[Samba] Folder Redirection broken if access is from ACL only

Grant Bigham samba at bigham.homelinux.com
Sat Apr 30 10:42:30 GMT 2005

I have an issue with W2K/XP using Folder Redirection to a Samba homes
share (or any share for that matter). This is only a problem when access
for a user is via an ACE (ACL) and not the traditional file system

The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6
Kernels), and Samba-3.0.11 on ext3 file systems mounted with
user_xattr,acl options. 

This is not an ACL problem as such. Access to shares and the data within
is fine using ACLs, it only becomes a problem when Windows tried to
access redirected folders on Samba, where that access is granted via
ACLs only.

So for example (user is cath in this example):

[root at gandalf users]# ls -ld cath
drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath

[root at gandalf users]# getfacl cath
# file: cath
# owner: root
# group: root

I've tested this using the "profile acls = yes" option also, as I
suspected windows may have being attempting similar access checks that
made this necessary for roaming profiles on Samba shares, but the
problem was still present.

It seems that Windows may be trying to set ACLs on index.dat which fails
when access is via ACLs only. Here's an indication of this from the smbd
[2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436) 
set_canon_ace_list: sys_acl_set_file failed for file
(Operation not permitted). 
[2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270)  
DBR05A+cath closed file

It's easy to re-create.
1. Setup a test share
2. Setup permissions on share directory:
   chown -R test_user test_dir;
3. Setup your Windows image to redirect folders to your test share (I
wont go into details on how to do this on the assumption you prolly
already know anyway)
4. Logon to your windows domain and check that folder redirection is
working. Logoff once you have achieved this. 
5. Change the permissions so access is via ACLs only: 
   chown -R root.root test_dir;
   setfacl -R -m test_user:rwx test_dir;
   setfacl -R -m default:test_user:rwx test_dir
6. Logon to your windows domain once again and windows is no longer able
to redirect folders to this share (IE's History folder is a good one to
experiment with).

Cheers, Grant

More information about the samba mailing list