[Samba] permission/acl troubles

Roel van Meer rolek at alt001.com
Tue Oct 9 14:16:51 GMT 2007

Hi list,

Since I've upgraded from samba 3.0.23c to 3.0.25c my ACL's don't work as 
expected anymore. I'm not sure where the problem is, however. The symptoms 
are simple: with 3.0.23c, I could grant and revoke user, group and world 
write access to and from files in a share. With 3.0.25c, I can't do that 
anymore. When I deselect group or world read access and apply the changes, 
I don't get an error, but the permissions aren't changed either.

The release notes mention that posix acl support has been moved to a vfs 
module, but I'm wondering if the problem I have is there: I'm having trouble 
also with the normal permissions of the files.

I compiled samba with --with-acl-support and 
--with-static-modules=vfs_posixacl, while setting 'vfs objects = posixacl' 
in the config stanza for the specific share, but no luck.

Can anyone give me a clue to a config setting or a piece of virtual dead 
tree that I can read?

Thanks a lot.


Some additional info:
compile options:
./configure \
  --enable-cups \
  --enable-static=no \
  --enable-shared=yes \
  --with-fhs \
  --with-acl-support \
  --with-automount \
  --prefix=/usr \
  --localstatedir=/var \
  --bindir=/usr/bin \
  --sbindir=/usr/sbin \
  --with-lockdir=/var/cache/samba \
  --sysconfdir=/etc \
  --with-configdir=/etc/samba \
  --with-privatedir=/etc/samba/private \
  --with-swatdir=/usr/share/swat \
  --with-smbmount \
  --with-quotas \
  --with-syslog \
  --with-utmp \
  --with-libsmbclient \
  --with-winbind \
  --with-ldapsam \
  --with-static-modules=vfs_posixacl \

        workgroup = DEMO
        netbios name = TESTSERVER
        server string = testserver

        interfaces =
        bind interfaces only = Yes
        hosts allow = 192.168.1.

        encrypt passwords = Yes
        username map = /etc/samba/smbusers

        log file = /var/log/samba/samba.log
        max log size=350k
        max open files = 4000
        syslog = 0

        domain logons = Yes
        logon script = %U.bat
        # This is for winNT and possibly win2000
        # The profile share is also needed
        logon path = \\testserver\%U\.profileNT
        # This is for win95 and win98
        logon drive = H:
        logon home = \\testserver\%U

        os level = 254
        preferred master = Yes
        domain master = Yes
        local master = Yes

        wins support = Yes
        time server = Yes
        name resolve order = host wins bcast

        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=example,dc=tld
        ldap machine suffix = ou=users
        ldap user suffix = ou=users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=example,dc=tld
        idmap backend = ldap:ldap://localhost
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        printing = cups
        min print space = 1000
        vfs objects = posixacl

        oplocks = No
        level2 oplocks = No

        path = /tmp/tv
        readlist =
        validusers = +"Domain Users"
        writelist = +"Domain Users"
        vfs objects = posixacl

More information about the samba mailing list