[Samba] Samba ACL bug?

H.Kitagawa fj6521er at aa.jp.fujitsu.com
Fri Jan 26 06:28:18 GMT 2007 

Hello,
My name is Hiro.

I'm using samba 3.0.21b-2(acl) and RHEL4.1(kernel 2.6.9-11.ELsmp) + AD Server

Following problem:
When the attribute of the group of the folder was set to a full control twice, 
the member of the group became inaccessible. 

I want to know this problem is BUG or SPEC.

One example

[smb.conf]
 security = ADS
 acl check permissions = no
 acl group control = no
 acl map full control = yes
 inherit acls = yes

[User]
 KITA at fjsv002 [uid=10000(KITA at fjsv002) gid=10000(KITA at domain users) groups=10000(KITA at domain users)]
 KITA at fjsv003 [uid=10002(KITA at fjsv003) gid=10000(KITA at domain users) groups=10000(KITA at domain users)]

STEP1.The folder was made by using the Explorer of Windows. 

ACL state is as follows. 
[root at sambaSV pub]# getfacl testfolder
# file: testfolder
# owner: KITA at fjsv002
# group: KITA at domain\040users
user::rwx
group::rwx
other::---

STEP2.The folder attribute is changed from the security tab. 

"Domain Users(KITA\Domain Users)"
  $B"*(B"full control" checked and execute.

[root at sambaSV pub]# getfacl testfolder
# file: testfolder
# owner: KITA at fjsv002
# group: KITA at domain\040users
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

At this point, the member of the Domain Users group can access the "testfolder". 

STEP3.The folder attribute is changed again. 

"Domain Users(KITA\Domain Users)"
  $B"*(B"full control" checked and execute.

[root at sambaSV pub]# getfacl testfolder
# file: testfolder
# owner: KITA at fjsv002
# group: KITA at domain\040users
user::rwx
mask::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:KITA at domain\040users:rwx
default:mask::rwx
default:other::---

Then, the member of the Domain Users group became inaccessible the folder. 

[root at sambaSV pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003
Password:
Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2]
smb: \> cd testfolder
smb: \testfolder\> ls
NT_STATUS_ACCESS_DENIED listing \testfolder\*

                32768 blocks of size 131072. 30551 blocks available
smb: \testfolder\> cd ..

*******************************
Hironori KITAGAWA

Japan
*******************************

More information about the samba mailing list