Hi list,

Since I've upgraded from samba 3.0.23c to 3.0.25c my ACLs don't work as expected anymore. I'm not sure where the problem is, however. The symptoms are simple: with 3.0.23c, I could grant and revoke user, group and world write access to and from files in a share. With 3.0.25c, I can't do that anymore. When I deselect group or world read access and apply the changes, I don't get an error, but the permissions aren't changed either.

The release notes mention that POSIX ACL support has been moved to a VFS module, but I'm wondering if the problem I have is there: I'm having trouble also with the normal permissions of the files. I compiled samba with --with-acl-support and --with-static-modules=vfs_posixacl, while setting 'vfs objects = posixacl' in the config stanza for the specific share, but no luck.

Can anyone give me a clue to a config setting or a piece of virtual dead tree that I can read?

Thanks a lot.

roel

Some additional info:

---/--- compile options:

./configure \
  --enable-cups \
  --enable-static=no \
  --enable-shared=yes \
  --with-fhs \
  --with-acl-support \
  --with-automount \
  --prefix=/usr \
  --localstatedir=/var \
  --bindir=/usr/bin \
  --sbindir=/usr/sbin \
  --with-lockdir=/var/cache/samba \
  --sysconfdir=/etc \
  --with-configdir=/etc/samba \
  --with-privatedir=/etc/samba/private \
  --with-swatdir=/usr/share/swat \
  --with-smbmount \
  --with-quotas \
  --with-syslog \
  --with-utmp \
  --with-libsmbclient \
  --with-winbind \
  --with-ldapsam \
  --with-static-modules=vfs_posixacl \

---/--- smb.conf:

[global]
workgroup = DEMO
netbios name = TESTSERVER
server string = testserver
interfaces = 192.168.1.255/24 127.255.255.255/8
bind interfaces only = Yes
hosts allow = 192.168.1. 127.0.0.1
encrypt passwords = Yes
username map = /etc/samba/smbusers
log file = /var/log/samba/samba.log
max log size = 350k
max open files = 4000
syslog = 0
domain logons = Yes
logon script = %U.bat
# This is for winNT and possibly win2000
# The profile share is also needed
logon path = \\testserver\%U\.profileNT
# This is for win95 and win98
logon drive = H:
logon home = \\testserver\%U
os level = 254
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
time server = Yes
name resolve order = host wins bcast
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=example,dc=tld
ldap machine suffix = ou=users
ldap user suffix = ou=users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=tld
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
min print space = 1000
vfs objects = posixacl
oplocks = No
level2 oplocks = No

[tv]
path = /tmp/tv
readlist validusers = +"Domain Users"
writelist = +"Domain Users"
vfs objects = posixacl
The same woes about the current Samba version, 3.0.26a. See my post "ACL inherit and windows folder security settings", October 8. Eugene.
Same problem for me; see my post "world permissions edition". No problem with versions 3.0.22 and 3.0.23.
Roel van Meer writes:

> Since I've upgraded from samba 3.0.23c to 3.0.25c my ACLs don't work as
> expected anymore. I'm not sure where the problem is, however. The symptoms
> are simple: with 3.0.23c, I could grant and revoke user, group and world
> write access to and from files in a share. With 3.0.25c, I can't do that
> anymore. When I deselect group or world read access and apply the changes,
> I don't get an error, but the permissions aren't changed either.

After reading some source code, I think I found where the problem pops up. Since 3.0.25c, the set_nt_acl() function calls append_parent_acl(), which in turn calls unix_mode(). The unix_mode() function has documentation that states that "everybody gets read bit set", which is what causes the trouble. When I comment the code that adds these ACEs to the applied set, everything works as expected. However, I'm really not sure which things (if any) will break now.

Attached to this mail is a rough patch that comments the code causing the problem. It's tested insofar that basic ACL functionality works as expected, but YMMV. I've filed a bug report about this:, nr 5094.

Regards,

roel

-------------- next part --------------
diff -ruN source.orig/smbd/posix_acls.c source/smbd/posix_acls.c --- source.orig/smbd/posix_acls.c 2007-11-15 04:15:04.000000000 +0100 +++ source/smbd/posix_acls.c 2007-11-20 16:39:11.000000000 +0100 @@ -3243,6 +3243,9 @@ * Append u/g/w. */ + /* We do not append these parent permissions, because they always cause + * user, group and world to have read access. + * It might be incorrect or inappropriate to not add these, however. status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]); if (!NT_STATUS_IS_OK(status)) { return status; @@ -3255,6 +3258,7 @@ if (!NT_STATUS_IS_OK(status)) { return status; } + */ /* Finally append any inherited ACEs. */ for (j = 0; j < parent_sd->dacl->num_aces; j++) {
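Review bot: the block comment opened in the first hunk (before `status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]);`) is only closed by the `+ */` in the second hunk, so every `new_ace[i++]` in between stops executing; please confirm that the size used when `new_ace` was allocated and the ACE count handed on after the "Finally append any inherited ACEs" loop are derived from `i` rather than from a fixed "parent ACEs plus three u/g/w entries" figure, otherwise the array now carries uninitialised slots. Disabling the code with `/* ... */` is also fragile: any `*/` inside the skipped region ends the comment early and the remainder compiles again, and `unx_mode` becomes unused in this path, which will at least raise a compiler warning. Prefer `#if 0` / `#endif`, or better a run-time switch, so the behaviour the comment itself calls "possibly incorrect or inappropriate" is not silently removed for every share; a one-line note in the comment saying why the u/g/w append was introduced in 3.0.25 (what it was meant to preserve) would help the maintainers judge the trade-off.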