[Samba] Full control access rights mapped as execute

Wed Apr 23 19:39:23 GMT 2008

On Wed, Apr 23, 2008 at 09:15:13PM +0200, Petr Kopecky wrote:
> Hi there,
> 
> I have some problem with Windows access rights mapping on Samba 3.0.28. I am
> using XFS filesystem and ACL is working.
> 
> This is a part of my smb.conf:
> 
>   domain logons = Yes
>   preferred master = Yes
>   map acl inherit = Yes
>   map archive = Yes
>   map hidden = Yes
>   map system = Yes
>   veto files = /*.eml/*.nws/*.{*}/
>   veto oplock files = /*.doc/*.xls/*.mdb/
>   create mask = 0755
>   directory mask = 0755
> 
>   [profiles]
>   comment = Profile Share
>   path = /data/samba/profiles
>   read only = No
>   profile acls = Yes
>   browseable = No  
> 
>   [share]
>   comment = Shared Data
>   path = /data/samba/share
>   public = No
>   writable = No
>   write list = @smbusers
>   browseable = Yes
> 
> 
> This configuration works fine for profiles where I need to map hidden and
> system flags as windows uses them. But those flags are mapped in execute
> flags not acl rights, but it works.
> 
> getfacl /data/samba/profiles/some.user
> # file: data/samba/profiles/some.user
> # owner: someuser
> # group: smbusers
> user::rwx
> group::---
> other::---
> 
> The problem is on other share. If anyone changes the premissions on the file
> then access rights are mapped to execute flag not ACL and it is very
> confusing.
> If domain user rights are set to write and modify, it is stored as group 
> execute, if others are granted for write and modify, then execute flag for
> others is set. But these flags are interpreted as system and hidden.
> Additionally all created files have owner's executable bit set which means
> archive.
> 
> Could you please help me what should I set to have DOS access rights working
> together with windows ACL? I cannot find this simple information on net :-(

As you're using xfs you should have the ability to store extended
attributes (EA's). So you can map DOS flags into EA's using the
following smb.conf setting (store in the [global] section).

        ea support = yes
        store dos attributes = yes
        map readonly = no
        map archive = no
        map system = no

Jeremy.