[Samba] ACL strange behaviour

toni tonign at xtec.net
Fri Apr 4 11:39:58 GMT 2008


hi,

i'm experiencing a strange behaviour when setting ACL from Windows XP
clients (server is BDC with LDAP) after migrating service from SLES 9.3
to SLES 10.1:

i can't set ACL to a folder to give access to individual users without
allowing the group of the creator. step by step, i tried to remove group
permissions (which worked fine) but, when i add permissions to other
users, group permissions become effective for the group in the
directory (but not in its subfolders)

the correct behaviour is that i can allow access to several users
without access for the group, and this was working after the migration.

could it be a different ACL behaviour between SLES 9 (Samba
3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba 3.0.28-0.2-1625-SUSE-CODE10)?

how can i get ACL working if so?

information about my configuration:
 * users belong to a common group (i.e., group1) to get access to shares
 * shares are 770 (owner root, group group1)
 * smb config for shares:
    [test]
    path = /data/test
    read only = no
    browseable = no
    create mask = 0660
    directory mask = 0770
    write list = @GROUP1
    read list = @GROUP1
    force group = GROUP1
    valid users = @GROUP1, @"Domain Admins"
 * smb global config (relevant)
    [global]
    netbios name = server
    workgroup = wg
    security = user
    os level = 45
    preferred master = no
    domain master = no
    local master = yes
    mangling method = hash2
    encrypt passwords = yes
    domain logons = yes
    logon path =
    passdb backend = ldapsam:"ldap://localhost"
    ldap suffix = dc=wg,dc=intranet 
    ldap admin dn = cn=Manager,dc=wg,dc=intranet 
    ldap ssl = yes 
    ldap machine suffix = ou=Machines
    ldap user suffix = ou=Users 
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap delete dn = Yes
    enable privileges = yes
    unix password sync = no
    unix extensions = no
    nt acl support = yes
    inherit acls = yes


thanks in advance,

toni

