[Samba] ACL strange behaviour

toni tonign at xtec.net
Fri Apr 4 13:54:18 GMT 2008


hi john,

On Fri, 04 Apr 2008 09:12:38 -0400,
John Drescher <drescherjm at gmail.com> wrote:

> On Fri, Apr 4, 2008 at 7:39 AM, toni <tonign at xtec.net> wrote:
> > hi,
> >
> >  i'm experiencing a strange behaviour when setting ACL from Windows
> > XP clients (server is BDC with LDAP) after migrating service from
> > SLES 9.3 to SLES 10.1:
> >
> >  i can't set ACL to a folder to give access to individual users
> > without allowing the group of the creator. step by step, i tried to
> > remove group permissions (which worked fine) but, when i add
> > permissions to other users, group permissions become effective for
> > the group in the directory (but not in its subfolders)
> >
> >  the correct behaviour is that i can allow access to several users
> >  without access for the group, and this was working after the
> > migration.
> >
> >  it could be a different ACL behaviour between SLES 9 (Samba
> >  3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
> > 3.0.28-0.2-1625-SUSE-CODE10)?
> >
> >  how can i get ACL working if so?
> >
> >     write list = @GROUP1
> >     read list = @GROUP1
> >     force group = GROUP1
> >     valid users = @GROUP1, @"Domain Admins"
> 
> It may be just my testing but I have found when you force things like
> this (and don't just use the unix file system permissions to do the
> same thing) the acls do not work as expected.

i don't understand what you mean by "just use the unix file system
permissions":

# ls -l /data
total 4
drwxrwx--- 6 root GROUP1_W 4096 Apr  4 15:20 test

filesystem is ext3 (also tested with xfs with same result) with acl
enabled (of course)

more information, in some shares i'm using readonly and readwrite
groups:
     write list = @GROUP1_W
     read list = @GROUP1_R
     force group = GROUP1_W
     valid users = @GROUP1_R, @GROUP1_W, @"Domain Admins"

i need to use 'force group' to ensure that users in the same
(readwrite) group get access to every file created by any other group
member in the share.

example of an operation:

* create a folder inside this share (no ACL in the newly created folder)

$ getfacl /data/test/folder
# file: data/test/folder
# owner: USER1
# group: GROUP1_W
user::rwx
group::rwx
other::---

* remove group permissions via Windows XP ACL editor (must be
done denying every Windows ACL for the group):

$ getfacl /data/test/folder
# file: data/test/folder
# owner: USER1
# group: GROUP1_W
user::rwx
user:root:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---

* add permissions for USER2:

$ getfacl /data/test/folder
# file: data/test/folder
# owner: USER1
# group: GROUP1_W
user::rwx
user:root:rwx
user:USER2:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:USER2:r-x
default:group::---
default:mask::rwx
default:other::---

as you can see, group permissions 'come back' after adding permission
for USER2!

i recall this was working with samba on SLES 9.3, so i think it may be
possible on a newer version of samba 3.0.20b (from SLES 9.3)

thanks,

toni


> John
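As an added check (this is not code from the thread or from Samba), here is a small Python parser for getfacl output that applies the POSIX ACL mask and reports what each entry effectively grants. Per acl(5), named users, the owning group and named groups are ANDed with the mask entry, while user:: (owner) and other:: are not; so a group:: line has to be read together with mask::. The first sample is constructed from the third listing above (USER1, USER2, GROUP1_W and the path are the thread's own placeholders); the second is a constructed listing with a restrictive mask, to show group:: reading rwx while the group can effectively only r-x.

```python
"""Added example, not code from the Samba thread: parse getfacl(1) output and
compute the effective permissions each ACL entry grants once the POSIX ACL
mask is applied (acl(5): named users, the owning group and named groups are
ANDed with mask::; user:: and other:: are not masked)."""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

# Constructed sample: the third getfacl listing from the thread (after USER2
# was added from the Windows ACL editor).
SAMPLE_GETFACL = """\
# file: data/test/folder
# owner: USER1
# group: GROUP1_W
user::rwx
user:root:rwx
user:USER2:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:USER2:r-x
default:group::---
default:mask::rwx
default:other::---
"""

# Constructed sample with a restrictive mask: group:: still reads rwx, but the
# mask limits what the owning group (and USER2) can actually do.
SAMPLE_MASKED = """\
# file: data/test/masked
# owner: USER1
# group: GROUP1_W
user::rwx
user:USER2:rwx
group::rwx
mask::r-x
other::---
"""


def perms_to_bits(perms):
    """'r-x' -> 5"""
    return sum(bit for ch, bit in PERM_BITS if ch in perms)


def bits_to_perms(bits):
    """5 -> 'r-x'"""
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS)


def parse_getfacl(text):
    """Return (access, default): lists of (tag, qualifier, bits) tuples.

    Comment lines (# file / # owner / # group) are skipped. A trailing
    '#effective:...' annotation, which getfacl prints when the mask cuts an
    entry down, is dropped because the effective value is recomputed here.
    """
    access, default = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        perms = perms.split()[0]  # ignore '#effective:...' if present
        entry = (tag, qualifier, perms_to_bits(perms))
        (default if is_default else access).append(entry)
    return access, default


def effective_permissions(entries):
    """Map 'tag:qualifier' -> effective bits after applying the mask entry."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    result = {}
    for tag, qualifier, bits in entries:
        # group:: , group:NAME: and user:NAME: are subject to the mask;
        # user:: (owner), other:: and mask:: itself are not.
        subject_to_mask = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and subject_to_mask:
            bits &= mask
        result[f"{tag}:{qualifier}"] = bits
    return result


def owning_group_effective(text):
    """Effective rights of the owning group on the directory itself, e.g. 'rwx'."""
    access, _ = parse_getfacl(text)
    return bits_to_perms(effective_permissions(access)["group:"])


def default_owning_group_effective(text):
    """Effective rights the owning group will inherit on new children, or None
    when the directory carries no default ACL."""
    _, default = parse_getfacl(text)
    if not default:
        return None
    return bits_to_perms(effective_permissions(default)["group:"])


if __name__ == "__main__":
    for name, sample in (("folder", SAMPLE_GETFACL), ("masked", SAMPLE_MASKED)):
        print(name, "group:: effective =", owning_group_effective(sample),
              "| default group:: effective =", default_owning_group_effective(sample))
```

Run against the thread's listing this reports group:: effective rwx on the directory (the mask is rwx, so the group really has full access there) and --- in the default ACL, which matches the observation that the group is allowed on the directory but not on its subfolders. The second sample is the case worth checking whenever a mask entry exists: getfacl prints group::rwx, yet the group's effective rights are r-x, and a plain chmod on such a directory changes the mask entry rather than group::.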

