samba - Jun 2005 - file permission / ACL problems with Office files

Hello,

I`m experiencing major problems after having migrated from Novell to 
SLES 9.

My server configuration:
- SLES 9.0, running on an Intel XEON machine
- Samba 3.0.14a, standard bin package with ACL support
- XFS as filesystem, with ACL support
- Users are members of max. 40 Groups

My client configuration:
- running Windows 98 up to Windows XP SP2, everything included
- Office 97 up to 2003

The problem itself:
Everything is working fine, except for one thing:
After having copied all the files from Novell to SLES and setting all the
permissions using a Windows XP client, everything is fine.
But as soon as an Office user changes one of the files, the file 
permissions
are changed, and the ACL flags are lost.

It happens only if the users are creating new or saving previously created
Office documents. And only with Office docs, meaning XLS and DOC and PPT 
and
so on files.

As soon as the user creates a file using notepad or something similar, the
problem does not appear.

If the user copies one of the files with wrong permissions, the permissions
of the copied file are set right.

So it is obviously a problem concerning Office and samba, but I don't 
have a
clue where to start.

Here's my smb.conf:
-----------------------------------------------------------------
[global]
    workgroup = DBK-GROUP
    server string = Fileserver
    interfaces = 200.1.1.246/24
    passdb backend = smbpasswd:/etc/samba/smbpasswd
    username map = /etc/samba/smbusers
    load printers = yes
    printcap name = cups
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    logon script = logon.bat
    logon path     logon drive = H:
    logon home     domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    kernel oplocks = No
    idmap uid = 1000-1999
    idmap gid = 2000-2999
    winbind uid = 1000-1999
    winbind gid = 2000-2999
    winbind use default domain = yes
    create mask = 0770
    directory mask = 0775
    force create mode = 0770
        force directory mode = 0755
    guest ok = Yes
    veto oplock files = /*.doc/*.xls/*.mdb/*.cdx/*.dbf/
    strict locking = No
    admin users = root

[netlogon]
    path = /home/samba/netlogon
    write list = @ntadmin

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0600
    directory mask = 0700
    guest ok = No
    browseable = No
    admin users = root

[homes$]
    path = /home
    comment = Home Directories
    valid users = root
    read only = No
    create mask = 0700
    directory mask = 0700
    guest ok = No
    browseable = No
    admin users = root

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    guest ok = yes
    use client driver = Yes
    browseable = No
    create mask = 0600
    admin users = root

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin, root
    force group = ntadmin
    create mask = 0664
    guest ok = No
    admin users = root

[prdeedv001]
    path = /var/tmp
    printable = Yes
    printer name = prdeedv001
    use client driver = Yes
    create mask = 0600
    admin users = root

[vol1]
    path = /data/VOL1
    valid users = @dbkusers
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    map acl inherit = Yes
    admin users = root

[vol2]
    path = /data/VOL2
    valid users = @dbkusers
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    map acl inherit = Yes
    admin users = root

[vol3]
    path = /data/VOL3
    valid users = @dbkusers,@IS-Admins
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    map acl inherit = Yes
    admin users = root

[vol4]
    path = /data/VOL4
    valid users = @dbkusers
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    map acl inherit = Yes
    admin users = root
-----------------------------------------------------------------


Any help will be greatly appreciated!
Thanks very much in advance!

hi,

although we don't have the problem with windows workstations please have 
a look at thread

[Samba] Mac OSX breaking POSIX rights with SMB/CIFS

btw: i have the same setup like you have

greez


-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137

Hi,

While searching for a resolution to my own permissions problem a few days 
ago, I saw a document related to your problem.

It is due to the way Office updates a file: it creates a new file with a
temporary
name, it deletes the old file, and then it renames the temporary file to the 
original name. That's why your ACLs are lost.

AFAIR the solution was to use default ACL entries in the upper directory so 
that the temporary file (and later the real file) receives ACLs at creation
time.
Well, that won't help much if your users are playing with specific ACLs on 
each individual file, but that's probably enough for most cases.

Although I have not tested it with this ACL case, another solution is maybe to 
use OpenOffice    ;-)

HTH
Pierre

On 30 Jun 2005 at 18:47, Eduard Panaset wrote:
> Hello,
> 
> I`m experiencing major problems after having migrated from Novell to 
> SLES 9.
> 
> My server configuration:
> - SLES 9.0, running on an Intel XEON machine
> - Samba 3.0.14a, standard bin package with ACL support
> - XFS as filesystem, with ACL support
> - Users are members of max. 40 Groups
> 
> My client configuration:
> - running Windows 98 up to Windows XP SP2, everything included
> - Office 97 up to 2003
> 
> The problem itself:
> Everything is working fine, except for one thing:
> After having copied all the files from Novell to SLES and setting all the
> permissions using a Windows XP client, everything is fine.
> But as soon as an Office user changes one of the files, the file 
> permissions
> are changed, and the ACL flags are lost.
> 
> It happens only if the users are creating new or saving previously created
> Office documents. And only with Office docs, meaning XLS and DOC and PPT 
> and
> so on files.
> 
> As soon as the user creates a file using notepad or something similar, the
> problem does not appear.
> 
> If the user copies one of the files with wrong permissions, the permissions
> of the copied file are set right.
> 
> So it is obviously a problem concerning Office and samba, but I don't 
> have a
> clue where to start.
> 
> Here's my smb.conf:
> -----------------------------------------------------------------
> [global]
>     workgroup = DBK-GROUP
>     server string = Fileserver
>     interfaces = 200.1.1.246/24
>     passdb backend = smbpasswd:/etc/samba/smbpasswd
>     username map = /etc/samba/smbusers
>     load printers = yes
>     printcap name = cups
>     socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>     logon script = logon.bat
>     logon path >     logon drive = H:
>     logon home >     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     dns proxy = No
>     wins support = Yes
>     kernel oplocks = No
>     idmap uid = 1000-1999
>     idmap gid = 2000-2999
>     winbind uid = 1000-1999
>     winbind gid = 2000-2999
>     winbind use default domain = yes
>     create mask = 0770
>     directory mask = 0775
>     force create mode = 0770
>         force directory mode = 0755
>     guest ok = Yes
>     veto oplock files = /*.doc/*.xls/*.mdb/*.cdx/*.dbf/
>     strict locking = No
>     admin users = root
> 
> [netlogon]
>     path = /home/samba/netlogon
>     write list = @ntadmin
> 
> [homes]
>     comment = Home Directories
>     valid users = %S
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     guest ok = No
>     browseable = No
>     admin users = root
> 
> [homes$]
>     path = /home
>     comment = Home Directories
>     valid users = root
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>     guest ok = No
>     browseable = No
>     admin users = root
> 
> [printers]
>     comment = All Printers
>     path = /var/tmp
>     printable = Yes
>     guest ok = yes
>     use client driver = Yes
>     browseable = No
>     create mask = 0600
>     admin users = root
> 
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     write list = @ntadmin, root
>     force group = ntadmin
>     create mask = 0664
>     guest ok = No
>     admin users = root
> 
> [prdeedv001]
>     path = /var/tmp
>     printable = Yes
>     printer name = prdeedv001
>     use client driver = Yes
>     create mask = 0600
>     admin users = root
> 
> [vol1]
>     path = /data/VOL1
>     valid users = @dbkusers
>     read only = No
>     inherit permissions = Yes
>     inherit acls = Yes
>     map acl inherit = Yes
>     admin users = root
> 
> [vol2]
>     path = /data/VOL2
>     valid users = @dbkusers
>     read only = No
>     inherit permissions = Yes
>     inherit acls = Yes
>     map acl inherit = Yes
>     admin users = root
> 
> [vol3]
>     path = /data/VOL3
>     valid users = @dbkusers,@IS-Admins
>     read only = No
>     inherit permissions = Yes
>     inherit acls = Yes
>     map acl inherit = Yes
>     admin users = root
> 
> [vol4]
>     path = /data/VOL4
>     valid users = @dbkusers
>     read only = No
>     inherit permissions = Yes
>     inherit acls = Yes
>     map acl inherit = Yes
>     admin users = root
> -----------------------------------------------------------------
> 
> 
> Any help will be greatly appreciated!
> Thanks very much in advance!
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
>

On Thu, Jun 30, 2005 at 06:47:33PM +0200, Eduard Panaset
wrote:
> Hello,
> 
> I`m experiencing major problems after having migrated from Novell to 
> SLES 9.
> 
> My server configuration:
> - SLES 9.0, running on an Intel XEON machine
> - Samba 3.0.14a, standard bin package with ACL support
> - XFS as filesystem, with ACL support
> - Users are members of max. 40 Groups
> 
> My client configuration:
> - running Windows 98 up to Windows XP SP2, everything included
> - Office 97 up to 2003
> 
> The problem itself:
> Everything is working fine, except for one thing:
> After having copied all the files from Novell to SLES and setting all the
> permissions using a Windows XP client, everything is fine.
> But as soon as an Office user changes one of the files, the file 
> permissions
> are changed, and the ACL flags are lost.
> 
> It happens only if the users are creating new or saving previously created
> Office documents. And only with Office docs, meaning XLS and DOC and PPT 
> and
> so on files.
> 
> As soon as the user creates a file using notepad or something similar, the
> problem does not appear.
> 
> If the user copies one of the files with wrong permissions, the permissions
> of the copied file are set right.
> 
> So it is obviously a problem concerning Office and samba, but I don't 
> have a
> clue where to start.
I think this is something we've fixed for the 3.0.20 pre releases.
I'd appreciate it if you could test this in your environment (although
I appreciate that you probably won't want to put this into production).

Thanks,

	Jeremy.