[Samba] ACL inherit and windows folder security settings

E.V. Suprun sev at bsuir.by
Mon Oct 8 14:10:47 GMT 2007 

We have the following share:

[users]
        path = /home
        read only = No
        inherit acls = yes
        inherit permissions = yes
        inherit owner = yes

the /home permissions are:
drwxr-xr-x  ... root root ... /home

There are /home/user1, /home/user2, ... folders.  When they are created
their permissions are set like this:

drwx--Sr-x  ... user1 "Domain Users" ... /home/user1

The server is a SuSE 9.3 Samba/LDAP PDC working fine. Granting no
access to "Domain Users" to /home/user1 makes impossible to user2, user3
... to go into the home folder of user1. The setgid flag makes all files
and folders inside /home/user1 belong to the same group "Domain Users.
The users may have /home/????/public_html folder, so we need access to
other (non-Domain-Users) users, e.g. wwwrun running the apache server.

User1 may grant access to e.g. user3, by changing \\SERVER\USERS\user1
folder security properties on a Windows workstation. We work now with
Samba 3.0.23d, and the only caveat is that Everyone (other) get "No
access" along with Read access, but this is fixed simply by granting
read access to Everyone (other) explicitely. Then the user1 may
propagate the  \\SERVER\USERS\user1 security settings into his home
folder. In the same way the User1 may revoke access from user3 to e.g.
\\SERVER\USERS\user1\public_html or to his other folder.

That works in Samba 3.0.23d, but doesn't function in the current
version (3.0.26a), and in some previous versions I tried earlier. I
tried various config settings concerning acls but with no success. In
other words, I failed to find out a way to stop the inheritance of ACLs
at the level of a folder in the current Samba version. The only way is
setfacl -x ..., setfacl -b ... from a linux shell, which is surely not
convenient for a Windows user.

Another bad thing is when propagating the security settings of a
\\SERVER\USERS\user1folder, e.g. with the settings like this: user1 -
full access, user3 - read, domain users - no access, everyone (other) -
read. After the propagation all files & folders have "domain users -
read access" (?!). I'm still working with Samba 3.0.23d which doesn't
have that bevaviour. Well, the current Samba version propagates also the
rights of the root user and root group to the \\SERVER\USERS\user1
folder from /home, but that can be tolerated.

I believe the configuration like mine may be popular. If anyone has a
share used in a similar way, and his users work fine with
granting/revoking/propagating permissions in the current Samba version
from Windows workstations, an advice would be greately appreciated.

More information about the samba mailing list