[Samba] Samba 3.0.33 ACL rename/delete issue

Krigler Pavol krigler at energotel.sk
Wed May 19 08:41:01 MDT 2010 

Hello,

I have noticed some ALC issues with files and directories. I use samba
server 3.0.33 on CentOS 4.8 joined to Windows 2003 domain. Everything
works fine, all users are authenticated to domain controller. My aim is
to give FULL ACCESS (open/read/write/rename/delete..) to directory
"testdir" to two users, john and mark without using groups because I
have no permissions on domain controller (only add server to domain).
Permissions of "testdir":

getfacl testdir
# file: testdir
# owner: techadmin
# group: root
user::rwx
user:john:rwx
user:mark:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:mark:rwx
default:mask::rwx
default:other::---

The problem is that users john and mark have rwx permissions, they are
able to create file, modify but _not_ delete neither rename the file
under "testdir". Only owner of the directory "testdir" - user techadmin
is able to delete/rename files under directory. As far as I know, only
owner of the up level directory can delete or rename file(s). The
question is: how is possible to allow both users to delete/modify files
under "testdir" directory without using (domain) groups ? 
Filesystem ext3 is mounted with ACL options, SELinux enabled, audit.log
has not deny entries, and the configuration of samba is following:

[global]
   workgroup = ad
   server string = Intranet
   netbios name = IS
   follow symlinks=yes
inherit permissions = no
   realm = AD.DOMAIN.ORG
   server signing = auto
   security = ads
   password server = 10.20.30.40
  encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
domain master = no
preferred master = no
   dns proxy = no
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no

[tech]
   comment = Technical department
   path = /var/opt/intranet/tech
   public = yes
   writable = yes
   create mask = 0664
   directory mask = 0775
   browseable = yes



Thanks,

Krigler Pavol

More information about the samba mailing list