[Samba] samba 3.2.5 + ACLs - read/write permission become read only

Axel Werner mail at awerner.homeip.net
Mon May 23 04:49:17 MDT 2011


IN SHORT:
- READ+WRITE becomes READ ONLY
- OWNER ACL permissions for "another user" affect group ACL permissions


Hi Experts,

We recently figured some strange behaviour on our Debian 5 (Lenny, uname 2.6.26-2-686) + Samba 2:3.2.5-4lenny14 server that I would like to discuss here. I cannot tell whether it's a bug or just a lack of understanding. Here is the scenario:

I have a Samba shared directory like this:

host:/someparentdirs/_AW_TEST# ls -lad .
d---rws---+ 3 root root 4096 2011-05-23 10:33 .
host:/someparentdirs/_AW_TEST#


host:/someparentdirs/_AW_TEST# getfacl .
# file: .
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
group:CCIGUESTS:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:ALL:rwx
default:mask::rwx
default:other::---


As you can see, the group ALL is granted RWX. EVERYTHING ELSE is set to owner root.root with 000 permissions.

This directory contains several files: a .txt, a .doc and a .xls, as you can see here:

host:/someparentdirs/_AW_TEST# ls -la
total 56
d---rws---+  3 root root  4096 2011-05-23 10:33 .
drwxrws---+ 32 root root  4096 2011-05-20 12:40 ..
----rwx---+  1 root root 13824 2011-05-20 16:15 excel1.xls
----rwx---+  1 root root    24 2011-05-20 16:15 file1.txt
----rwx---+  1 root root 24064 2011-05-20 16:15 word1.doc
host:/someparentdirs/_AW_TEST#


ACLs on those files are set similarly:

host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#



NOW a given regular Windows user "wernera", who is a MEMBER OF "ALL", is supposed to have READ/WRITE PERMISSIONS on those files, right? At least I would expect that.

But the fact is that in this configuration my user "wernera" can only access these files "READ ONLY", independent of which Windows application is used. He is able to create new files and all, but those existing files became READ ONLY for some reason.


IF I now change the ACLs to something like this (only the OWNER's part changed) ...

host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::rwx
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#

... the whole thing starts to work just as expected, even though the "root" user should not matter here.


BTW: the user "wernera", as a regular user, CAN write to those files from the Linux console (via ssh using vim or similar, for example). So it "looks like" Samba is handling this strangely differently.



Any ideas wtf is going on here?



Here are my configs:


Kernel:

uname -r : 2.6.26-2-686
-------------------------

Samba:

dpkg -l |grep -i samba
samba                             2:3.2.5-4lenny14 
samba-common                      2:3.2.5-4lenny14
samba-doc                         2:3.2.5-4lenny14 
samba-doc-pdf                     2:3.2.5-4lenny14 
smbldap-tools                     0.9.4-1 
-------------------------


ACL Tools:

dpkg -l | grep -i acl
ii  acl                               2.2.47-2
ii  libacl1                           2.2.47-2

-------------------------
Samba Config:

grep -v -e '^[[:space:]]*#' -e '^$' /etc/samba/smb.conf

[global]
         domain logons = Yes
         domain master = auto
         workgroup = xxx
         server string =
         os level = 66
         dns proxy = No
         wins support = Yes
         panic action = /usr/share/samba/panic-action %d
         guest account = nobody
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         passdb backend = ldapsam:"ldap://localhost.domain.de"
         encrypt passwords = true
         obey pam restrictions = yes
         unix password sync = no
         check password script = /sbin/crackcheck -c -d /var/cache/cracklib/cracklib_dict
         ldap suffix = dc=someou,dc=someou,dc=de
         ldap admin dn = cn=admin,dc=someou,dc=someou,dc=de
         ldap group suffix = ou=groups
         ldap user suffix = ou=people
         ldap machine suffix = ou=people
         ldap idmap suffix = ou=idmap
         ldap passwd sync = no
         ldap ssl = start tls
         ldap delete dn = no
         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
         debug pid = yes
         log level = 0 auth:3
         log file = /var/log/samba/samba.log
         max log size = 10000
         syslog only = yes
         syslog = 1000
         logon drive = h:
         logon home=\\host\%U
         logon script = scripts\logon.cmd
         logon path =
         show add printer wizard = no
         inherit acls = yes
         inherit owner = no
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
    create mask = 0600
    directory mask = 0700
[netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    admin users = root
    guest ok = yes
    browsable = yes
    writable = no
    write list = @itadmin, root, Administrator
[I]
    comment = Drive I
    path = /data1/I/
    browseable = yes
    writable = yes
    create mask = 0660
    directory mask = 0770

-------------------------





THANKS FOR ANY HELP!

Best regards
Axel Werner
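To pin down what the filesystem itself grants in the two cases above, here is an added example (not from the post, and not Samba code) that implements the access-check algorithm described in acl(5) and runs it over the two getfacl listings of file1.txt quoted in the post; it also shows how a mask entry caps the group entries. It models only the kernel's decision for a local process (the case the console test exercises), not the separate mapping smbd performs when it presents these entries to a Windows client.

```python
from typing import Dict, Set

# getfacl listing of file1.txt as quoted in the post (before the change).
ACL_BEFORE = """# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
"""
ACL_AFTER = ACL_BEFORE.replace("user::---", "user::rwx")  # the second listing

def parse_getfacl(text: str) -> Dict:
    """Parse getfacl(1) output; default: entries only shape new objects."""
    acl: Dict = {"user": {}, "group": {}, "mask": set("rwx")}  # no mask = rwx
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            p = set(perms) - {"-"}
            if tag == "mask":
                acl["mask"] = p           # caps every group-class entry
            elif qual == "":
                acl[tag + "_obj"] = p     # user:: / group:: / other::
            else:
                acl[tag][qual] = p        # named user:NAME / group:NAME

    return acl

def access(acl: Dict, user: str, groups: Set[str], wanted: str) -> bool:
    """acl(5) access check: does a process running as `user`, a member of
    `groups`, hold every permission letter in `wanted` (e.g. "rw")?"""
    need, mask = set(wanted), acl["mask"]
    if user == acl["owner"]:                     # 1. owner entry, unmasked
        return need <= acl["user_obj"]
    if user in acl["user"]:                      # 2. named user entry
        return need <= acl["user"][user] & mask
    grants = [acl["group_obj"]] if acl["owning_group"] in groups else []
    grants += [acl["group"][g] for g in groups & set(acl["group"])]
    if grants:                                   # 3. group-class entries
        return any(need <= g & mask for g in grants)
    return need <= acl["other_obj"]              # 4. other entry
```

For "wernera" (member of ALL, not the owner) the owner entry is never consulted, so both listings yield read/write at the kernel level; only root itself is affected by the change to user::.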


