[Samba] Folder Redirection broken if access is from ACL only

Grant Bigham samba at bigham.homelinux.com
Sat Apr 30 10:42:30 GMT 2005


I have an issue with W2K/XP using Folder Redirection to a Samba homes
share (or any share for that matter). This is only a problem when access
for a user is via an ACE (ACL) and not the traditional file system
permissions.

The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6
Kernels), and Samba-3.0.11 on ext3 file systems mounted with
user_xattr,acl options. 

This is not an ACL problem as such. Access to shares and the data within
is fine using ACLs, it only becomes a problem when Windows tries to
access redirected folders on Samba, where that access is granted via
ACLs only.

So for example (user is cath in this example):

[root@gandalf users]# ls -ld cath
drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath

[root@gandalf users]# getfacl cath
# file: cath
# owner: root
# group: root
user::rwx
user:cath:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:cath:rwx
default:group::---
default:mask::rwx
default:other::---

I've tested this using the "profile acls = yes" option also, as I
suspected Windows may have been attempting similar access checks that
made this necessary for roaming profiles on Samba shares, but the
problem was still present.

It seems that Windows may be trying to set ACLs on index.dat which fails
when access is via ACLs only. Here's an indication of this from the smbd
log:
[2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436) 
set_canon_ace_list: sys_acl_set_file failed for file
k-drive/History/History.IE5/MSHist012005041220050413/index.dat
(Operation not permitted). 
[2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270)  
DBR05A+cath closed file
k-drive/History/History.IE5/MSHist012005041220050413/index.dat
(numopen=3)

It's easy to re-create.
1. Set up a test share
2. Set up permissions on share directory:
   chown -R test_user test_dir;
3. Set up your Windows image to redirect folders to your test share (I
won't go into details on how to do this on the assumption you prolly
already know anyway)
4. Log on to your Windows domain and check that folder redirection is
working. Log off once you have achieved this. 
5. Change the permissions so access is via ACLs only: 
   chown -R root:root test_dir;
   setfacl -R -m user:test_user:rwx test_dir;
   setfacl -R -m default:user:test_user:rwx test_dir
6. Log on to your Windows domain once again and Windows is no longer able
to redirect folders to this share (IE's History folder is a good one to
experiment with).

Cheers, Grant
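
The ownership situation in the getfacl listing above, as an added example that is not part of the original post: on Linux, changing a file's ACL or mode requires owning the file (or CAP_FOWNER), so a user who reaches a directory only through a named ACL entry can read and write it but gets EPERM on an ACL change, which is consistent with the sys_acl_set_file failure in the log. The Python below parses getfacl text (the sample is copied from the post; the function names are illustrative) and reports which case applies to a user.

```python
# Added example: classify how a user reaches a path, from `getfacl` output.
SAMPLE_GETFACL = """\
# file: cath
# owner: root
# group: root
user::rwx
user:cath:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:cath:rwx
default:group::---
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owner, access ACL dict); default: entries are skipped."""
    owner, acl = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":", 2)
            acl[(tag, qualifier)] = perms[:3]  # drop any "#effective:" suffix
    return owner, acl

def effective(perms, mask):
    """Named-user and group entries are limited by the mask entry."""
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def classify(text, user):
    """Return (access path, effective perms, may change the ACL/mode)."""
    owner, acl = parse_getfacl(text)
    if user == owner:
        return ("owner", acl[("user", "")], True)
    if ("user", user) in acl:
        mask = acl.get(("mask", ""), "rwx")
        # Data access works, but setting an ACL fails with EPERM for a non-owner.
        return ("named-acl-entry", effective(acl[("user", user)], mask), False)
    # Group membership is not in getfacl output, so it is not evaluated here.
    return ("group-or-other", None, False)

if __name__ == "__main__":
    print(classify(SAMPLE_GETFACL, "cath"))
```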



