[Samba] Samba3 ACL problem with Windows XP

plug bert plugbert at yahoo.com
Wed Aug 16 08:53:31 GMT 2006


Hello!

  A good day to you all. I seem to be experiencing a
quirk with my test setup, as I am unable to delete
files/folders even with the proper ACL entries.

I am using the stock Samba 3 package on
FC4 (samba-3.0.14a-2), and have set up winbind
authentication against a Windows NT 4 PDC. I've
created two users, user1 and user2, which have their
primary group set to group1 (gid=16777221) as shown:

[root@localhost]# id user1
uid=16777450(user1) gid=16777221 groups=16777221

[root@localhost]# id user2
uid=16777451(user2) gid=16777221 groups=16777221


I've created the "data" share, made the "admin_stuff"
directory and have set the access/default ACLs as
follows:

[root@localhost]# getfacl /data/admin_stuff
getfacl: Removing leading '/' from absolute path names
# file: /data/admin_stuff
# owner: root
# group: root
user::rwx
group::rwx
group:16777221:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:16777221:rwx
default:mask::rwx
default:other::---


I then logged on as user1 using a Windows 2000 PC, and
logged on as user2 on a Windows XP PC.

I used the user1 account to create the file user1.txt,
and used user2.txt to create user2.txt on the said
directory. The getfacl entries are as follows:


[root@localhost ADMIN]# getfacl user1.txt
# file: user1.txt
# owner: new
# group: 16777221
user::rwx
group::---
group:16777221:rwx
mask::rwx
other::---


[root@localhost ADMIN]# getfacl user2.txt
# file: user2.txt
# owner: new2
# group: 16777221
user::rwx
group::---
group:16777221:rwx
mask::rwx
other::---



    I have no problems editing either file using
either account. But I can't seem to delete user1.txt
when logged on as user2 on the WinXP machine. I got
this error:

"Cannot delete user1.txt: Access is denied. Make sure
the disk is not full or write-protected and that the
file is not currently in use."


    However, I have no problems deleting user2.txt
when logged on as user1 on the Windows 2000 machine.


My smb.conf is as follows:

######################################################
#======================= Global Settings =====================================
[global]

   workgroup = TESTDOMAIN
   netbios name = ENTERPRISE
   server string = Test Server
   hosts allow = 192.168.0. 192.168.1.
;   load printers = yes
;   printing = cups
;   cups options = raw
   log file = /var/log/samba/%m.log

   max log size = 1048576

   security = server
   password server = *

  password level = 30
  username level = 30
  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


   remote announce = 192.168.0.255 192.168.1.255
   local master = no
   os level = 33
  name resolve order = wins lmhosts bcast
  wins server = 192.168.0.44
  preserve case = yes
  case sensitive = no

#============================ Share Definitions ==============================
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false

   winbind separator = +
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
  
   nt acl support = yes
   inherit acls = no
   ea support = yes

#   auth methods = winbind
   follow symlinks = yes
   wide links = yes 
   log level = 20


[data]
create mask = 0700
#force create mode = 0777
path = /data
browsable = yes
writable = yes

######################################################

    Any ideas? Thanks







