[Samba] ACL problem after upgrade from 3.0.24 to 3.4.5

Marc Dequènes mdequenes at proformatique.com
Wed Feb 10 08:30:48 MST 2010


Hello,

After upgrading from Debian Etch with samba 3.0.24-6etch10 to Lenny  
with a backport of 2:3.4.5~dfsg-1 (with libtalloc2 2.0.1-1), I get a  
fully working service but with a strange ACL bug: people can  
create/delete/rename files, but not modify them (error "espace  
insuffisant pour traiter cette commande" in French, which should  
translate to "Not enough storage is available to process this  
command"). In the Windows XP rights manager interface, the modify  
right is missing, and adding it using the samba admin account results  
in a silent failure (the interface refreshes its view and the added  
right has disappeared again). No other problem has been found, and I  
cannot reproduce this problem using a smbfs mount on a GNU/Linux box.  
The only strange thing I found was the result of smbcacls for a test  
file and user being:
   ACL:KEAspuig:ALLOWED/0x0/0x001e01ff
I don't know what 0x001e01ff is when I expected FULL (due to 'acl map  
full control = true').

My smb.conf file is attached. The detailed log when trying to add the  
missing right is also attached. Any help would be much appreciated.

Regards.

-- 
Marc Dequènes
Homepage: http://www.proformatique.com/
Proformatique - 10 bis, rue Lucien VOILIN - 92800 Puteaux
Tel. : 01 41 38 99 68 - Fax. : 01 41 38 99 70
-------------- next part --------------
#======================= Global Settings =======================

[global]

## Network ##

# Listen only on the loopback and eth0 interfaces; with "bind interfaces only"
# the daemons do not accept connections arriving on any other interface.
interfaces = lo eth0
bind interfaces only = yes


## Browsing/Identification ###

netbios name = KEAFILER1
server string = %h PDC (Samba %v)

workgroup = KEA
realm = in.kea-partners.com

# This server acts as the WINS server for the domain.
wins support = yes
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
name resolve order = lmhosts host wins bcast


#### Debugging/Accounting ####

# Per-subsystem debug levels kept for troubleshooting; "acls:10" is the one
# relevant to permission problems. Keep the production level at 0 (below):
# high levels write large volumes of detail, including user names, to the log.
#log level = 3 auth:5 smb:10 acls:10 vfs:10
log level = 0
# One log file per client machine (%m).
log file = /var/log/samba/log.%m
# In kilobytes; the log is rotated once it exceeds this size.
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d


####### Authentication #######

security = user
# Empty passwords are rejected.
null passwords = false
# Unix account used for connections to shares with "guest ok = yes"
# (see [netlogon] below).
guest account = samba-nobody
# Disabled: root is therefore not refused at the Samba level.
;invalid users = root
# PAM account/session checks are not applied to Samba logins.
obey pam restrictions = no
unix password sync = no

# File operations by these users are performed as root, regardless of the
# share or file permissions; keep this list as short as possible.
admin users = samba-admin @samba-domain-admins

passdb backend = ldapsam:ldap://ldap-master.in.kea-partners.com
# Duck: does not work (in Samba 3.0.x in Etch at least)
#ldapsam:trusted = yes
# NOTE(review): no TLS on the LDAP connection, so the admin bind and the
# password hashes read from LDAP travel in clear unless the link is otherwise
# protected ("ldap ssl = start tls" or an ldaps:// URL would change that).
ldap ssl = no
ldap suffix = dc=kea-partners,dc=com
# The bind password for this DN is not in this file; it lives in secrets.tdb
# (set with "smbpasswd -w").
ldap admin dn = "cn=root,dc=kea-partners,dc=com"
# Deleting a user removes its whole LDAP entry, not just the Samba attributes.
ldap delete dn = yes
ldap user suffix = ou=Users,ou=OxObjects
ldap group suffix = ou=Groups,ou=OxObjects
ldap machine suffix = ou=winstations,ou=systems
ldap idmap suffix = ou=Idmap


########## Domains ###########

# Always win browser elections: this host is the domain master browser.
os level = 255
domain master = yes
local master = yes
prefered master = yes

domain logons = yes
# defined in LDAP
#logon path = \\%N\profiles\%U
#logon drive = H:
#logon home = \\%N\%U
# Relative to the [netlogon] share; clients execute it at logon, so that
# share should only be writable by administrators.
logon script = logon.vbs


########## Printing ##########

# deactivated
load printers = no
#printing = cups
#printcap name = cups
#printer admin = @samba-domain_admins
#show add printer wizard = no


############ Misc ############

# Only the user-delete and machine-add hooks are active; the other smbldap
# hooks are commented out, so user/group creation is handled elsewhere.
#add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
#add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
#add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
#delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
#set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

# Explicit 8 KB socket buffers; TCP_NODELAY disables Nagle.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#strict allocate = yes


############ ACLs ############

# Permissions for new files/directories: the "mask" bits are ANDed with what
# the client asks for, the "force ... mode" bits are always ORed in.
create mask = 0750
directory mask = 0755
force create mode = 0750
# Applied when permissions are changed from a Windows client's security
# dialog. NOTE(review): together with the default "security mask", this is
# the first place to look for the "modify right cannot be added" symptom
# described in the mail -- unverified.
force security mode = 0700
force directory mode = 0755

# windows silliness
#veto files = /*.eml/*.nws/*.{*}/
# Appears to hide the Zone.Identifier stream markers Windows attaches to
# downloaded files.
veto files = /*.Zone.Identifier:*/
# Oplocks are never granted on these types (shared Office/database files).
veto oplock files = /*.doc/*.xls/*.mdb/*.cdx/*.dbf/*.ppt/
# NOTE: boolean values in this file mix yes/no, true/false, No/Yes; Samba
# accepts all of them case-insensitively, but one spelling would be clearer.
strict locking = No

# needed for correct POSIX ACLs mapping
inherit acls = yes
inherit permissions = no
store dos attributes = yes
dos filetime resolution = yes
# Extended attributes are required for "store dos attributes".
ea support = yes
map read only = Permissions
map acl inherit = yes
# Maps a POSIX rwx entry to the Windows "Full Control" right; the mail reports
# smbcacls showing 0x001e01ff instead of FULL on a test file.
acl map full control = true

# Unix special files are not shown and files the user cannot read are hidden;
# hiding is not access control.
hide special files = yes
hide unreadable = Yes


#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no
   guest ok = no
   writable = yes
# New files and directories are private to the owner.
   create mask = 0700
   directory mask = 0700
# Runs as root on every connection; %u/%g are the connecting user and their
# primary group. Presumably creates the home directory if missing -- verify.
   root preexec = /usr/local/sbin/mksambadir home "/home/%u" "%u" "%g"
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /data/samba/netlogon
# NOTE(review): this share holds logon.vbs (see "logon script" in [global]),
# yet it is both guest-accessible and writable, so anyone who can connect can
# change the script every workstation runs at logon. The usual shape is
# "writable = no" plus "write list = @samba-domain-admins", as the other
# administrative shares in this file already do.
   guest ok = yes
   writable = yes
   share modes = no

[profiles]
   comment = Users profiles
   path = /data/win-profiles
   browseable = no
   guest ok = no
   writable = yes
# Profile contents are private to the owner.
   create mask = 0600
   directory mask = 0700
# Runs as root on every connection; %u/%g are the connecting user and their
# primary group. Presumably creates the profile directory if missing -- verify.
   root preexec = /usr/local/sbin/mksambadir profile "/data/win-profiles/%u" "%u" "%g"

#[printers]
#   comment = All Printers
#   path = /var/spool/samba
#   browseable = no
#   printable = yes
#   guest ok = yes
#   writable = no
#   create mask = 0600

#[print$]
#   comment = Printer Drivers
#   path = /var/lib/samba/printers
#   browseable = yes
#   guest ok = yes
#   writable = no
#   write list = @samba-domain-admins

[homeskel]
   comment = User home directory template
   path = /data/samba/home-skel/
   browseable = no
   guest ok = no
# NOTE(review): "writable = yes" already gives every connecting user write
# access; "write list" only widens access on a read-only share, so it has no
# restricting effect here. If only domain admins should edit the template,
# this needs "writable = no" (the write list then applies).
   writable = yes
   write list = @samba-domain-admins
   create mask = 0755
   directory mask = 0755

[profileskel]
# The "comment" value below still says "home directory template" although the
# path is the profile skeleton; it is what clients see in browse lists.
   comment = User home directory template
   path = /data/samba/profile-skel/
   browseable = no
   guest ok = no
# NOTE(review): "writable = yes" already gives every connecting user write
# access; "write list" only widens access on a read-only share, so it has no
# restricting effect here. If only domain admins should edit the template,
# this needs "writable = no" (the write list then applies).
   writable = yes
   write list = @samba-domain-admins
   create mask = 0755
   directory mask = 0755

[data]
   comment = Kea Data
   browseable = yes
   path = /data/kea-data
   guest ok = no
   writable = yes
# Audit trail via syslog (facility LOCAL7, priority ALERT): successful
# rename/rmdir/unlink only. Writes, opens and reads are not recorded, and
# failed attempts are dropped ("failure = none"), so denied accesses leave
# no trace here.
   vfs objects = full_audit
   full_audit:success = rename rmdir unlink
   full_audit:failure = none
   full_audit:facility = LOCAL7
   full_audit:priority = ALERT
# Each record is prefixed with the session user, the unix user and the
# client IP address.
   full_audit:prefix = %U|%u|%I

[secdata]
   comment = Kea Secure Data
# Not listed in browse lists, but hiding is not access control: any
# authenticated user can still connect to the share by name.
   browseable = no
   path = /data/kea-secdata
   guest ok = no
   writable = yes
# NOTE(review): a single denied subnet with no "hosts allow" means every
# other address is accepted, and there is no "valid users" list either. For a
# share described as secure, an allow-list ("hosts allow" and/or
# "valid users") is the more usual shape -- confirm what is intended.
   deny hosts = 172.16.18.0/24

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: PGP Digital Signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20100210/1ab4e859/attachment.pgp>

