samba - Oct 2007 - permission/acl troubles

Hi list,

Since I've upgraded from samba 3.0.23c to 3.0.25c my ACL's don't
work as
expected anymore. I'm not sure where the problem is, however. The symptoms 
are simple: with 3.0.23c, I could grant and revoke user, group and world 
write access to and from files in a share. With 3.0.25c, I can't do that 
anymore. When I deselect group or world read access and apply the changes, 
I don't get an error, but the permissions aren't changed either.

The release notes mention that posix acl support has been moved to a vfs 
module, but I'm wondering if the problem I have is there: I'm having
trouble
also with the normal permissions of the files.

I compiled samba with --with-acl-support and 
--with-static-modules=vfs_posixacl, while setting 'vfs objects =
posixacl'
in the config stanza for the specific share, but no luck.

Can anyone give me a clue to a config setting or a piece of virtual dead 
tree that I can read?

Thanks a lot.

roel


Some additional info:
---/---
compile options:
./configure \
  --enable-cups \
  --enable-static=no \
  --enable-shared=yes \
  --with-fhs \
  --with-acl-support \
  --with-automount \
  --prefix=/usr \
  --localstatedir=/var \
  --bindir=/usr/bin \
  --sbindir=/usr/sbin \
  --with-lockdir=/var/cache/samba \
  --sysconfdir=/etc \
  --with-configdir=/etc/samba \
  --with-privatedir=/etc/samba/private \
  --with-swatdir=/usr/share/swat \
  --with-smbmount \
  --with-quotas \
  --with-syslog \
  --with-utmp \
  --with-libsmbclient \
  --with-winbind \
  --with-ldapsam \
  --with-static-modules=vfs_posixacl \

---/---
smb.conf:
[global]
        workgroup = DEMO
        netbios name = TESTSERVER
        server string = testserver

        interfaces = 192.168.1.255/24 127.255.255.255/8
        bind interfaces only = Yes
        hosts allow = 192.168.1. 127.0.0.1

        encrypt passwords = Yes
        username map = /etc/samba/smbusers

        log file = /var/log/samba/samba.log
        max log size=350k
        max open files = 4000
        syslog = 0

        domain logons = Yes
        logon script = %U.bat
        # This is for winNT and possibly win2000
        # The profile share is also needed
        logon path = \\testserver\%U\.profileNT
        # This is for win95 and win98
        logon drive = H:
        logon home = \\testserver\%U

        os level = 254
        preferred master = Yes
        domain master = Yes
        local master = Yes

        wins support = Yes
        time server = Yes
        name resolve order = host wins bcast

        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=example,dc=tld
        ldap machine suffix = ou=users
        ldap user suffix = ou=users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=example,dc=tld
        idmap backend = ldap:ldap://localhost
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        printing = cups
        min print space = 1000
        vfs objects = posixacl

        oplocks = No
        level2 oplocks = No

[tv]
        path = /tmp/tv
        readlist         validusers = +"Domain Users"
        writelist = +"Domain Users"
        vfs objects = posixacl

The same woes about the current Samba version, 3.0.26a. See my post "ACL
inherit and windows folder security settings", October 8.

Eugene.

same problem for me

see my post  "world permissions edition"

no problem with version 3.0.22 and 3.0.23

Roel van Meer writes:
> Since I've upgraded from samba 3.0.23c to 3.0.25c my ACL's
don't work as
> expected anymore. I'm not sure where the problem is, however. The
symptoms
> are simple: with 3.0.23c, I could grant and revoke user, group and world 
> write access to and from files in a share. With 3.0.25c, I can't do
that
> anymore. When I deselect group or world read access and apply the changes, 
> I don't get an error, but the permissions aren't changed either.
After reading some source code, I think I found where the problem pops up.
Since 3.0.25c, the set_nt_acl() function calls append_parent_acl(), which in 
turn calls unix_mode(). The unix_mode() function has documentation that     
states that "everybody gets read bit set", which is what causes the
trouble.

When I comment the code that adds these ACEs to the applied set, everything 
works as expected. However, I'm really not sure which things (if any) will
break now.

Attached to this mail is a rough patch that comments the code causing the   
problem. It's tested insofar that basic ACL functionality works as 
expected, but YMMV. I've filed a bug report about this:, nr 5094.

Regards,

roel   


-------------- next part --------------
diff -ruN source.orig/smbd/posix_acls.c source/smbd/posix_acls.c
--- source.orig/smbd/posix_acls.c	2007-11-15 04:15:04.000000000 +0100
+++ source/smbd/posix_acls.c	2007-11-20 16:39:11.000000000 +0100
@@ -3243,6 +3243,9 @@
 	  * Append u/g/w.
 	  */
 
+	/* We do not append these parent permissions, because they always cause
+	 * user, group and world to have read access.
+	 * It might be incorrect or inappropriate to not add these, however.
 	status = append_ugw_ace(fsp, psbuf, unx_mode, S_IRUSR, &new_ace[i++]);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -3255,6 +3258,7 @@
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
+	*/
 
 	/* Finally append any inherited ACEs. */
 	for (j = 0; j < parent_sd->dacl->num_aces; j++) {