[Samba] samba 3.0.22 default ACL issue

sylvain.david at etranges-libellules.fr
Wed Jul 12 15:49:56 GMT 2006


Thank you Simo.

Yes, in fact I explain this behaviour as you said: Windows changes the 
ACLs to match those on its own filesystem.
But it's weird: why only on directories? And if this really is a 
"feature", are there any tricks to avoid it, like a registry key?
Or do I need to use a Windows server to play with Active Directory and 
security policy?

Sylvain.

simo wrote:
> Sylvain if I understand your problem correctly, you are getting problems
> with a Windows "feature".
>
> IIRC what happens is that when you copy a directory, Windows also changes
> the ACLs to match those on its own filesystem (if it recognizes that the
> user belongs to the domain).
>
> I don't think this is a samba problem.
>
> Simo.
>
> On Wed, 2006-07-12 at 17:12 +0200, sylvain.david at etranges-libellules.fr
> wrote:
>   
>> Hi,
>>
>> I sent an email to the bestbits mailing list 
>> (http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) 
>> because if nobody answers on this mailing list, it's probably directly 
>> linked to ACLs?
>> But I really don't know whether the problem is only with bestbits or only 
>> with Samba, because I can reproduce the bug only through Samba, not from 
>> the console. So this bug seems to be linked to Samba?
>>
>> Am I the only one who would like to use ACLs? Is there any other 
>> solution for fine-grained access rules that works with Samba 
>> (like trustees)?
>> Because if default ACLs don't work, I think using ACLs makes no sense.
>>
>> For now, hoping this bug will be fixed some day, I use a dirty 
>> script run by cron which checks and fixes ACLs.
>> I know it's dirty... but do I have any other choice?
>>
>> I give up on this mystery. I'm too tired.
>>
>> sylvain.david at etranges-libellules.fr wrote:
>>     
>>> Hi,
>>>
>>> I use Samba 3.0.22 as PDC on Debian with workstations under Windows XP 
>>> SP1 and SP2.
>>> I use ACLs to have fine-grained access rules.
>>>
>>> When I copy a directory from a client to a Samba share, default ACLs 
>>> are forgotten.
>>> Example: after I copy the directory A to the Samba share:
>>> getfacl A/
>>> # file: A/
>>> # owner: user1
>>> # group: sambausers
>>> user::rwx
>>> group::---
>>> other::---
>>> default:user::rwx
>>> default:group::---
>>> default:other::---
>>>
>>> But the parent directory has default ACLs; I can prove it:
>>> getfacl .
>>> # file: .
>>> # owner: user1
>>> # group: sambausers
>>> user::rwx
>>> user:root:rwx
>>> user:bacula:r-x
>>> group::---
>>> group:sambaguests:rwx
>>> group:User_Standard:rwx
>>> group:User_Lead:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:bacula:r-x
>>> default:group::---
>>> default:group:sambaguests:rwx
>>> default:group:User_Standard:rwx
>>> default:group:User_Lead:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Is it a bug? Because default ACLs are applied if I copy files. So why 
>>> the different behaviour between directories and files?
>>> I noticed that it happens only to local directories which belong to 
>>> MYDOMAIN\user.  If the owner of the local directory is 
>>> LOCALCOMPUTER\user the default ACLs are applied correctly. But once 
>>> again, it concerns only directories. When the file belongs to 
>>> MYDOMAIN\user the ACLs are applied correctly.
>>>
>>> All I want is for default ACLs to be applied all the time, whatever 
>>> the owner of the local directory.
>>>
>>> I tried playing with "directory security mask", "force directory 
>>> security mode" and inherit permissions, without success.
>>> Thank you for your help, I really don't know what to do.
>>>
>>> My smb.conf looks like this:
>>>
>>> # -----------------------------------------------------------------------------
>>>
>>> # Global parameters
>>> # -----------------------------------------------------------------------------
>>>
>>> [global]
>>>        dos charset = 850
>>>        unix charset = ISO8859-1
>>>        workgroup = elb-lyon
>>>        netbios name = server02
>>>        server string = server02.elb-lyon
>>>        os level = 65
>>>        domain logons = Yes
>>>        domain master = Yes
>>>        local master = Yes
>>>        preferred master = Yes
>>>        wins support = Yes
>>>
>>>        obey pam restrictions = Yes
>>>        passdb backend = tdbsam, guest
>>>        passwd program = /usr/bin/passwd %u
>>>        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>>        passwd chat debug = Yes
>>>        pam password change = Yes
>>>        unix password sync = Yes
>>>
>>>        syslog = 0
>>>        log level = 2
>>>        # log level max = 10
>>>        log file = /var/log/samba/log.%m
>>>        max log size = 25600
>>>        dns proxy = No
>>>        panic action = /usr/share/samba/panic-action %d
>>>        invalid users = root2
>>>
>>>        # default per-user samba settings
>>>        logon drive = P:
>>>        logon home = \\server02\%U
>>>        logon path = \\server02\profiles\%U
>>>        logon script = %U.cmd
>>>
>>>        # automatic POSIX account management :)
>>>        # POSIX account management
>>>        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
>>>        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
>>>        add group script = /usr/sbin/groupadd '%g'
>>>        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
>>>        delete user script = /usr/sbin/userdel -r '%u'
>>>        delete group script = /usr/sbin/groupdel '%g'
>>>        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
>>>        set primary group script = /usr/sbin/usermod -g '%g' '%u'
>>>
>>>        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/
>>>
>>>        guest account = guest
>>>
>>>        hosts allow = 192.168.0. 127.
>>>
>>> # -----------------------------------------------------------------------------
>>>
>>> # Required for the domain
>>> # -----------------------------------------------------------------------------
>>>
>>> [homes]
>>>        path = /mnt/SAN01/vd3_home2/home2/%u
>>>        comment = Home Directories
>>>        valid users = %S
>>>        guest ok = No
>>>        writable = Yes
>>>        create mask = 0700
>>>        directory mask = 0700
>>>        browseable = No
>>>
>>> [netlogon]
>>>        path = /mnt/SAN01/vd3_home2/netlogon
>>>        comment = NetLogon share
>>>        valid users = @sambausers @sambaguests root
>>>        guest ok = No
>>>        read only = Yes
>>>        browseable = No
>>>
>>> [profiles]
>>>        path = /mnt/SAN01/vd3_home2/profiles
>>>        comment = User profiles
>>>        valid users = @sambausers @sambaguests root
>>>        guest ok = No
>>>        writable = Yes
>>>        create mode = 0700
>>>        browseable = No
>>>
>>> # -----------------------------------------------------------------------------
>>>
>>> # Shares
>>> # -----------------------------------------------------------------------------
>>>
>>> [vd1_echange]
>>>        comment = Exchange area.
>>>        path = /mnt/SAN01/vd1_echange
>>>        valid users = root @sambaadmins @sambaguests @User_Standard
>>>        guest ok = No
>>>        writable = Yes
>>>        create mask = 0770
>>>        directory mask = 0770
>>>        browseable = yes
>>>        # inherit permissions = yes
>>>        inherit acls = yes
>>>        hide unreadable = Yes
>>>        # directory security mask = 0000
>>>        # force directory security mode = 0777
>>>
>>>
>>>
>>>       

-- 
Sylvain DAVID / network administrator

        addr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --
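
The cron-driven "check and fix" approach mentioned in the thread, as an added example that is not code from the thread or from Samba: it parses getfacl output for a parent directory and for a subdirectory copied under it, lists the named user/group entries of the parent's default ACL that the subdirectory lost (the ones the client overwrote when it set an explicit security descriptor), and builds the setfacl command that puts them back into both the access ACL and the default ACL. The two getfacl dumps are constructed, abridged from the output quoted above; the share path, the decision to compare only named entries (owner, group, other and mask entries are left to the directory mask) and the print-then-pipe-to-sh workflow are assumptions.

```python
"""Audit subdirectories of a Samba share against the parent's POSIX default ACL and
build the setfacl command that restores entries a client overwrote. Constructed
example for the thread above, not code from it or from Samba."""
import os
import shlex
import subprocess
from typing import NamedTuple


class AclEntry(NamedTuple):
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # user/group name; "" for owner, owning group, mask and other
    perms: str      # "rwx", "r-x", "---", ...

    def spec(self, default=False):
        """setfacl -m form of the entry, e.g. u:root:rwx or d:g:User_Lead:rwx."""
        short = {"user": "u", "group": "g", "mask": "m", "other": "o"}[self.tag]
        text = "%s:%s:%s" % (short, self.qualifier, self.perms)
        return "d:" + text if default else text


def parse_getfacl(text):
    """Split getfacl output into (path, access entries, default entries)."""
    path, access, default = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            path = line[len("# file:"):].strip()
            continue
        line = line.split("#", 1)[0].strip()  # drops blanks, headers, "#effective:" notes
        if not line:
            continue
        is_default = line.startswith("default:")
        line = line[len("default:"):] if is_default else line
        tag, qualifier, perms = line.split(":", 2)
        (default if is_default else access).append(AclEntry(tag, qualifier, perms))
    return path, access, default


def missing_entries(parent_default, child_access, child_default):
    """Named entries of the parent's default ACL that the child lacks. A directory created
    below such a parent inherits them into both its access ACL and its own default ACL.
    Owner, group, other and mask entries are skipped (assumption): the share's directory
    mask may legitimately narrow them, and setfacl recomputes the mask on -m."""
    named = [e for e in parent_default if e.qualifier]
    return ([e for e in named if e not in child_access],
            [e for e in named if e not in child_default])


def audit(parent_facl, child_facl):
    """Compare two getfacl dumps; return the setfacl command restoring lost entries, or None."""
    _, _, parent_default = parse_getfacl(parent_facl)
    child_path, child_access, child_default = parse_getfacl(child_facl)
    missing_access, missing_default = missing_entries(parent_default, child_access, child_default)
    specs = [e.spec() for e in missing_access] + [e.spec(True) for e in missing_default]
    if not specs:
        return None
    return "setfacl -m %s %s" % (",".join(specs), shlex.quote(child_path))


def audit_tree(root):
    """Walk a live share and yield one repair command per subdirectory that lost entries.
    Prints only: review the commands, then pipe them to sh from the cron job."""
    def facl(path):  # -p keeps the absolute path in the "# file:" header line
        return subprocess.run(["getfacl", "-p", path], capture_output=True, text=True,
                              check=True).stdout
    for dirpath, dirnames, _ in os.walk(root):
        parent_facl = facl(dirpath)
        for name in dirnames:
            cmd = audit(parent_facl, facl(os.path.join(dirpath, name)))
            if cmd:
                yield cmd


# Constructed sample, abridged from the getfacl output quoted in the thread.
PARENT_FACL = """\
# file: .
# owner: user1
user::rwx
user:root:rwx
group::---
group:User_Standard:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:User_Standard:rwx
default:mask::rwx
default:other::---
"""
CHILD_FACL = """\
# file: A/
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
"""
```

For the sample above `audit(PARENT_FACL, CHILD_FACL)` yields `setfacl -m u:root:rwx,g:User_Standard:rwx,d:u:root:rwx,d:g:User_Standard:rwx A/`. On the server, `for cmd in audit_tree("/mnt/SAN01/vd1_echange"): print(cmd)` from the cron job lists the repairs; review them before piping to sh, because reapplying the parent's entries re-grants access on any subdirectory whose owner tightened the ACL on purpose, so the script belongs only on share areas where the inherited ACL is the intended policy.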


