[Samba] samba 3.0.22 default ACL issue

sylvain.david at etranges-libellules.fr sylvain.david at etranges-libellules.fr
Wed Jul 12 15:12:04 GMT 2006


Hi,

I sent an email to the bestbits mailing list 
(http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) 
because, if nobody answers on this mailing list, it's probably directly 
linked to ACLs?
But I really don't know if the problem is only with bestbits or only 
with samba, because I can reproduce the bug only in samba, not in the 
console. So this bug seems to be linked to samba?

Am I the only one who would like to use ACLs? Are there any other 
solutions to have fine-grained access rules which work with samba 
(like trustees)?
Because if default ACLs don't work, I think using ACLs makes no sense.

For the while - hoping sometime this bug will be fixed - I use a dirty 
script run by cron which checks & fixes ACLs.
I know it's dirty... but do I have any other choice?

I give up on this mystery. I'm too tired.

sylvain.david at etranges-libellules.fr wrote:
> Hi,
>
> I use samba 3.0.22 as PDC on Debian with workstations under Windows XP 
> SP1 and SP2.
> I use ACLs to have fine-grained access rules.
>
> When I copy a directory from a client to a samba share, default ACLs 
> are forgotten.
> Example: after I copy the directory A to the samba share:
> getfacl A/
> # file: A/
> # owner: user1
> # group: sambausers
> user::rwx
> group::---
> other::---
> default:user::rwx
> default:group::---
> default:other::---
>
> But the parent directory has default ACLs; I can prove it:
> getfacl .
> # file: .
> # owner: user1
> # group: sambausers
> user::rwx
> user:root:rwx
> user:bacula:r-x
> group::---
> group:sambaguests:rwx
> group:User_Standard:rwx
> group:User_Lead:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:bacula:r-x
> default:group::---
> default:group:sambaguests:rwx
> default:group:User_Standard:rwx
> default:group:User_Lead:rwx
> default:mask::rwx
> default:other::---
>
> Is it a bug? Because default ACLs are applied if I copy files. So why 
> the different behavior between directories and files?
> I noticed that it happens only to local directories which belong to 
> MYDOMAIN\user.  If the owner of the local directory is 
> LOCALCOMPUTER\user the default ACLs are applied correctly. But once 
> again, it concerns only directories. When the file belongs to 
> MYDOMAIN\user, ACLs are applied correctly.
>
> All I want is that default ACLs are applied all the time, whatever 
> the owner of the local directory.
>
> I tried to play with "directory security mask", "force directory 
> security mode" and "inherit permissions" without success.
> Thank you for your help, I really don't know what to do.
>
> My smb.conf looks like this:
>
> # -----------------------------------------------------------------------------
> # Global parameters
> # -----------------------------------------------------------------------------
>
> [global]
>        dos charset = 850
>        unix charset = ISO8859-1
>        workgroup = elb-lyon
>        netbios name = server02
>        server string = server02.elb-lyon
>        os level = 65
>        domain logons = Yes
>        domain master = Yes
>        local master = Yes
>        preferred master = Yes
>        wins support = Yes
>
>        obey pam restrictions = Yes
>        passdb backend = tdbsam, guest
>        passwd program = /usr/bin/passwd %u
>        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>        passwd chat debug = Yes
>        pam password change = Yes
>        unix password sync = Yes
>
>        syslog = 0
>        log level = 2
>        # log level max = 10
>        log file = /var/log/samba/log.%m
>        max log size = 25600
>        dns proxy = No
>        panic action = /usr/share/samba/panic-action %d
>        invalid users = root2
>
>        # default samba user settings
>        logon drive = P:
>        logon home = \\server02\%U
>        logon path = \\server02\profiles\%U
>        logon script = %U.cmd
>
>        # automatic POSIX account management :)
>        # POSIX account management
>        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
>        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
>        add group script = /usr/sbin/groupadd '%g'
>        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
>        delete user script = /usr/sbin/userdel -r '%u'
>        delete group script = /usr/sbin/groupdel '%g'
>        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
>        set primary group script = /usr/sbin/usermod -g '%g' '%u'
>
>        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
>
>        guest account = guest
>
>        hosts allow = 192.168.0. 127.
>
> # -----------------------------------------------------------------------------
> # Required for the domain
> # -----------------------------------------------------------------------------
>
> [homes]
>        path = /mnt/SAN01/vd3_home2/home2/%u
>        comment = Home Directories
>        valid users = %S
>        guest ok = No
>        writable = Yes
>        create mask = 0700
>        directory mask = 0700
>        browseable = No
>
> [netlogon]
>        path = /mnt/SAN01/vd3_home2/netlogon
>        comment = Partage NetLogon
>        valid users = @sambausers @sambaguests root
>        guest ok = No
>        read only = Yes
>        browseable = No
>
> [profiles]
>        path = /mnt/SAN01/vd3_home2/profiles
>        comment = Profils utilisateurs
>        valid users = @sambausers @sambaguests root
>        guest ok = No
>        writable = Yes
>        create mode = 0700
>        browseable = No
>
> # -----------------------------------------------------------------------------
> # Shares
> # -----------------------------------------------------------------------------
>
> [vd1_echange]
>        comment = Zone d'echange.
>        path = /mnt/SAN01/vd1_echange
>        valid users = root @sambaadmins @sambaguests @User_Standard
>        guest ok = No
>        writable = Yes
>        create mask = 0770
>        directory mask = 0770
>        browseable = yes
>        # inherit permissions = yes
>        inherit acls = yes
>        hide unreadable = Yes
>        # directory security mask = 0000
>        # force directory security mode = 0777
>
>
>

-- 
Sylvain DAVID / administrateur réseau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --
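As an added example (this is not the author's cron script, which the thread does not include), here is the check that such a script has to perform: it parses the two getfacl listings quoted above, reports which default-ACL entries the copied directory A/ failed to inherit from its parent, and builds the setfacl -d -m command that re-adds them. The two listings are constructed from the quoted output; a real cron job would feed it live getfacl output for each directory under the share.

```python
import shlex

# Constructed sample input: the two getfacl listings quoted in this thread.
PARENT_GETFACL = "\n".join([
    "# file: .", "# owner: user1", "# group: sambausers",
    "user::rwx", "user:root:rwx", "user:bacula:r-x", "group::---",
    "group:sambaguests:rwx", "group:User_Standard:rwx", "group:User_Lead:rwx",
    "mask::rwx", "other::---",
    "default:user::rwx", "default:user:root:rwx", "default:user:bacula:r-x",
    "default:group::---", "default:group:sambaguests:rwx",
    "default:group:User_Standard:rwx", "default:group:User_Lead:rwx",
    "default:mask::rwx", "default:other::---",
])
CHILD_GETFACL = "\n".join([
    "# file: A/", "# owner: user1", "# group: sambausers",
    "user::rwx", "group::---", "other::---",
    "default:user::rwx", "default:group::---", "default:other::---",
])

def parse_getfacl(text):
    """Parse one getfacl listing into {(is_default, tag, qualifier): perms}; header
    lines and the '#effective:' notes printed when the mask narrows an entry are dropped."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        is_default = fields[0] == "default"
        tag, qualifier, perms = fields[1:] if is_default else fields
        acl[(is_default, tag, qualifier)] = perms
    return acl

def default_acl_diff(parent_text, child_text):
    """Default entries of the parent that the child directory did not inherit into
    its own default ACL, as (tag, qualifier, expected, actual); actual is None when
    the entry is absent.  An empty list means inheritance worked."""
    parent, child = parse_getfacl(parent_text), parse_getfacl(child_text)
    return [(tag, qual, perms, child.get((True, tag, qual)))
            for (is_default, tag, qual), perms in parent.items()
            if is_default and child.get((True, tag, qual)) != perms]

def setfacl_fix_command(path, diff):
    """setfacl invocation that re-adds the missing default entries on path."""
    specs = ",".join("%s:%s:%s" % (tag, qual, perms) for tag, qual, perms, _ in diff)
    return "setfacl -d -m %s %s" % (specs, shlex.quote(path))

if __name__ == "__main__":
    diff = default_acl_diff(PARENT_GETFACL, CHILD_GETFACL)
    print(setfacl_fix_command("A/", diff))
```

Only the default ACL is compared here; the named entries that a fresh directory should also receive in its access ACL can be checked the same way with is_default set to False.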


