Hello,

My name is Hiro.
I'm using samba 3.0.21b-2(acl) and RHEL4.1(kernel 2.6.9-11.ELsmp) + AD Server

Following problem:
When the attribute of the group of the folder was set to a full control twice, the member of the group became inaccessible.
I want to know this problem is BUG or SPEC.

One example

[smb.conf]
security = ADS
acl check permissions = no
acl group control = no
acl map full control = yes
inherit acls = yes

[User]
KITA@fjsv002 [uid=10000(KITA@fjsv002) gid=10000(KITA@domain users) groups=10000(KITA@domain users)]
KITA@fjsv003 [uid=10002(KITA@fjsv003) gid=10000(KITA@domain users) groups=10000(KITA@domain users)]

STEP1. The folder was made by using the Explorer of Windows.
ACL state is as follows.

[root@sambaSV pub]# getfacl testfolder
# file: testfolder
# owner: KITA@fjsv002
# group: KITA@domain\040users
user::rwx
group::rwx
other::---

STEP2. The folder attribute is changed from the security tab.
"Domain Users(KITA\Domain Users)" → "full control" checked and execute.

[root@sambaSV pub]# getfacl testfolder
# file: testfolder
# owner: KITA@fjsv002
# group: KITA@domain\040users
user::rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:other::---

At this point, the member of the Domain Users group can access the "testfolder".

STEP3. The folder attribute is changed again.
"Domain Users(KITA\Domain Users)" → "full control" checked and execute.

[root@sambaSV pub]# getfacl testfolder
# file: testfolder
# owner: KITA@fjsv002
# group: KITA@domain\040users
user::rwx
mask::rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:KITA@domain\040users:rwx
default:mask::rwx
default:other::---

Then, the member of the Domain Users group became inaccessible the folder.

[root@sambaSV pub]# smbclient '//sambaSV/SMBpublic' -U fjsv003
Password:
Domain=[KITA] OS=[Unix] Server=[Samba 3.0.21b-2]
smb: \> cd testfolder
smb: \testfolder\> ls
NT_STATUS_ACCESS_DENIED listing \testfolder\*

                32768 blocks of size 131072. 30551 blocks available
smb: \testfolder\> cd ..

*******************************
Hironori KITAGAWA
Japan
*******************************

Hiro,

> [root@sambaSV pub]# getfacl testfolder
> # file: testfolder
> # owner: KITA@fjsv002
> # group: KITA@domain\040users
> user::rwx
> mask::rwx
> mask::rwx
> other::---

Any idea why the mask is listed twice here? What file system is this?

> default:user::rwx
> default:group::rwx
> default:group:KITA@domain\040users:rwx
> default:mask::rwx
> default:other::---
>
> Then, the member of the Domain Users group became inaccessible
> the folder.
>

The default aces are not used to determine access to a folder. Only for files and subfolders created within the directory. So that shouldn't make any difference.

I would suggest looking at a level 10 debug log from smbd and seeing the root cause of the ACCESS_DENIED error.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
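
Added example, not part of either message and not Samba code: a small checker that splits getfacl output into access and default entries, tests the access entries against the POSIX.1e validity rules (one user::, one group::, one other::, at most one mask::), and evaluates directory access from the access entries only. The STEP2/STEP3 strings are constructed from the listings in the thread; the function names are made up for this illustration.

```python
import re

# Constructed from the getfacl listings quoted in the thread (STEP2 and STEP3).
HEAD = "# owner: KITA@fjsv002\n# group: KITA@domain\\040users\n"
STEP2 = HEAD + "user::rwx\ngroup::rwx\nmask::rwx\nother::---\n" \
    "default:user::rwx\ndefault:group::rwx\ndefault:other::---\n"
STEP3 = HEAD + "user::rwx\nmask::rwx\nmask::rwx\nother::---\n" \
    "default:user::rwx\ndefault:group::rwx\n" \
    "default:group:KITA@domain\\040users:rwx\ndefault:mask::rwx\ndefault:other::---\n"

def parse(text):
    """Return (header fields, access entries, default entries)."""
    meta, access, default = {}, [], []
    for line in text.splitlines():
        m = re.match(r"# (owner|group): (.+)", line)
        if m:
            meta[m.group(1)] = m.group(2).replace("\\040", " ")
        elif line and not line.startswith("#"):
            is_default = line.startswith("default:")
            tag, name, perms = (line[8:] if is_default else line).split(":")
            (default if is_default else access).append((tag, name.replace("\\040", " "), perms))
    return meta, access, default

def problems(access):
    """Validity rules for the access ACL; an empty list means well-formed."""
    found = []
    for tag in ("user", "group", "other"):
        n = sum(1 for t, name, _ in access if t == tag and not name)
        if n != 1:
            found.append(f"{n} '{tag}::' entries, expected 1")
    masks = sum(1 for t, _, _ in access if t == "mask")
    if masks > 1 or (masks == 0 and any(name for _, name, _ in access)):
        found.append(f"{masks} 'mask::' entries")
    return found

def allowed(meta, access, user, groups, want):
    """POSIX ACL check on the directory itself; default entries play no part."""
    if problems(access):
        return None  # malformed listing: do not guess at a result
    perm = {(t, n): p for t, n, p in access}
    mask = perm.get(("mask", ""), "rwx")
    def ok(p, masked=True):
        eff = {c for c, m in zip(p, mask) if c != "-" and (not masked or m != "-")}
        return set(want) <= eff
    if user == meta["owner"]:
        return ok(perm[("user", "")], masked=False)
    if ("user", user) in perm:
        return ok(perm[("user", user)])
    grp = [p for (t, n), p in perm.items() if t == "group" and (n or meta["group"]) in groups]
    return any(ok(p) for p in grp) if grp else ok(perm[("other", "")], masked=False)
```

On the STEP3 listing the checker reports the missing group:: entry and the doubled mask:: and declines to evaluate access, which is the part of the output jerry's reply asks about.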