[Samba] Folder Redirection broken if access is from ACL only
Doug VanLeuven
roamdad at sonic.net
Sun May 1 00:26:36 GMT 2005
Grant Bigham wrote:
>I have an issue with W2K/XP using Folder Redirection to a Samba homes
>share (or any share for that matter). This is only a problem when access
>for a user is via an ACE (ACL) and not the traditional file system
>permissions.
>
>The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6
>Kernels), and Samba-3.0.11 on ext3 file systems mounted with
>user_xattr,acl options.
>
>This is not an ACL problem as such. Access to shares and the data within
>is fine using ACLs, it only becomes a problem when Windows tries to
>access redirected folders on Samba, where that access is granted via
>ACLs only.
>
>So for example (user is cath in this example):
>
>[root@gandalf users]# ls -ld cath
>drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath
>
>[root@gandalf users]# getfacl cath
># file: cath
># owner: root
># group: root
>user::rwx
>user:cath:rwx
>group::---
>mask::rwx
>other::---
>default:user::rwx
>default:user:cath:rwx
>default:group::---
>default:mask::rwx
>default:other::---
>
>I've tested this using the "profile acls = yes" option also, as I
>suspected Windows may have been attempting similar access checks that
>made this necessary for roaming profiles on Samba shares, but the
>problem was still present.
>
>It seems that Windows may be trying to set ACLs on index.dat which fails
>when access is via ACLs only. Here's an indication of this from the smbd
>log:
>[2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436)
>set_canon_ace_list: sys_acl_set_file failed for file
>k-drive/History/History.IE5/MSHist012005041220050413/index.dat
>(Operation not permitted).
>[2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270)
>DBR05A+cath closed file
>k-drive/History/History.IE5/MSHist012005041220050413/index.dat
>(numopen=3)
>
>It's easy to re-create.
>1. Set up a test share
>2. Set up permissions on share directory:
> chown -R test_user test_dir;
>3. Set up your Windows image to redirect folders to your test share (I
>won't go into details on how to do this on the assumption you prolly
>already know anyway)
>4. Log on to your Windows domain and check that folder redirection is
>working. Log off once you have achieved this.
>5. Change the permissions so access is via ACLs only:
> chown -R root.root test_dir;
> setfacl -R -m test_user:rwx test_dir;
> setfacl -R -m default:test_user:rwx test_dir
>6. Log on to your Windows domain once again and Windows is no longer able
>to redirect folders to this share (IE's History folder is a good one to
>experiment with).
>
>
Windows has a concept of file & directory ownership as well as unix.
What is this trend to take away user & group ownership in unix? Someone
publish an article I haven't read? :-)
Check group policy
  Computer Configuration
    Administrative Templates
      System/User Profiles
        Do Not check for ownership of roaming profile folders
        (enabled/disabled)
The default is disabled. In other words, Windows checks the ownership of
the profile folders to see if they are owned by the user. It doesn't
work on a Windows server for the administrator to own the directory and
the user given full access under default conditions.
  User Configuration
    Windows Configuration
      Folder Redirection
        <folder in question> properties
          settings
            grant the user exclusive rights to <folder in question>
            [checkbox cleared/checked]
Default is checked. User has to own files -exclusively-.
Link to MS article
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q288991
Regards, Doug
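
Added example, not part of either message: Python that reads `getfacl` output like the listing quoted above and reports whether a user reaches a directory as its owner or only through a named-user ACE, which is the distinction the reply ties to the Windows ownership check. The function names and the embedded sample are constructed for illustration; group membership is not resolved.

```python
# Added example (not from the thread): classify how a user gets access to a
# directory from `getfacl` text, to find redirected folders the user does not own.

# Constructed sample, copied from the getfacl listing quoted in the thread.
SAMPLE = """\
# file: cath
# owner: root
# group: root
user::rwx
user:cath:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:cath:rwx
"""

def parse_getfacl(text):
    """Return (header dict, {(tag, qualifier): perms}) for access entries only."""
    header, acl = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):                       # e.g. "# owner: root"
            key, _, value = line[2:].partition(":")
            header[key.strip()] = value.strip()
        elif line and not line.startswith("default:"):  # skip inheritable defaults
            # Drop a trailing "#effective:..." comment before splitting the entry.
            tag, qualifier, perms = line.split("#")[0].split(":")[:3]
            acl[(tag, qualifier)] = perms.strip()
    return header, acl

def access_source(text, user):
    """Return (source, effective perms) following the POSIX ACL check order."""
    header, acl = parse_getfacl(text)
    if user == header.get("owner"):
        return "owner", acl[("user", "")]               # owner entry ignores the mask
    if ("user", user) in acl:
        mask = acl.get(("mask", ""), "rwx")             # mask caps named-user entries
        perms = acl[("user", user)]
        return "named-user ACE", "".join(c if c == m else "-" for c, m in zip(perms, mask))
    return "group or other", None                       # needs group membership lookup

def owned_by_user(text, user):
    """False is the case from the thread: the ACL grants access, ownership is not the user's."""
    return access_source(text, user)[0] == "owner"

if __name__ == "__main__":
    print(access_source(SAMPLE, "cath"), owned_by_user(SAMPLE, "cath"))
```
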