[Samba] ACLs under windows 7 - you do not have permissions to access

sisu . npillao at hotmail.com
Thu Jan 27 08:22:56 MST 2011





Hi Everyone,

I am having really big trouble with ACLs under Windows 7. I use filesystem ACLs under Samba, and it works correctly under Windows XP, but not under W7.
I am not sure if it is some kind of bug. The thing is, last week I upgraded my Samba 3.0 to 3.5 and my ACLs under W7 worked fine. Now the problem I have is that if a directory is set, for example, with the group 'company' and a user has this group as their primary group, Windows 7 shows a notification saying: "Windows cannot access ... you do not have permissions to access". However, the weird thing is that if this user has the group 'company' as a secondary group, he/she is able to get in.

I would greatly appreciate any help or advice.

Some details:


smb.conf
=======

[shared]
    path = /samba/shared
    read only = no
    force create mode = 0770
    force directory mode = 0770
    force group = root
    locking = no
    oplocks = no
    veto oplock files = /*.txt/
    net acl support = yes


ACLS
====

 getfacl Google-analytics/
# file: Google-analytics
# owner: root
# group: root
user::rwx
group::---
group:company:r-x
group:sem:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:sem:rwx
default:mask::rwx
default:other::---

 pdbedit -u mu_jangelltroa
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=COMPANY))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: jangelltroa
init_group_from_ldap: Entry found for group: 1004
init_group_from_ldap: Entry found for group: 1004
init_group_from_ldap: Entry found for group: 513
jangelltroa:1030: john angelltroa


LDAP INFO:  -GROUP -

cn: company
gid: 1004
sambaGroupMapping
sambaGroupType : 2
sambaSID: S-1-2-0      ******* I'm not sure what SID I have to put here. I also tried a Samba SID, S-1-5-21-domain-1004, and got the same problem



One more question: Is there any problem if that group has the same name as my workgroup?
I repeat, I only have this problem with Windows 7; with Windows XP it works great.


acls log:
=====

[2011/01/27 16:16:53.079114, 10] smbd/posix_acls.c:2605(canonicalise_acl)
  canonicalise_acl: Default ace entries before arrange :
[2011/01/27 16:16:53.079128, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2011/01/27 16:16:53.079144, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-2-0 gid 1004 (COMPANY) SMB_ACL_GROUP ace_flags = 0x0 perms rwx                            <= HERE APPEARS 
[2011/01/27 16:16:53.079164, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-3-1 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
[2011/01/27 16:16:53.079182, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 3. Type = allow SID = S-1-22-1-603 uid 603 (hudson) SMB_ACL_USER ace_flags = 0x0 perms rwx
[2011/01/27 16:16:53.079201, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 4. Type = allow SID = S-1-3-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2011/01/27 16:16:53.079220, 10] smbd/posix_acls.c:841(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-3-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-3-1 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
  canon_ace index 2. Type = allow SID = S-1-2-0 gid 1004 (COMPANY) SMB_ACL_GROUP ace_flags = 0x0 perms rwx                             <= HERE APPEARS 
  canon_ace index 3. Type = allow SID = S-1-22-1-603 uid 603 (hudson) SMB_ACL_USER ace_flags = 0x0 perms rwx
  canon_ace index 4. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2011/01/27 16:16:53.079279, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2011/01/27 16:16:53.079293, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2011/01/27 16:16:53.079307, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079320, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079333, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079354, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079368, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff


Thank you so much for your patience! :)
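
Added example, not part of the original post and not Samba code: a small parser for the canon_ace entries in the level 10 log above. It lists named-group ACEs (SMB_ACL_GROUP) that smbd presents under a Windows well-known SID rather than a domain (S-1-5-21-...) or Samba unix-group (S-1-22-2-...) SID. The function names and the classification labels are assumptions made for this example.

```python
import re

# Windows well-known SIDs; none of them identifies a specific domain group.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-2-0": "Local",
              "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group"}

# One "canon_ace index N." entry as it appears in the log quoted in the post.
ACE_RE = re.compile(
    r"canon_ace index (?P<index>\d+)\. Type = (?P<type>\w+) "
    r"SID = (?P<sid>S-[\d-]+) "
    r"(?:(?P<kind>uid|gid) (?P<id>\d+) \((?P<name>[^)]*)\)|other) "
    r"(?P<tag>SMB_ACL_\w+) ace_flags = (?P<flags>0x[0-9a-fA-F]+) "
    r"perms (?P<perms>[rwx-]{3})")

# The "after arrange" entries copied from the log in the post.
SAMPLE_LOG = """\
  canon_ace index 0. Type = allow SID = S-1-3-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-3-1 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
  canon_ace index 2. Type = allow SID = S-1-2-0 gid 1004 (COMPANY) SMB_ACL_GROUP ace_flags = 0x0 perms rwx     <= HERE APPEARS
  canon_ace index 3. Type = allow SID = S-1-22-1-603 uid 603 (hudson) SMB_ACL_USER ace_flags = 0x0 perms rwx
  canon_ace index 4. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
"""

def classify_sid(sid):
    """Label a SID by its authority prefix (labels are this example's own)."""
    if sid in WELL_KNOWN:
        return "well-known"
    for prefix, label in (("S-1-22-1-", "unix-user"), ("S-1-22-2-", "unix-group"),
                          ("S-1-5-21-", "domain")):
        if sid.startswith(prefix):
            return label
    return "other"

def parse_aces(log_text):
    """Return one dict per canon_ace line; trailing annotations are ignored."""
    aces = []
    for line in log_text.splitlines():
        m = ACE_RE.search(line)
        if m:
            ace = m.groupdict()
            ace["sid_class"] = classify_sid(ace["sid"])
            aces.append(ace)
    return aces

def suspicious_group_aces(aces):
    """Named POSIX group entries that are mapped to a well-known SID."""
    return [a for a in aces
            if a["tag"] == "SMB_ACL_GROUP" and a["sid_class"] == "well-known"]

if __name__ == "__main__":
    for a in suspicious_group_aces(parse_aces(SAMPLE_LOG)):
        print(f"index {a['index']}: gid {a['id']} ({a['name']}) uses "
              f"well-known SID {a['sid']} ({WELL_KNOWN[a['sid']]})")
```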







 		 	   		  

