[Samba] Folder Redirection broken if access is from ACL only

Doug VanLeuven roamdad at sonic.net
Sun May 1 00:26:36 GMT 2005

Grant Bigham wrote:

>I have an issue with W2K/XP using Folder Redirection to a Samba homes
>share (or any share for that matter). This is only a problem when access
>for a user is via an ACE (ACL) and not the traditional file system
>The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6
>Kernels), and Samba-3.0.11 on ext3 file systems mounted with
>user_xattr,acl options. 
>This is not an ACL problem as such. Access to shares and the data within
>is fine using ACLs, it only becomes a problem when Windows tries to
>access redirected folders on Samba, where that access is granted via
>ACLs only.
>So for example (user is cath in this example):
>[root@gandalf users]# ls -ld cath
>drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath
>[root@gandalf users]# getfacl cath
># file: cath
># owner: root
># group: root
>I've tested this using the "profile acls = yes" option also, as I
>suspected windows may have been attempting similar access checks that
>made this necessary for roaming profiles on Samba shares, but the
>problem was still present.
>It seems that Windows may be trying to set ACLs on index.dat which fails
>when access is via ACLs only. Here's an indication of this from the smbd
>[2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436) 
>set_canon_ace_list: sys_acl_set_file failed for file
>(Operation not permitted). 
>[2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270)  
>DBR05A+cath closed file
>It's easy to re-create.
>1. Setup a test share
>2. Setup permissions on share directory:
>   chown -R test_user test_dir;
>3. Setup your Windows image to redirect folders to your test share (I
>won't go into details on how to do this on the assumption you prolly
>already know anyway)
>4. Logon to your windows domain and check that folder redirection is
>working. Logoff once you have achieved this. 
>5. Change the permissions so access is via ACLs only: 
>   chown -R root.root test_dir;
>   setfacl -R -m test_user:rwx test_dir;
>   setfacl -R -m default:test_user:rwx test_dir
>6. Logon to your windows domain once again and windows is no longer able
>to redirect folders to this share (IE's History folder is a good one to
>experiment with).

Windows has a concept of file & directory ownership as well as unix.  
What is this trend to take away user & group ownership in unix?  Someone 
publish an article I haven't read? :-)

Check group policy

Computer Configuration
    Administrative Templates
       System/User Profiles
          Do Not check for ownership of roaming profile folders 

The default is disabled.  In other words, windows checks the ownership of 
the profile folders to see if they are owned by the user.  It doesn't 
work on a windows server for the administrator to own the directory and 
the user given full access under default conditions.

User Configuration
    Windows Configuration
       Folder Redirection
          <folder in question> properties
                grant the user exclusive rights to <folder in question> [checkbox cleared/checked]

Default is checked.  User has to own files -exclusively-.

Link to MS article

Regards, Doug
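
An added example, not part of either poster's message: a Python sketch that parses `getfacl` output and flags directories whose user is not the owner and is reached only through a named-user ACL entry, which is the state step 5 of the reproduction creates and the condition the ownership checks described in the reply look at. The sample listing is constructed, and treating the directory name as the user name (as with `cath` above) is an assumption.

```python
"""Flag redirected-folder directories a user can reach only through a POSIX ACL entry."""

# Constructed sample in getfacl output format; it is not the listing from the
# post, which is cut off after its "# group:" line.
SAMPLE = """\
# file: cath
# owner: root
# group: root
user::rwx
user:cath:rwx
group::rwx
mask::rwx
other::---

# file: doug
# owner: doug
# group: users
user::rwx
group::---
other::---
"""

def parse_getfacl(text):
    """Split getfacl output into one record per file: path, owner, ACL entries."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file: "):
            cur = {"file": line[8:], "owner": None, "entries": []}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("# owner: "):
            cur["owner"] = line[9:]
        elif not line.startswith("#"):
            # Entry is tag:qualifier:perms; getfacl may append "#effective:..."
            tag, qualifier, perms = line.split("#")[0].strip().split(":")[:3]
            cur["entries"].append((tag, qualifier, perms))
    return records

def acl_only_access(records):
    """Return (file, user, owner) where user is not the owner but has a named-user ACE."""
    findings = []
    for rec in records:
        user = rec["file"].rstrip("/").split("/")[-1]  # assumption: dir name == user name
        named = any(t == "user" and q == user for t, q, _ in rec["entries"])
        if rec["owner"] != user and named:
            findings.append((rec["file"], user, rec["owner"]))
    return findings
```

Feeding it the output of `getfacl -R` on the share root lists every directory that would need its owner changed back to the user.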
