Hi list,
Since I've upgraded from samba 3.0.23c to 3.0.25c my ACL's don't
work as
expected anymore. I'm not sure where the problem is, however. The symptoms
are simple: with 3.0.23c, I could grant and revoke user, group and world
write access to and from files in a share. With 3.0.25c, I can't do that
anymore. When I deselect group or world read access and apply the changes,
I don't get an error, but the permissions aren't changed either.
The release notes mention that posix acl support has been moved to a vfs
module, but I'm wondering if the problem I have is there: I'm having
trouble
also with the normal permissions of the files.
I compiled samba with --with-acl-support and
--with-static-modules=vfs_posixacl, while setting 'vfs objects =
posixacl'
in the config stanza for the specific share, but no luck.
Can anyone give me a clue to a config setting or a piece of virtual dead
tree that I can read?
Thanks a lot.
roel
Some additional info:
---/---
compile options:
./configure \
--enable-cups \
--enable-static=no \
--enable-shared=yes \
--with-fhs \
--with-acl-support \
--with-automount \
--prefix=/usr \
--localstatedir=/var \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--with-lockdir=/var/cache/samba \
--sysconfdir=/etc \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba/private \
--with-swatdir=/usr/share/swat \
--with-smbmount \
--with-quotas \
--with-syslog \
--with-utmp \
--with-libsmbclient \
--with-winbind \
--with-ldapsam \
--with-static-modules=vfs_posixacl \
---/---
smb.conf:
[global]
workgroup = DEMO
netbios name = TESTSERVER
server string = testserver
interfaces = 192.168.1.255/24 127.255.255.255/8
bind interfaces only = Yes
hosts allow = 192.168.1. 127.0.0.1
encrypt passwords = Yes
username map = /etc/samba/smbusers
log file = /var/log/samba/samba.log
max log size=350k
max open files = 4000
syslog = 0
domain logons = Yes
logon script = %U.bat
# This is for winNT and possibly win2000
# The profile share is also needed
logon path = \\testserver\%U\.profileNT
# This is for win95 and win98
logon drive = H:
logon home = \\testserver\%U
os level = 254
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
time server = Yes
name resolve order = host wins bcast
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=example,dc=tld
ldap machine suffix = ou=users
ldap user suffix = ou=users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=tld
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
min print space = 1000
vfs objects = posixacl
oplocks = No
level2 oplocks = No
[tv]
path = /tmp/tv
readlist validusers = +"Domain Users"
writelist = +"Domain Users"
vfs objects = posixacl
The same woes about the current Samba version, 3.0.26a. See my post "ACL inherit and windows folder security settings", October 8. Eugene.
same problem for me see my post "world permissions edition" no problem with version 3.0.22 and 3.0.23
Roel van Meer writes:> Since I've upgraded from samba 3.0.23c to 3.0.25c my ACL's don't work as > expected anymore. I'm not sure where the problem is, however. The symptoms > are simple: with 3.0.23c, I could grant and revoke user, group and world > write access to and from files in a share. With 3.0.25c, I can't do that > anymore. When I deselect group or world read access and apply the changes, > I don't get an error, but the permissions aren't changed either.After reading some source code, I think I found where the problem pops up. Since 3.0.25c, the set_nt_acl() function calls append_parent_acl(), which in turn calls unix_mode(). The unix_mode() function has documentation that states that "everybody gets read bit set", which is what causes the trouble. When I comment the code that adds these ACEs to the applied set, everything works as expected. However, I'm really not sure which things (if any) will break now. Attached to this mail is a rough patch that comments the code causing the problem. It's tested insofar that basic ACL functionality works as expected, but YMMV. I've filed a bug report about this:, nr 5094. Regards, roel -------------- next part -------------- diff -ruN source.orig/smbd/posix_acls.c source/smbd/posix_acls.c --- source.orig/smbd/posix_acls.c 2007-11-15 04:15:04.000000000 +0100 +++ source/smbd/posix_acls.c 2007-11-20 16:39:11.000000000 +0100 @@ -3243,6 +3243,9 @@ * Append u/g/w. */ + /* We do not append these parent permissions, because they always cause + * user, group and world to have read access. + * It might be incorrect or inappropriate to not add these, however. status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]); if (!NT_STATUS_IS_OK(status)) { return status; @@ -3255,6 +3258,7 @@ if (!NT_STATUS_IS_OK(status)) { return status; } + */ /* Finally append any inherited ACEs. */ for (j = 0; j < parent_sd->dacl->num_aces; j++) {