[Samba] samba 3.0.22 default ACL issue

sylvain.david at etranges-libellules.fr sylvain.david at etranges-libellules.fr
Tue Jul 4 14:03:55 GMT 2006


Hi,

I use Samba 3.0.22 as a PDC on Debian, with workstations running Windows XP 
SP1 and SP2.
I use ACLs to have fine-grained access rules.

When I copy a directory from a client to a Samba share, the default ACLs are 
not inherited.
Example: after I copy the directory A to the Samba share:
getfacl A/
# file: A/
# owner: user1
# group: sambausers
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

But the parent directory does have default ACLs, as I can show:
getfacl .
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---

Is this a bug? Default ACLs are applied when I copy files, so why is the 
behavior different for directories and files?
I noticed that it happens only for local directories that belong to 
MYDOMAIN\user.  If the owner of the local directory is 
LOCALCOMPUTER\user, the default ACLs are applied correctly. But once 
again, this concerns only directories: when a file belongs to MYDOMAIN\user, 
the ACLs are applied correctly.

All I want is for the default ACLs to be applied every time, whatever the 
owner of the local directory.

I tried playing with "directory security mask", "force directory security 
mode" and "inherit permissions", without success.
Thank you for your help; I really don't know what to do.

My smb.conf looks like this:

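# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
# NOTE(review): in the pasted copy the long values below ("passwd chat",
# "add machine script", "add user script") were wrapped by the mail client;
# each must be a single line in the real smb.conf, as restored here.
[global]
        # DOS code page used by clients and the filesystem charset on the server
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = elb-lyon
        netbios name = server02
        server string = server02.elb-lyon
        # browse-election and domain-controller role for this PDC
        os level = 65
        domain logons = Yes
        domain master = Yes
        local master = Yes
        preferred master = Yes
        wins support = Yes

        # password changes are propagated to the UNIX account through passwd(1)
        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        # SECURITY: with "passwd chat debug" enabled the whole chat exchange,
        # including the new plaintext password, is written to the smbd log at
        # debug level 100. Harmless while "log level = 2", but it becomes a
        # credential leak the moment the level is raised for troubleshooting.
        # Set it to No once the chat script is known to work.
        passwd chat debug = Yes
        pam password change = Yes
        unix password sync = Yes

        # logging: nothing to syslog, one log file per client, size cap in KB
        syslog = 0
        log level = 2
        # log level max = 10
        log file = /var/log/samba/log.%m
        max log size = 25600
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        # NOTE(review): only "root2" is denied here; root itself may still
        # connect over SMB and is listed in several shares' "valid users".
        invalid users = root2

        # default per-user settings handed out at logon
        logon drive = P:
        logon home = \\server02\%U
        logon path = \\server02\profiles\%U
        logon script = %U.cmd

        # automatic POSIX account management (user / machine / group
        # provisioning). %u and %g are single-quoted so a name containing
        # shell metacharacters is passed as one argument to the command.
        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
        add group script = /usr/sbin/groupadd '%g'
        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
        delete user script = /usr/sbin/userdel -r '%u'
        delete group script = /usr/sbin/groupdel '%g'
        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
        set primary group script = /usr/sbin/usermod -g '%g' '%u'

        # names hidden from clients and made inaccessible on every share
        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

        guest account = guest

        # only the local LAN (192.168.0.0/24) and loopback may connect
        hosts allow = 192.168.0. 127.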

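# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
[homes]
        # %u expands to the connecting user's name and %S to the share name
        # (the user's own name on a [homes] connection), so each user can
        # reach only their own home directory
        path = /mnt/SAN01/vd3_home2/home2/%u
        comment = Home Directories
        valid users = %S
        guest ok = No
        writable = Yes
        # new files and directories are private to their owner
        create mask = 0700
        directory mask = 0700
        browseable = No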

[netlogon]
        comment = Partage NetLogon
        path = /mnt/SAN01/vd3_home2/netlogon
        # logon scripts (%U.cmd, see "logon script" in [global]) are fetched
        # from here, so the share stays read-only: clients must never be able
        # to alter what other workstations will execute at logon
        read only = yes
        guest ok = no
        browseable = no
        valid users = @sambausers @sambaguests root

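[profiles]
        comment = Profils utilisateurs
        path = /mnt/SAN01/vd3_home2/profiles
        valid users = @sambausers @sambaguests root
        guest ok = No
        writable = Yes
        # roaming profiles hold per-user data; make both files and directories
        # owner-only, consistent with [homes]. "create mode" is a synonym of
        # "create mask"; the original set it without the matching
        # "directory mask", leaving new profile directories at Samba's default
        # of 0755.
        create mode = 0700
        directory mask = 0700
        browseable = No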

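# -----------------------------------------------------------------------------
# Shares
# -----------------------------------------------------------------------------
[vd1_echange]
        comment = Zone d'echange.
        path = /mnt/SAN01/vd1_echange
        valid users = root @sambaadmins @sambaguests @User_Standard
        guest ok = No
        writable = Yes
        # group-writable creation modes; the POSIX default ACLs on the tree are
        # what actually grant per-group access
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        # inherit permissions = yes
        # "inherit acls" makes Samba create new files and directories with
        # mode 0777 so that the parent's POSIX default ACL entries are not
        # masked out.
        # NOTE(review): this governs only the mode used at create time. If the
        # client afterwards sets an explicit security descriptor on the new
        # directory, that ACL replaces the inherited one; raising the global
        # "log level" temporarily should show whether that is what the XP
        # clients do for directories owned by MYDOMAIN\user.
        inherit acls = yes
        # users see only the entries they have permission to read
        hide unreadable = Yes
        # tried without effect on the issue; kept commented for reference
        # directory security mask = 0000
        # force directory security mode = 0777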



-- 
Sylvain DAVID / administrateur réseau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --


