[Samba] ACLs under Samba 3.3.0

Ryan B. Lynch ryan.lynch at id-edd.com
Fri Jan 30 20:35:24 GMT 2009

Miguel Medalha wrote:
>> Much of the ACL code has been rewritten to allow underlying
>> filesystems to implement "native" NT ACLs directly (...)
> Good!
>> but the functionality should be the same as 3.2.x when not
>> using the "experimental" ACL modules.
> I am not using the ACL modules and the functionality is definitely NOT 
> the same. My users complained immediately.

We've been working to implement Samba 3.3 at our site since December. 
We saw the same behaviour that Miguel describes since RC2, and we see it 
today in a test with the final 3.3.0 release.

We opened a bug report, #6005, but we didn't have a chance to post the 
debug logs that Volker requested, and it's closed now.  We will 
probably do that next week and reopen it.  Here's the link: 

I would describe the problem *slightly* differently from Miguel.  I do 
not think that ACLs are the real problem, because the bug behaviour 
exists regardless of whether you're using filesystem ACLs or not.

The problem seems to be that the configuration option 'acl map full 
control' isn't working anymore under 3.3.  This option took me a long 
time to understand, because it refers to Windows ACLs, not filesystem 
ACLs.  If the option is set (which is the default under both 3.2.7 and 
3.3.0), a user with 'rwx' UNIX permissions should get 'Full Control' 
rights under Windows.  This is regardless of whether the 'rwx' 
permissions come from the base UNIX permissions or POSIX ACLs.

3.2.7 works as the man page describes, but 3.3.0 does not.  Under 3.3.0, 
a user with 'rwx' will have every Windows right except for 'Delete' and 
'Full Control'.  Even the file's owner will lack those two rights. 
Nonetheless, the owner will be able to delete or rename the file, but 
not any other users, even if they apparently have identical rights.

Also, this behaviour seems to persist whether you explicitly turn 'acl 
map full control' on or off.  We also tried a few dozen combinations of 
other permission, ownership, and ACL-related options in 'smb.conf', and 
none of them worked.



Ryan B. Lynch
Innovative Discovery, LLC
ryan.lynch at id-edd.com
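
A small model of the mapping discussed in this message, added as an illustration and not part of the original post or of Samba's code: it compares an observed Windows access mask with what 'acl map full control' should yield for a UNIX permission triplet. The function names, the per-bit mapping used when the option is off, and the sample mask (constructed from the description above) are assumptions.

```python
# Added illustration: models the documented behaviour, not Samba's source.
# The bit values are the standard Windows file access rights.
RIGHTS = {
    "Traverse Folder / Execute File": 0x000020,
    "List Folder / Read Data": 0x000001,
    "Read Attributes": 0x000080,
    "Read Extended Attributes": 0x000008,
    "Create Files / Write Data": 0x000002,
    "Create Folders / Append Data": 0x000004,
    "Write Attributes": 0x000100,
    "Write Extended Attributes": 0x000010,
    "Delete Subfolders and Files": 0x000040,
    "Delete": 0x010000,
    "Read Permissions": 0x020000,
    "Change Permissions": 0x040000,
    "Take Ownership": 0x080000,
}
FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS
GENERIC_R = 0x120089     # FILE_GENERIC_READ
GENERIC_W = 0x120116     # FILE_GENERIC_WRITE
GENERIC_X = 0x1200A0     # FILE_GENERIC_EXECUTE


def expected_mask(perms, map_full_control=True):
    """Mask expected for a UNIX triplet such as 'rwx' or 'r-x'."""
    r, w, x = (c != "-" for c in perms)
    if map_full_control and r and w and x:
        return FULL_CONTROL
    # Assumed per-bit mapping when the triplet is partial or the option is off.
    return (GENERIC_R if r else 0) | (GENERIC_W if w else 0) | (GENERIC_X if x else 0)


def missing_rights(observed, perms, map_full_control=True):
    """Names of rights the triplet should grant but the observed mask lacks."""
    lost = expected_mask(perms, map_full_control) & ~observed
    return [name for name, bit in RIGHTS.items() if lost & bit]


def shows_full_control(mask):
    """True only when every bit of Full Control is present in the mask."""
    return mask & FULL_CONTROL == FULL_CONTROL


if __name__ == "__main__":
    # Constructed sample: every right except 'Delete', as reported for 3.3.0.
    observed = FULL_CONTROL & ~RIGHTS["Delete"]
    print(hex(observed), missing_rights(observed, "rwx"), shows_full_control(observed))
```
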
