[Samba] Problem with ACL and Samba

Felipe Tocchetto felipe at tocchetto.com
Thu Dec 20 23:47:48 GMT 2007


Hey Robert

Thanks for your mail, here is what I did:

1. Set the ACLs to all dirs and files in the ADM dir:

find adm/ -type f -exec setfacl -m g:administ:rwx {} \;
find adm/ -type f -exec setfacl -m g:administ:rwx {} \;

3. Setting the default ACLs to the ADM dir:

setfacl -d -m u::rwx,g::rwx,o::--- adm/
setfacl -d -m g:administ:rwx adm/

4. Setting the default ACLs to all subdirs on ADM

find adm/ -type d -exec setfacl -d -m u::rwx,g::rwx,o::--- {} \;
find adm/ -type d -exec setfacl -d -m g:administ:rwx {} \;

5. In the Samba server I did this conf:

        valid users =  suporte,administ
        write list =  suporte,administ
        read only = No
      * force security mode = 0770
        force create mode = 0777
        force directory mode = 0777
        inherit permissions = Yes

The most important flag, the one that solved the problem, is force security mode = 0770.

Thanks a lot for all replies!

Felipe

On Dec 19, 2007 11:21 PM, Cybionet <cybionet at videotron.ca> wrote:

> Greetings Felipe,
>
> Here is a solution for your problem (I hope so). It works for me with
> MSOffice 2000/2003.
>
> First you need to set the POSIX rights before ACL(EA). These rights will
> be the base for your "real" permissions.
>
> - Create your folder, and set 2775 or 2770 permissions.
> - Then assign the owner and group to root:root (you will understand
> shortly why).
> - Now you are ready to set the ACL(EA) permissions.
>
> The use of the 2775 permissions will give access to the folder and its
> subdirectory for the share of the files. Or use directly the 2770
> permissions to limit access and share immediately your files in the
> folder.
>
> The SGID defined in this permission allows the group to never be changed,
> whatever the group of the owner who creates a new file or changes an
> existing file. The owner has no importance, because it will be changed at
> the creation or modification of the file (the goal is to know who
> has made the change).
>
> For the share configuration, I suggest something like this. The only
> very important parameters are "force create mode = 660" and "directory
> mode = 770".
>
> [workspace]
>
> comment = Whatever
> path = /pat/to/my/folder
>
> browseable = yes
> read only = no
>
> force create mode = 660
> directory mode = 770
>
> csc policy = disable
>
>
> Best Regards
>
> Robert
>
> --
> Cybionet - Solution reseautique
> http://www.cybionet.com
>
> > Dear All
> >
> > I am facing a strange problem that I could not solve, so, maybe you
> > can help me.
> >
> > Look at this situation:
> >
> > I created a new directory with those ACLs (through Samba using Windows
> > XP)
> >
> > [root at server /home/smb/adm]# getfacl teste
> > #file:teste
> > #owner:1002
> > #group:1006
> > user::rwx
> > group::rwx
> > group:suporte:rwx
> > group:administ:rwx
> > mask::rwx
> > other::---
> >
> > [root at server /home/smb/adm]# getfacl -d teste
> > #file:teste
> > #owner:1002
> > #group:1006
> > user::rwx
> > group::rwx
> > group:suporte:rwx
> > group:administ:rwx
> > mask::rwx
> > other::---
> >
> > My ACLs are right, ok, now I will copy an XLS file to that folder:
> >
> > [root at server /home/smb/adm]# getfacl teste/excel-test.xls
> > #file:teste/excel-test.xls
> > #owner:1002
> > #group:1006
> > user::rwx
> > group::rw-
> > group:suporte:rwx
> > group:administ:rwx
> > mask::rwx
> > other::---
> >
> > OK, the samba server inherits the permissions and the ACLs, everything
> > is fine until now.
> >
> > But when I edit this file with MS Excel, and save it, look what happens
> > to the ACLs:
> >
> > [root at server /home/smb/adm]# getfacl teste/excel-test.xls
> > #file:teste/excel-test.xls
> > #owner:1002
> > #group:1006
> > user::rwx
> > group::---
> > group:suporte:rwx
> > mask::rwx
> > other::---
> >
> > The ACL entry "group:administ:rwx" has just gone after I save the file.
> >
> > It happens with Windows XP, Vista, Office 2003 and 2007. My samba
> > version is Samba version 3.0.26a, my OS is FreeBSD 6.2. I installed
> > samba through Ports.
> >
> > Does anybody know what is wrong?
> >
> > Thanks a lot!
> >



-- 
Felipe Tocchetto
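
A check for the symptom described in this thread, added here as an example and not part of the original messages: it compares the named entries in a directory's default ACL with those on a file inside it and lists any the file has lost. The function names are hypothetical, and the sample input is copied from the getfacl output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): report named ACL entries that a
# directory's default ACL grants but a file inside it no longer carries.

# named_entries: read getfacl-style text on stdin and print "type:name" for
# each named user/group entry (owner, owning group, mask and other are skipped).
named_entries() {
    awk -F: '
        /^#/ { next }                  # header lines (#file, #owner, #group)
        { sub(/^default:/, "") }       # Linux getfacl -d prefixes each entry
        ($1 == "user" || $1 == "group") && $2 != "" { print $1 ":" $2 }
    ' | sort -u
}

# missing_acl_entries DEFAULT_ACL_TEXT FILE_ACL_TEXT
# Print every named entry found in the first text but absent from the second.
missing_acl_entries() {
    want=$(printf '%s\n' "$1" | named_entries)
    have=$(printf '%s\n' "$2" | named_entries)
    printf '%s\n' "$want" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$have" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Sample input: "getfacl -d teste" as quoted in the thread.
DIR_DEFAULT_ACL='#file:teste
#owner:1002
#group:1006
user::rwx
group::rwx
group:suporte:rwx
group:administ:rwx
mask::rwx
other::---'

# Sample input: "getfacl teste/excel-test.xls" after the Excel save.
FILE_ACL_AFTER_SAVE='#file:teste/excel-test.xls
#owner:1002
#group:1006
user::rwx
group::---
group:suporte:rwx
mask::rwx
other::---'

# On a live system: missing_acl_entries "$(getfacl -d DIR)" "$(getfacl FILE)"
missing_acl_entries "$DIR_DEFAULT_ACL" "$FILE_ACL_AFTER_SAVE"
```

Running this against a share after a test save from Office shows whether the smb.conf change keeps the inherited entries on rewritten files.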

