[Samba] nt acl inheritance

Felix Joussein felix.joussein at gmx.at
Mon May 23 03:35:22 MDT 2011


Is there any solution / workaround to make this work in current Samba 
releases? Can one expect this to be resolved some time?

Felix


On 2011-05-22 01:24, TAKAHASHI Motonobu wrote:
> From: Felix Joussein<felix.joussein at gmx.at>
> Date: Mon, 16 May 2011 13:42:44 +0200
>
>> I've observed the following misbehaviour while playing around with NT
>> ACLs (see relevant configuration below):
>>
>> Working with Windows XP:
>>
>> Open acl enabled share
>> Set default share permissions by right click on the explorer's top left
>> clip control ->  properties.
>> Under security I remove the CREATOR-OWNER and CREATORUSER Group, as I
>> already know, that these two default groups cause trouble while saving
>> acl's and result in a Windows Error Message "Invalid Parameter". Also I
>> set some default security settings for users and groups according to
>> my needs and I apply it to This Folder, and any sub folder or file.
>>
>> After applying to all new settings, I create a folder.
>> As expected my default share security settings have been inherited to
>> the new folder.
>> I add an additional user to the acl and take care, that the inheritance
>> is also "Folder, sub folder and file".
>>
>> I create a new sub folder to this one and check the acl.
>> Here is the unwanted behavior: The new sub folder got user permissions
>> from its parent folder, but unlike the default share permissions which
>> have been inherited, the additional user's permissions have not been
>> inherited but have been copied. When I set the option "Inherit
>> permissions to sub elements as far as applicable", and apply, then a new
>> acl entry is created with the same user but this time inherited. Now I
>> can delete the copied settings, and apply to everything.
>>
>> I hope these explanations were clear enough.
>>
>> Here now the configuration:
>>
>> Version: 3.5.8~dfsg-1ubuntu2.1
>> smb.conf:
>> [acl]
>>           comment = ACL Labor
>>           path = /home/acllabor
>>           vfs objects = acl_xattr
>>           read only = no
>>           browsable = yes
>>           valid users = me,you
>>           acl map full control = false
>>           inherit acls = yes
>>           map acl inherit = yes
>>           map read only = Permissions
>>           map archive = no
>>           map hidden = no
>>           map system = no
>>           nt acl support = yes
>>           acl group control = true
>>           dos filemode = yes
>>           enable privileges = yes
>>           store dos attributes = yes
>>
>> mount options:
>> /dev/mapper/system-user on /home type ext4
>> (rw,errors=remount-ro,acl,user_xattr,)
> AFAIK, "map acl inherit = yes" does not work well:
>    https://bugzilla.samba.org/show_bug.cgi?id=6841
>
> Also acl_xattr will not work as you expected, because even if you
> enable acl_xattr, POSIX ACL semantics is still used in actual access
> control and inheriting ACLs.
>
> P.S.
>
> "map read only" parameter is always ignored when "store dos attributes
> = yes".
>
> ---
> TAKAHASHI Motonobu<monyo at samba.gr.jp>
>
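
The "copied" versus "inherited" distinction discussed in this thread comes down to one bit in each ACE header. The following is an added example, not part of the original messages and not Samba's code: it computes what a new subfolder should receive under NT inheritance rules and flags ACEs that arrived without the INHERITED bit. Trustee names, masks and the observed child ACL are constructed sample data.

```python
# ACE header flag bits as defined for Windows security descriptors.
OBJECT_INHERIT = 0x01     # OI: propagates to files
CONTAINER_INHERIT = 0x02  # CI: propagates to subfolders
NO_PROPAGATE = 0x04       # NP: propagate one level only
INHERIT_ONLY = 0x08       # IO: not effective on the object carrying it
INHERITED = 0x10          # ID: ACE was inherited, not set explicitly


def inherit_for_subfolder(parent_acl):
    """ACEs a new subfolder receives from its parent under NT inheritance."""
    child = []
    for trustee, mask, flags in parent_acl:
        ci = flags & CONTAINER_INHERIT
        oi = flags & OBJECT_INHERIT
        if not (ci or oi):
            continue                      # not inheritable at all
        if flags & NO_PROPAGATE:
            if not ci:
                continue                  # file-only ACE stops at this level
            new = 0                       # effective here, goes no further
        else:
            new = flags & (OBJECT_INHERIT | CONTAINER_INHERIT)
            if not ci:
                new |= INHERIT_ONLY       # carried along for files below
        child.append((trustee, mask, new | INHERITED))
    return child


def copied_instead_of_inherited(parent_acl, child_acl):
    """Trustees whose ACE reached the child without the INHERITED bit."""
    expected = {(t, m) for t, m, _ in inherit_for_subfolder(parent_acl)}
    return [t for t, m, f in child_acl
            if (t, m) in expected and not f & INHERITED]


# Constructed sample data; trustee names and masks are hypothetical.
PARENT = [
    ("staff", 0x1200A9, OBJECT_INHERIT | CONTAINER_INHERIT | INHERITED),
    ("extra_user", 0x1301BF, OBJECT_INHERIT | CONTAINER_INHERIT),
]
# Constructed to mirror the report: the second ACE lacks the INHERITED bit.
OBSERVED_CHILD = [
    ("staff", 0x1200A9, 0x13),
    ("extra_user", 0x1301BF, 0x03),
]

if __name__ == "__main__":
    print(inherit_for_subfolder(PARENT))
    print(copied_instead_of_inherited(PARENT, OBSERVED_CHILD))
```

An ACE without the INHERITED bit is treated as explicit on the child, so later changing or removing the entry on the parent does not update it; that is why copied entries matter when auditing who still has access below a folder.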

