[Samba] File permissions getting destroyed with M$ software on ZFS
RegioGis
regio-gis at ec.europa.eu
Tue Oct 5 06:07:08 MDT 2010
Hi,
Thanks for your input.
BTW, I use security = ADS
I tried hundreds of combinations of configurations and options, but it just
won't work.
It works rather OK if you limit it to the Unix permissions (plain user and
group permissions), but as soon as you try to put an ACE referring to an
AD group, it totally loses track.
Example 1:
root# ls -l /pool2/gisdata
drwxrwx---+ 4 ackerra gis 4 Oct 5 10:58 d1
drwxrwx--- 3 ackerra gis 3 Oct 5 12:01 d2
drwxrwxr-x 2 regio-gis10 gis 2 Oct 5 11:55 d3
root # ls -lvd /pool2/gisdata/d1
drwxrwx---+ 4 ackerra gis 4 Oct 5 10:58 d1
0:group:regio-users:list_directory/read_data/read_xattr/execute
/read_attributes/read_acl:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner/synchronize:file_inherit/dir_inherit:allow
2:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute/synchronize:file_inherit/dir_inherit:allow
3:group:regio-users:list_directory/read_data/read_xattr/execute
/read_attributes/read_acl/synchronize:file_inherit/dir_inherit
:allow
I mount the share (/pool2/gisdata) on an XP workstation as AD user
'regio-gis10', member of AD group 'regio-users', having no Unix account.
In Windows Explorer, I can see d2 and d3, but not d1.
Example 2:
root # ls -lvd /pool2/gisdata/d2
drwxrwx--- 3 ackerra gis 3 Oct 5 12:01 d2
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
4:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
One would think that an arbitrary AD user (regio-gis10 in this case) does
not have access to the directory d2, no?
Well, it is not the case... via Samba I could create a directory dx in d2
as the AD user 'regio-gis10'.
root # ls -l /pool2/gisdata/d2
total 3
drwxrwx--- 2 regio-gis10 gis 2 Oct 5 12:01 dx
So sometimes I get extra permissions, sometimes I get too few permissions,
but it is never right ...
wbinfo, net ads and getent commands all work perfectly and give
accurate info, though.
smb.conf:
[gisdata]
path = /pool2/gisdata
#admin users = ackerra
force group = gis
read only = no
create mask = 0660
directory mask = 0770
force unknown acl user = yes
acl check permissions = no
inherit permissions = yes
inherit acls = yes
#map acl inherit = yes
store dos attributes = yes
easupport = yes
map read only = no
map archive = no
map hidden = no
map system = no
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special
zfsacl: aceorder = dontcare
Samba version is the Solaris-bundled 3.0.35.
Regards,
--
View this message in context: http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2955872.html
Sent from the Samba - General mailing list archive at Nabble.com.
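An added example, not from the post or from Samba/ZFS code: a small Python evaluator that applies the NFSv4 first-match rule used by ZFS to the two ACLs listed in the post (transcribed with the wrapped continuation lines joined), to show what the ACLs grant on paper versus what the poster observed. It assumes the calling user is regio-gis10 in AD group regio-users, with owner ackerra and group gis as the ls output shows; the third check treats the user as a member of gis, which is what `force group = gis` does to the connection and matches dx being created with group gis.

```python
# Constructed transcription of the two `ls -v` listings from the post (continuation lines joined).
D1_ACL = [
    "group:regio-users:list_directory/read_data/read_xattr/execute/read_attributes/read_acl:allow",
    "owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow",
    "group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute/synchronize:file_inherit/dir_inherit:allow",
    "group:regio-users:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow",
]
D2_ACL = [
    "owner@::deny",
    "owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow",
    "group@::deny",
    "group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute:allow",
    "everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny",
    "everyone@:read_xattr/read_attributes/read_acl/synchronize:allow",
]

def parse_ace(text):
    """Split 'who:perms[:flags]:allow|deny' as printed by Solaris ls -v."""
    fields = text.split(":")
    kind = fields.pop()                              # allow / deny
    named = fields[0] in ("user", "group")           # 'group:regio-users' vs owner@/group@/everyone@
    who = ":".join(fields[:2]) if named else fields[0]
    rest = fields[2:] if named else fields[1:]
    perms = {p for p in rest[0].split("/") if p}     # empty perms (owner@::deny) denies nothing
    flags = set(rest[1].split("/")) if len(rest) > 1 else set()
    return who, perms, flags, kind

def matches(who, user, groups, owner, owner_group):
    """Does this ACE's principal cover the calling user (with the given group set)?"""
    if who in ("owner@", "group@", "everyone@"):
        return {"owner@": user == owner, "group@": owner_group in groups, "everyone@": True}[who]
    kind, name = who.split(":", 1)                   # 'user:NAME' or 'group:NAME'
    return name == user if kind == "user" else name in groups

def check(acl, user, groups, owner, owner_group, wanted):
    """NFSv4/ZFS first-match evaluation: walk ACEs in order; a matching deny covering any
    still-unsatisfied permission denies; allows satisfy permissions until none remain."""
    remaining = set(wanted)
    for ace in acl:
        who, perms, flags, kind = parse_ace(ace)
        if "inherit_only" in flags or not matches(who, user, groups, owner, owner_group):
            continue                                 # applies only to children, or not to this user
        if kind == "deny" and remaining & perms:
            return False
        if kind == "allow":
            remaining -= perms
            if not remaining:
                return True
    return False                                     # ran out of ACEs: default deny
```

On paper d1 grants list_directory to a regio-users member (the poster could not see it), and d2's everyone@ deny blocks add_subdirectory for that user until the connection's group becomes gis, at which point the group@ allow fires (dx was created).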