[Samba] Samba 3 handles Linux permissions differently then Samba 2 ?

Danilo Godec danilo.godec at agenda.si
Thu Jun 12 07:44:32 GMT 2008 

Hi,

we have a problem with permissions migrating from a custom 2.4 kernel Linux 
distro with Samba 2.2.5 to OpenSuSE 10.3 (with samba 3.0.26).

We used to have directories like this (relative to the Samba share):

/root/dir0/dir1/dir2/dir3/userdir1-1/userdir1-2

'root' and all it's parent directories have '0755' Linux permission.

dir0-dir3 all have '0711' permissions and belong to USER0 / GROUP0. USER0 
doesn't exist in 'smbpasswd' - everybody should be able to 'CD' into this 
directories, but shouldn't be able to list it's contents. These are several 
combinations of such directories on each samba server and we'd like to 'hide' 
them from users.

'userdir1-1' has '3750' permission, but it belongs to a group 'USERGROUP1'. 
USER1 belongs to this group and should be able to see what's in this directory, 
but nothing more.

'userdir1-2' has '3770' permissions and it also belongs to 'USERGROUP1'. USER1 
should be able to create, change and delete files.

On Windows, we use 'NET USE Q: \\samba\share /USER:USER1 PASS' to map the share.

Then we use a special program that runs in a 'CMD' prompt (it's a DOS program) 
and will access 'Q:\dir0\dir1\dir2\dir3\userdir1-1\userdir1-2' - it will try to 
create a file, then wait for server side program to process this file and create 
a new response file. It will scan the directory periodically to detect the new 
file - then it will make a clean-up (remove all files that are related to this 
process).

This works perfectly on Samba 2.2.5 and has been in use for several years.

On Samba 3.0.26 it fails, the log reports "scan dir didn't open dir 'dir0'" - 
the next line is 'ACCESS DENIED'. If we change permissions of 'dir0-dir3' to 
'0755', it works - but it is desired to keep the structure from users.

Another weird thing is that when we use 'CMD' and 'CD' into each of these 
directories, it behaves as expected - for example:

If we do this:

 > Q:
 > CD \DIR0
 > CD DIR1
 > CD DIR2
 > DIR

we get a 'Path not found' message - that's correct - users shouldn see what's in 
there. They should know what belongs to them and go there directly.

We can do this:

> Q:
> CD \DIR0
> CD DIR1
> CD DIR2
> CD DIR3
> CD USERDIR1-1
> CD USERDIR1-2
> MKDIR TEST
> RMDIR TEST

This is basically what the DOS program does...


I don't understand why it would work for regular DOS commands, but not for our 
little DOS program (which, btw. is using DOS calls for file operations - the 
programmer told me he used '5B - create-new-file', but has also changed this to 
'3C - create-file' for testing - with the same result).

Any ideas?


  Thanks for listening, Danilo

More information about the samba mailing list