[Samba] samba 3.2.5 + ACLs - read/write permission become read only
Axel Werner
mail at awerner.homeip.net
Mon May 23 04:49:17 MDT 2011
IN SHORT:
- READ+WRITE becomes READ ONLY
- OWNER ACL Permissions for "another User" affects Group ACL Permissions
Hi Experts,
we recently noticed some strange behaviour on our Debian 5 (Lenny, uname
2.6.26-2-686) + Samba 2:3.2.5-4lenny14 server that I would like to
discuss here. I cannot tell whether it's a bug or just a lack of
understanding. Here is the scenario:
I have a Samba-shared directory like this:
host:/someparentdirs/_AW_TEST# ls -lad .
d---rws---+ 3 root root 4096 2011-05-23 10:33 .
host:/someparentdirs/_AW_TEST#
host:/someparentdirs/_AW_TEST# getfacl .
# file: .
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
group:CCIGUESTS:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:ALL:rwx
default:mask::rwx
default:other::---
As you can see, the group ALL is granted RWX. EVERYTHING ELSE has been set
to owner root.root with 000 permissions.
This directory contains several files: a .txt, a .doc and a .xls, as you can
see here:
host:/someparentdirs/_AW_TEST# ls -la
total 56
d---rws---+ 3 root root 4096 2011-05-23 10:33 .
drwxrws---+ 32 root root 4096 2011-05-20 12:40 ..
----rwx---+ 1 root root 13824 2011-05-20 16:15 excel1.xls
----rwx---+ 1 root root 24 2011-05-20 16:15 file1.txt
----rwx---+ 1 root root 24064 2011-05-20 16:15 word1.doc
host:/someparentdirs/_AW_TEST#
ACLs on those files are set similarly:
host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#
NOW a given regular Windows user "wernera", who is a MEMBER OF "ALL", is
supposed to have READ/WRITE PERMISSIONS on those files, right?? At
least I would expect that.
But the fact is that in this configuration my user "wernera" can only
access these files "READ ONLY", independent of which Windows application
is used. He is able to create new files and all. But those existing
files became READ ONLY for some reason.
IF I now change the ACLs to something like this (only the OWNER's part
changed) ...
host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::rwx
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#
... the whole thing starts to work just as expected. Even though the
"root" user should not matter here.
BTW: The user "wernera" as a regular user CAN write to those files from
the Linux console (via ssh using vim or such, for example). So it "looks
like" Samba is handling this in a strangely different way.
Any ideas wtf is going on here?????
Here are my configs:
Kernel:
uname -r : 2.6.26-2-686
-------------------------
Samba:
dpkg -l |grep -i samba
samba 2:3.2.5-4lenny14
samba-common 2:3.2.5-4lenny14
samba-doc 2:3.2.5-4lenny14
samba-doc-pdf 2:3.2.5-4lenny14
smbldap-tools 0.9.4-1
-------------------------
ACL Tools:
dpkg -l | grep -i acl
ii acl 2.2.47-2
ii libacl1 2.2.47-2
-------------------------
Samba Config:
grep -v -e '^[[:space:]]*#' -e '^$' /etc/samba/smb.conf
[global]
domain logons = Yes
domain master = auto
workgroup = xxx
server string =
os level = 66
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d
guest account = nobody
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = ldapsam:"ldap://localhost.domain.de"
encrypt passwords = true
obey pam restrictions = yes
unix password sync = no
check password script = /sbin/crackcheck -c -d /var/cache/cracklib/cracklib_dict
ldap suffix = dc=someou,dc=someou,dc=de
ldap admin dn = cn=admin,dc=someou,dc=someou,dc=de
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=people
ldap idmap suffix = ou=idmap
ldap passwd sync = no
ldap ssl = start tls
ldap delete dn = no
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
debug pid = yes
log level = 0 auth:3
log file = /var/log/samba/samba.log
max log size = 10000
syslog only = yes
syslog = 1000
logon drive = h:
logon home=\\host\%U
logon script = scripts\logon.cmd
logon path =
show add printer wizard = no
inherit acls = yes
inherit owner = no
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /home/netlogon
admin users = root
guest ok = yes
browsable = yes
writable = no
write list = @itadmin, root, Administrator
[I]
comment = Drive I
path = /data1/I/
browseable = yes
writable = yes
create mask = 0660
directory mask = 0770
-------------------------
THANKS FOR ANY HELP!
Best regards
Axel Werner
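As an added illustration (not part of Axel's post or of Samba itself), the following Python models the POSIX ACL access check described in acl(5) next to the way smbd derives the DOS read-only attribute under the `map readonly` settings documented in smb.conf(5): with the default `map readonly = yes` the attribute follows the owner's write bit alone, so a file with `user::---` is reported read-only to Windows even though `group:ALL:rwx` grants wernera write access. The helper names (`parse_getfacl`, `effective_access`, `dos_read_only`, `check`) are this example's own, and the embedded ACL text is constructed from the two file1.txt listings above.

```python
def parse_getfacl(text):
    """Parse getfacl output into ({(tag, qualifier): perms}, owner, owning group)."""
    acl, hdr = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):                      # "# owner: root", "# group: root"
            key, _, val = line[2:].partition(": ")
            hdr[key] = val
        elif line and not line.startswith("default:"):
            tag, qual, perms = line.split(":")
            acl[(tag, qual)] = set(perms) - {"-"}
    return acl, hdr["owner"], hdr["group"]

def effective_access(acl, user, groups, owner, owning_group):
    """Access check in the order acl(5) describes: owner, named user, group class, other."""
    mask = acl.get(("mask", ""), set("rwx"))           # mask caps every non-owner entry
    if user == owner:
        return acl[("user", "")]
    if ("user", user) in acl:
        return acl[("user", user)] & mask
    keys = [("group", "") if g == owning_group else ("group", g) for g in groups]
    matched = [acl[k] & mask for k in keys if k in acl]
    return set().union(*matched) if matched else acl[("other", "")]

def dos_read_only(acl, access, map_readonly):
    """DOS read-only attribute under the `map readonly` settings of smb.conf(5)."""
    if map_readonly == "yes":                          # default: inverse of owner write bit
        return "w" not in acl[("user", "")]
    if map_readonly == "permissions":                  # the connecting user's effective rights
        return "w" not in access
    return False                                       # "no": never derived from permissions

# Constructed from the two getfacl listings for file1.txt in the post above.
FILE1_BEFORE = """\
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
"""
FILE1_AFTER = FILE1_BEFORE.replace("user::---", "user::rwx")

def check(acl_text, user="wernera", groups=("ALL",)):
    acl, owner, owning_group = parse_getfacl(acl_text)
    access = effective_access(acl, user, groups, owner, owning_group)
    return {"posix": "".join(sorted(access)),
            "dos_ro_map_readonly_yes": dos_read_only(acl, access, "yes"),
            "dos_ro_map_readonly_permissions": dos_read_only(acl, access, "permissions")}
```

`check(FILE1_BEFORE)` reports full POSIX rights for wernera but a set DOS read-only flag under the default mapping, while `check(FILE1_AFTER)` clears it; whether `map readonly = permissions` is available in the installed 3.2.5 build should be confirmed against that build's own smb.conf(5) before relying on it.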