[Samba] Group Permissions Not Working

Peter Eriksson pen at lysator.liu.se
Tue Apr 30 19:37:47 UTC 2019

We have seen this problem - mishandling of group access on files/directories with just “unix permissions set” on ZFS filesystems on FreeBSD. Things work fine if you disable the ZFS ACL stuff, or set an ACL on the file system objects. 

Debugging this issue it seems to boil down to the fact that FreeBSD doesn’t support extended attributes, and when generating the “fake ACL” from the unix permissions it doesn’t set the “write to attributes allowed” bits (which is “correct”) - but since Windows thinks it needs group write access to attributes or it won’t attempt to write to the objects at all…

So we (a co-worker of mine) created the following patch which seems to solve the issue (it basically lies and adds the “write to attributes” if “write to files” is set):

--- samba-4.9.4-test/source3/modules/nfs4_acls.c        2018-07-12 10:23:36.000000000 +0200
+++ samba-4.9.4-mikha02/source3/modules/nfs4_acls.c     2019-03-04 11:29:29.263401000 +0100
@@ -380,6 +380,17 @@
                DEBUG(10, ("Windows mapped ace flags: 0x%x => 0x%x\n",
                      ace->aceFlags, win_ace_flags));

+               // 2019-03-04 mikael.haglund at liu.se - Dirtyhack
+               // https://bugzilla.samba.org/show_bug.cgi?id=13809
+               // Windows won't grant write access unless it have write access on attrib
+               // If write access of the data, then grant write to attribute
+               if(ace->aceMask & 0x2)
+               {
+                  ace->aceMask |= 0x000110;
+                  DEBUG(2, ("Changing ACL, adding mask for win-compability"\
+                             "new mask: %x\n", ace->aceMask));
+               }
                mask = ace->aceMask;

                /* Mapping of owner@ and group@ to creator owner and- Peter
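
Review bot: the `if(ace->aceMask & 0x2)` test in the added lines carries no check of the ACE type, so if deny entries reach this point, a deny ACE with the write-data bit would have its deny widened to the attribute bits as well; restrict the adjustment to allow entries. The added lines also write into `ace->aceMask` itself rather than the local `mask` assigned on the next line, so the source ACE is modified as a side effect; setting the bits on `mask` after `mask = ace->aceMask;` would keep the change local to the Windows mapping. The literals 0x2 and 0x000110 would read better as named mask constants (0x000110 sets two bits, 0x10 and 0x100, while the comment speaks only of write to attribute), the two adjacent string literals in the DEBUG call concatenate to "win-compabilitynew mask" with no separator, and the surrounding code uses /* */ comments rather than //.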

- Peter

> On 30 Apr 2019, at 20:40, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 30 Apr 2019 18:30:17 +0000
> "Banks, David (db2d)" <db2d at virginia.edu> wrote:
>> I initially started trying to use nfs4acl_xattr but ran into
>> problems. I’ll look back into it. Thanks!
> So it is ZFS, I fear it will not work, FreeBSD has struggled with using
> ZFS and Samba.
> Rowland