[Samba] "dos filemode" parameter ineffective?

Scott Crosby skroz at skroz.net
Thu Nov 10 12:53:55 GMT 2005

According to the smb.conf man page, the "dos filemode" parameter will allow a user who is not the owner of a file to effect permissions changes on a file or folder provided he has write access to that object.  This does not appear to be the case.  Users with write access via user or group ACEs receive an "Access denied" error when attempting to make ACL changes via Windows, accompanied by an "operation not permitted" error in the client's log file on the file server.

Share "testshare" is created with the following entry in the smb.conf:

[testshare]
        comment = test share
        path = /export/data/testshare
        read only = no
        store dos attributes = yes
        dos filemode = yes

An empty folder called test is created and the following ACL is applied:

# file: test
# owner: daniel
# group: sys

User daniel (the folder's owner) has write access to the folder and can modify the ACL.  User scott also has write access to the folder due to his entry in the ACL.  He can write to the folder, but cannot modify the ACL or alter any individual ACEs.  This is the same behavior seen with the "dos filemode" parameter disabled.  I've also tried opening up the permissions completely by chmod'ing the directory to 0777 and adjusting the ACL with no positive effect.  In all cases, only the owner can adjust the ACL.

Here's an example of the error in the client log (log level 10):

[2005/11/09 09:53:55, 2] smbd/posix_acls.c:set_canon_ace_list(2486)
  set_canon_ace_list: sys_acl_set_file type file failed for file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/posix_acls.c:set_nt_acl(3205)
  set_nt_acl: failed to set file acl on file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

I've also noticed that the read-only flag is "half checked" (the in-between state of a tri-mode flag) on the folder (in the properties dialog), indicating that some of the items underneath are read only and some are not.  How can this be, since the folder is empty?  Changing this flag, either as user daniel or scott, does not have any permanent effect, though user scott does NOT receive an access denied message when he attempts to change it.

acls and user_xattrs are set in the fstab and have been tested, and ldd run on smbd reveals that libacl and libattr have been compiled in.  All test systems were members of an AD domain but joined as pre-win2k clients.  The smb.conf is included below.

I've seen the described behavior on the following configurations:

Kernel			Samba Rev.		Filesystem
Linux 2.6.5 (x86_64)	3.0.14a			ReiserFS
Linux 2.6.5 (x86_64)	3.0.9			ReiserFS
Linux 2.6.5 (i386)	3.0.14a			ReiserFS
Linux 2.6.5 (i386)	3.0.20b			ext3

Any thoughts?

Scott F. Crosby

	workgroup = ADDOMAIN
	server string = Test Samba Server

	map to guest = Bad User
	host msdfs = yes

	smb passwd file = /etc/samba/smbpasswd
	security = domain
	encrypt passwords = yes
	#password server = *
	password server =
	wins server =

	log file = /var/log/samba/log.%m
	log level = 3
	max log size = 4096

	local master = no
	dns proxy = no

	load printers = yes
	printing = cups
	printcap name = cups
	printer admin = @domadmin

        comment = Printer Drivers
        path = /etc/samba/drivers
        browseable = yes
        guest ok = yes
        read only = yes
        write list = @domadmin

        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

	comment = test
	path = /export/data/test
	read only = no
	store dos attributes = yes
	dos filemode = yes
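
The following is an added example, not part of the original post or of Samba: a small triage script that parses smbd's two-line log entries and groups the ACL-set failures quoted above with the NT status returned to the client. The function names are hypothetical, the failure pattern covers only the two message formats shown in the post, and matching on the same-second timestamp is a heuristic that assumes a per-client log (log.%m).

```python
import re

# Constructed sample: the three log entries quoted in the post, verbatim.
SAMPLE_LOG = """\
[2005/11/09 09:53:55, 2] smbd/posix_acls.c:set_canon_ace_list(2486)
  set_canon_ace_list: sys_acl_set_file type file failed for file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/posix_acls.c:set_nt_acl(3205)
  set_nt_acl: failed to set file acl on file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
ACL_FAIL = re.compile(r"failed .*?(?:for|on) file (?P<path>.+) \((?P<errno>[^()]+)\)\.?$")
NT_STATUS = re.compile(r"NT_STATUS_\w+")

def parse_entries(text):
    """Split smbd log text into entries: a bracketed header line plus indented message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw[:1].isspace():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def acl_set_failures(entries):
    """Group posix_acls.c failures by (timestamp, file); attach the NT status sent in that second."""
    status_by_ts = {}
    for e in entries:
        s = NT_STATUS.search(e["msg"])
        if e["func"] == "error_packet" and s:
            status_by_ts[e["ts"]] = s.group(0)
    findings = {}
    for e in entries:
        m = ACL_FAIL.search(e["msg"])
        if e["src"].endswith("posix_acls.c") and m:
            f = findings.setdefault((e["ts"], m["path"]), {
                "ts": e["ts"], "file": m["path"], "errno": m["errno"],
                "funcs": [], "nt_status": status_by_ts.get(e["ts"])})
            f["funcs"].append(e["func"])
    return list(findings.values())

if __name__ == "__main__":
    for f in acl_set_failures(parse_entries(SAMPLE_LOG)):
        print(f"{f['ts']} {f['file']}: {' -> '.join(f['funcs'])}: {f['errno']} => {f['nt_status']}")
```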
