[Samba] Permissions not recursive on win2K?

Shawn Wright swright at sls.bc.ca
Thu Sep 15 17:00:31 GMT 2005

On 11 Aug 2005 at 14:40, samba at lists.samba.org wrote:

> Way back on Mar 10 2004, I wrote this:
> ==========
> Perhaps this is a known problem, and if so, hopefully it is fixed
> in 3.x:
> Win2K SP4 clients, Samba 2.2.8a servers on Linux using ACL support with
> XFS filesystem (Redhat SGI-XFS build, and Mandrake 9.2).
> Adding/editing an ACL for an NT domain group (or user) to a folder on
> samba, and attempting to apply permissions to all subdirs and files only
> goes one level deep when using the win2k standard gui tool. ie: Only
> ACLs for the selected folder and files in top level are touched. Problem
> does not occur when using an NT4 client. Interestingly, using the NT4
> security dialog on win2k (by way of the RSHXMENU powertoy for NT) works
> fine on win2K.
> Is this a known issue? I can provide conf and debug output if necessary,
> but I assumed someone else must have seen this already (and fixed it? :-)
> ==========
> Then, I got this reply:
> > On 24 Mar 2004 at 9:13, Gerald (Jerry) Carter wrote:
> >
> > Yup.  It is fixed in 3.0 from what I remember.  Jeremy worked on it.
> Eventually I got around to upgrading the affected servers to 3.0.11, but
> the problem persists, and I didn't have time to dig into it. Now I need to
> replace two samba servers, and would like to resolve this issue. I've now
> read the release notes from 3.0.12 to 3.0.20RC2 and couldn't find mention
> of a fix.

I am now running 3.0.14a, but the permissions recursion problem still exists.
Each time I apply permissions to a tree using the Win2K GUI, the addition or
removal of an ACL will move exactly one level deeper than before. In other
words, if the tree is 4 levels deep, it will take 3 passes of the operation
before the ACL change appears in the 4th level. This long-standing problem is
seriously limiting our migration to samba. Can someone please tell me if this
has been fixed in 3.0.20?

I have offered configs, debug, etc. and the offer still stands. I just want to 
see this problem fixed, and can't believe it is not affecting more users. 

For the record, here is the environment:
Mandrake 10.1 with ACL support on XFS
The share used for testing the issue is the "home" share.
PDC is running NT4 SP6a
Client used for setting ACLs running Win2K SP4, tested using GUI, cacls, 
and xcacls.

Build options:
./configure --with-winbind --with-acl-support --with-quotas \
    --sbindir=/usr/sbin --bindir=/usr/bin --localstatedir=/var/log/samba \
    --with-swatdir=/usr/share/swat --with-lockdir=/var/cache/samba \
    --with-configdir=/etc/samba --with-piddir=/var/run

conf file:
	workgroup = SHAWNIGAN
	netbios name = ADMIN3
	server string = ADMIN3 Server
	winbind uid = 10000-20000
	winbind enum users = yes
	winbind gid = 10000-20000
	winbind separator = +
	winbind enum groups = yes
	disable spoolss = yes
	unix password sync = no
	max xmit = 65535
	hosts allow = 10. 72.2.0.
	dns proxy = no
	oplocks = yes
	inherit permissions = yes
	debug level = 1
	security = domain
	getwd cache = yes
	log level = 3
	read raw = yes
	write raw = yes
	wins server =
	create mask = 0700
	domain master = no
	map to guest = never
	null passwords = no
	encrypt passwords = yes
	template shell = /bin/false
	dead time = 0
	password level = 0
	password server = *
	directory mask = 0700
	preferred master = no

	comment = Staff Home Directories
	browseable = no
	writable = yes
	available = yes
	public = no
	create mask = 2700
	inherit permissions = yes
	nt acl support = no
	force group = "shawnigan+domain users"
	force security mode = 0777
	path = /home/staff/%U

	comment = Homes
	browseable = yes
	writable = yes
	available = yes
	public = no
	only user = no
	valid users = @"shawnigan+domain admins"
	admin users = @"shawnigan+domain admins"

	comment = sysroot
	valid users = @"shawnigan+domain admins"
	admin users = @"shawnigan+domain admins"
	writeable = yes
	path = /
	hosts allow = 10.4. 72.2.0.

	comment = Staff Homes - Web Access
	browseable = yes
	writable = yes
	available = yes
	public = no
	only user = no
	valid users = @"shawnigan+domain admins","shawnigan+Apache-
	admin users = @"shawnigan+domain admins"

Shawn Wright, I.T. Manager
Shawnigan Lake School
swright at sls.bc.ca
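A server-side check for the symptom described above, added here as an example and not part of the original message or of Samba: rather than trusting what the Windows security dialog shows, capture `getfacl -R -p <share path>` on the Linux host and count, per directory depth, how many objects actually carry the entry that was applied. The sample output, the path /home/staff/alice and the entry for the "shawnigan+domain users" group are constructed assumptions.

```python
import os

# Constructed sample of `getfacl -R -p` output for one home directory (not
# from the original message); owner/group header lines are omitted.
SAMPLE_GETFACL = """\
# file: /home/staff/alice
user::rwx
group::---
group:shawnigan+domain users:r-x
other::---

# file: /home/staff/alice/docs
user::rwx
group::---
group:shawnigan+domain users:r-x
other::---

# file: /home/staff/alice/docs/2005
user::rwx
group::---
other::---

# file: /home/staff/alice/docs/2005/report.txt
user::rw-
group::---
other::---
"""

def parse_getfacl(text):
    """Map each '# file:' path to its list of ACL entry lines (tag:qualifier:perms)."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path] = []
        elif line and not line.startswith("#") and path is not None:
            acls[path].append(line)
    return acls

def propagation_by_depth(text, root, entry):
    """Per depth below root: (objects carrying 'entry', objects at that depth).
    'entry' is tag:qualifier without perms, e.g. 'group:shawnigan+domain users'."""
    stats = {}
    for path, entries in parse_getfacl(text).items():
        rel = os.path.relpath(path, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        hit, total = stats.get(depth, (0, 0))
        present = any(e.startswith(entry + ":") for e in entries)
        stats[depth] = (hit + present, total + 1)
    return dict(sorted(stats.items()))
```

With the sample, the group entry is present at depths 0 and 1 and absent from depth 2 onward, which is what one pass of the Win2K dialog would leave behind according to the report; re-running the check after each pass shows how far the change has crept.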

