[Samba] ACL problem after upgrade from 3.0.24 to 3.4.5
Marc Dequènes
mdequenes at proformatique.com
Wed Feb 10 08:30:48 MST 2010
Hello,
After upgrading from Debian Etch with samba 3.0.24-6etch10 to Lenny
with a backport of 2:3.4.5~dfsg-1 (with libtalloc2 2.0.1-1), I get a
fully working service but with a strange ACL bug: people can
create/delete/rename files, but not modify them (error "espace
insuffisant pour traiter cette commande" in French, which should
translate to "Not enough storage is available to process this
command"). In the Windows XP rights manager interface, the modify
right is missing, and adding it using the samba admin account results
in a silent failure (the interface refreshes its view and the added
right has disappeared again). No other problem has been found, and I
cannot reproduce this problem using a smbfs mount on a GNU/Linux box.
The only strange thing I found was the smbcacls output for a test
file and user:
ACL:KEAspuig:ALLOWED/0x0/0x001e01ff
I don't know what 0x001e01ff is; I expected FULL (because of 'acl map
full control = true').
My smb.conf file is attached. The detailed log when trying to add the
missing right is also attached. Any help would be much appreciated.
Regards.
--
Marc Dequènes
Homepage: http://www.proformatique.com/
Proformatique - 10 bis, rue Lucien VOILIN - 92800 Puteaux
Tel. : 01 41 38 99 68 - Fax. : 01 41 38 99 70
-------------- next part --------------
#======================= Global Settings =======================
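[global]
## Network ##
# Listen only on loopback and the LAN interface.
interfaces = lo eth0
bind interfaces only = yes

## Browsing/Identification ##
netbios name = KEAFILER1
server string = %h PDC (Samba %v)
workgroup = KEA
realm = in.kea-partners.com
wins support = yes
# Prevents nmbd from falling back to DNS when resolving NetBIOS names.
dns proxy = no
name resolve order = lmhosts host wins bcast

#### Debugging/Accounting ####
# Verbose line kept for the ACL investigation; re-enable as needed.
#log level = 3 auth:5 smb:10 acls:10 vfs:10
# NOTE(review): level 0 keeps only critical messages, so failed logons
# leave no trace on a domain controller; confirm this is acceptable.
log level = 0
log file = /var/log/samba/log.%m
# kilobytes
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
security = user
# Booleans are written yes/no throughout this file (Samba also accepts
# true/false and 1/0; the spelling carries no meaning).
null passwords = no
# Unix account that guest connections (guest ok = yes shares) run as.
guest account = samba-nobody
#invalid users = root
obey pam restrictions = no
unix password sync = no
# NOTE(review): file operations by these principals run with root
# privilege on every share; keep the list minimal and audit the group.
admin users = samba-admin @samba-domain-admins
passdb backend = ldapsam:ldap://ldap-master.in.kea-partners.com
# Duck: does not work (in Samba 3.0.x in Etch at least)
#ldapsam:trusted = yes
# NOTE(review): with a plain ldap:// URL and no TLS, the admin dn bind and
# the password hashes ldapsam reads cross the network unencrypted. Consider
# "ldap ssl = start tls" (or an ldaps:// URL) once the directory supports it.
ldap ssl = no
ldap suffix = dc=kea-partners,dc=com
# The bind password is not stored here; it is set with smbpasswd -w.
ldap admin dn = "cn=root,dc=kea-partners,dc=com"
ldap delete dn = yes
ldap user suffix = ou=Users,ou=OxObjects
ldap group suffix = ou=Groups,ou=OxObjects
ldap machine suffix = ou=winstations,ou=systems
ldap idmap suffix = ou=Idmap

########## Domains ###########
os level = 255
domain master = yes
local master = yes
# canonical spelling; "prefered master" is an accepted synonym
preferred master = yes
domain logons = yes
# defined in LDAP
#logon path = \\%N\profiles\%U
#logon drive = H:
#logon home = \\%N\%U
# Served from the [netlogon] share and run by every client at logon.
logon script = logon.vbs

########## Printing ##########
# deactivated
load printers = no
#printing = cups
#printcap name = cups
#printer admin = @samba-domain_admins
#show add printer wizard = no

############ Misc ############
# Account maintenance is delegated to smbldap-tools; these scripts run
# as root, so they must only be writable by root.
#add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
#add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
#add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
#delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
#set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#strict allocate = yes

############ ACLs ############
# Default Unix modes for new objects; share sections may override.
create mask = 0750
directory mask = 0755
# Bits always set on new objects, regardless of what the client asked for.
force create mode = 0750
# Bits always set whenever a client changes a file's permissions.
force security mode = 0700
force directory mode = 0755
# windows silliness
#veto files = /*.eml/*.nws/*.{*}/
veto files = /*.Zone.Identifier:*/
veto oplock files = /*.doc/*.xls/*.mdb/*.cdx/*.dbf/*.ppt/
strict locking = no
# needed for correct POSIX ACLs mapping
inherit acls = yes
inherit permissions = no
store dos attributes = yes
dos filetime resolution = yes
ea support = yes
map read only = Permissions
map acl inherit = yes
# Present the POSIX rwx ACE as Windows "Full Control".
acl map full control = yes
hide special files = yes
hide unreadable = yes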
#======================= Share Definitions =======================
[homes]
# Per-user home share: the share name is the login name, and valid users
# restricts \\server\username to that user instead of to anyone with an
# account. Revisit if an external authentication scheme maps names differently.
comment = Home Directories
valid users = %S
browseable = no
guest ok = no
writable = yes
# Private files: no group or world bits.
create mask = 0700
directory mask = 0700
# Runs as root before the connection is made; presumably creates the home
# directory for new users (script is local to this host).
root preexec = /usr/local/sbin/mksambadir home "/home/%u" "%u" "%g"
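[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
# Clients fetch logon.vbs (logon script in [global]) from here at every
# domain logon, so only administrators may change what is published.
guest ok = yes
# Read-only for everyone, including guests; the write list alone may
# update scripts. The previous writable = yes together with guest ok = yes
# left the logon script modifiable by unauthenticated clients.
writable = no
write list = @samba-domain-admins
share modes = no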
[profiles]
# Roaming profile store; hidden from browse lists, authenticated users only.
comment = Users profiles
path = /data/win-profiles
browseable = no
guest ok = no
writable = yes
# Profile contents are private to their owner.
create mask = 0600
directory mask = 0700
# Runs as root before the connection; presumably prepares the per-user
# profile directory (script is local to this host).
root preexec = /usr/local/sbin/mksambadir profile "/data/win-profiles/%u" "%u" "%g"
#[printers]
# comment = All Printers
# path = /var/spool/samba
# browseable = no
# printable = yes
# guest ok = yes
# writable = no
# create mask = 0600
#[print$]
# comment = Printer Drivers
# path = /var/lib/samba/printers
# browseable = yes
# guest ok = yes
# writable = no
# write list = @samba-domain-admins
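[homeskel]
comment = User home directory template
path = /data/samba/home-skel/
browseable = no
guest ok = no
# write list only takes effect on a read-only share; with the previous
# writable = yes it was inert and every authenticated user could edit the
# template. Read-only for all except the domain admins.
writable = no
write list = @samba-domain-admins
# Template contents are meant to be readable by all, writable by owner.
create mask = 0755
directory mask = 0755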
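[profileskel]
# Share comment corrected: this is the profile template, not the home one.
comment = User profile directory template
path = /data/samba/profile-skel/
browseable = no
guest ok = no
# write list only takes effect on a read-only share; with the previous
# writable = yes it was inert and every authenticated user could edit the
# template. Read-only for all except the domain admins.
writable = no
write list = @samba-domain-admins
# Template contents are meant to be readable by all, writable by owner.
create mask = 0755
directory mask = 0755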
[data]
# Main shared tree; visible in browse lists, authenticated users only.
comment = Kea Data
path = /data/kea-data
browseable = yes
guest ok = no
writable = yes
# Audit trail via the full_audit VFS module: only successful deletions
# and renames are recorded, failures are not.
vfs objects = full_audit
full_audit:success = rename rmdir unlink
full_audit:failure = none
# Each record carries the Windows user, Unix user and client address.
full_audit:prefix = %U|%u|%I
full_audit:facility = LOCAL7
full_audit:priority = ALERT
[secdata]
# Restricted tree. browseable = no only hides it from share listings; it is
# not an access control.
comment = Kea Secure Data
path = /data/kea-secdata
browseable = no
guest ok = no
writable = yes
# "hosts deny" is the canonical name of "deny hosts". Clients from this
# subnet are refused; all other networks are allowed.
# NOTE(review): no valid users list, so any authenticated domain user on an
# allowed network can read and write here — confirm that is intended.
hosts deny = 172.16.18.0/24