

This is not an ACL problem as such. Access to shares and the data within
is fine using ACLs. This is a particular problem only with folder
redirection onto a Samba share, where that access is controlled (either
at the root of the share or on any subdirectory in which you store
redirected folders) via ACLs only.

I've tested this using the "profile acls = yes" option also, as I
suspected Windows may have been attempting similar access checks that
made this necessary for roaming profiles on Samba shares, but the
problem was still present.

It's easy to re-create.
1. Set up a test share
2. Set up permissions of the share directory:
   chown -R test_user test_dir;
3. Set up your Windows image to redirect folders to your test share (I
won't go into details on how to do this on the assumption you prolly
already know anyway)
4. Log on to your Windows domain and check that folder redirection is
working. Log off once you have achieved this.
5. Change the permissions so access is via ACLs only:
   chown -R root.root test_dir;
   setfacl -R -m test_user:rwx test_dir;
   setfacl -R -m default:test_user:rwx test_dir
6. Log on to your Windows domain once again and Windows is no longer able
to redirect folders to this share (IE's History folder is a good one to
experiment with).

Cheers, Grant

> From: grantb @ WebDS <grantb at webds.com.au>
> To: samba at lists.samba.org
> Subject: [Samba] Folder Redirection broken if access is from ACL only
> Date: Tue, 19 Apr 2005 09:09:00 +1000
> I have an issue with W2K/XP using Folder Redirection to a Samba homes
> share (or any share for that matter). This is only a problem when access
> for a user is via an ACE (ACL) and not the traditional file system
> permissions.
> So for example (user is cath in this example):
> [root at gandalf users]# ll -d cath
> drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath
> [root at gandalf users]# getfacl cath
> # file: cath
> # owner: root
> # group: root
> user::rwx
> user:cath:rwx
> group::---
> mask::rwx
> other::---
> default:user::rwx
> default:user:cath:rwx
> default:group::---
> default:mask::rwx
> default:other::---
> I have also tried this using the "profile acls = yes" option, but with no
> success (works fine for roaming profiles tho, as it was designed to do).
> It seems that Windows may be trying to set ACLs on index.dat which fails
> when access is via ACLs only. Here's an indication of this from the smbd
> log:
> [2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436)
>   set_canon_ace_list: sys_acl_set_file failed for file k-drive/History/History.IE5/MSHist012005041220050413/index.dat (Operation not permitted).
> [2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270)
>   DBR05A+cath closed file k-drive/History/History.IE5/MSHist012005041220050413/index.dat (numopen=3)
> Any help would be appreciated. I expect that this may be a Samba issue
> that might need to be looked at by the samba-technical gods.
> Jeremy did ask for additional diagnostic detail, which I sent. However he's probably
> been sidetracked by something more important.
> Cheers, Grant
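
The difference between having data access through an ACE and being allowed to change an ACL, as an added example that is not part of the original post and is not Samba or kernel code. It models the POSIX.1e access check over the access entries of the getfacl output quoted above, plus the Linux rule that replacing a file's ACL requires ownership or CAP_FOWNER (failing with EPERM, "Operation not permitted", otherwise). The function names are hypothetical, and it assumes a file with the same owner and entries as the directory shown.

```python
# Added example: models Linux POSIX ACL checks; not Samba or kernel code.
# ACL text: access entries of the getfacl output quoted in the report.
GETFACL = """\
# file: cath
# owner: root
# group: root
user::rwx
user:cath:rwx
group::---
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> perm set."""
    meta, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, val = line[2:].partition(": ")
            meta[key] = val
        elif line and not line.startswith("default:"):  # defaults apply to new children
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = set(perms.replace("-", ""))
    return meta["owner"], meta["group"], entries

def has_access(text, user, want, groups=()):
    """POSIX.1e check order: owner, named user, groups, other (capabilities ignored)."""
    owner, group, e = parse_getfacl(text)
    want, mask = set(want), e.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= e[("user", "")]               # owner entry is not masked
    if ("user", user) in e:
        return want <= (e[("user", user)] & mask)    # named-user ACE, masked
    matched = [p for (t, q), p in e.items()
               if t == "group" and (q in groups if q else group in groups)]
    if matched:                                      # one matching entry must grant all
        return any(want <= (p & mask) for p in matched)
    return want <= e[("other", "")]

def may_set_acl(text, user):
    """Replacing an ACL (setfacl, chmod) needs file ownership or CAP_FOWNER (root)."""
    owner, _, _ = parse_getfacl(text)
    return user in (owner, "root")

if __name__ == "__main__":
    print("cath rwx via ACE:", has_access(GETFACL, "cath", "rwx"))   # True
    print("cath may set ACL:", may_set_acl(GETFACL, "cath"))         # False
```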
