Hi, all,

I run the latest Samba4 with Windows 7 clients.

I have a share that I created in smb.conf like so:
[common]
path = /home/pmw/installed/samba/common-share
csc policy = manual
read only = no

Within it, I created a file using a regular user. That file has
fine-looking security: that user has full permissions, Everyone has
read-only permissions.

'getfattr' on that file results in this:
user.DosAttrib=0sAQABACAAAAAEAAAAAAAAAAAAAAAAAgAAAAAAAAB0zSuiUMsBAHTNK6JQywE

However, another user is able to modify that file -- but not delete it.
When that other user tries to delete that file, Samba says:
../ntvfs/posix/pvfs_acl.c:567 denied access to
'/home/pmw/installed/samba/common-share/philip-file.txt' - wanted
0x01000000 but got 0x001201ff (missing 0x01000000)

...but no such message appears when the other user changes the file.

Right now, it appears that Samba does not respect Windows' ACLs.

I'd like only the originating user to have write access to that file.
Am I doing something wrong?

--
Philip

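Added example, not part of the original thread: a decoder for the access masks in the pvfs_acl.c denial line above, using the standard Windows access-mask bit names. It shows that the granted mask 0x001201ff contains FILE_WRITE_DATA but neither DELETE nor WRITE_DAC, and that the missing bit 0x01000000 is ACCESS_SYSTEM_SECURITY; the function names and the regex are this example's own.

```python
import re

# Standard Windows access-mask bits for file objects (names from the Windows SDK).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Matches the "wanted ... but got ... (missing ...)" part of the log line.
LOG_RE = re.compile(
    r"wanted (0x[0-9a-fA-F]+) but got (0x[0-9a-fA-F]+) \(missing (0x[0-9a-fA-F]+)\)")

# The log line quoted in the first message, joined onto one line.
SAMPLE = ("../ntvfs/posix/pvfs_acl.c:567 denied access to "
          "'/home/pmw/installed/samba/common-share/philip-file.txt' - wanted "
          "0x01000000 but got 0x001201ff (missing 0x01000000)")

def decode_mask(mask):
    """Return the names of the rights set in mask, lowest bit first."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)  # bits this table does not name
    if unknown:
        names.append("UNKNOWN(0x%08x)" % unknown)
    return names

def explain_denial(line):
    """Decode the wanted, granted and missing masks of one denial line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("no 'wanted ... but got ...' masks in this line")
    wanted, got, missing = (int(g, 16) for g in m.groups())
    return {"wanted": decode_mask(wanted), "granted": decode_mask(got),
            "missing": decode_mask(missing)}
```
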
On Thu, 9 Sep 2010 23:46:29 -0500, "Philip M. White" <pmw at qnan.org> wrote:
> Hi, all,
>
> I run the latest Samba4 with Windows 7 clients.
>
> I have a share that I created in smb.conf like so:
> [common]
> path = /home/pmw/installed/samba/common-share
> csc policy = manual
> read only = no
>
> Within it, I created a file using a regular user. That file has
> fine-looking security: that user has full permissions, Everyone has
> read-only permissions.

From your Windows client, log in to your domain as administrator.
Choose the share, go to Properties, Security, Advanced, and give the group and
users permissions.
It should work.

> 'getfattr' on that file results in this:
> user.DosAttrib=0sAQABACAAAAAEAAAAAAAAAAAAAAAAAgAAAAAAAAB0zSuiUMsBAHTNK6JQywE
>
> However, another user is able to modify that file -- but not delete it.
> When that other user tries to delete that file, Samba says:
> ../ntvfs/posix/pvfs_acl.c:567 denied access to
> '/home/pmw/installed/samba/common-share/philip-file.txt' - wanted
> 0x01000000 but got 0x001201ff (missing 0x01000000)
>
> ...but no such message appears when the other user changes the file.
>
> Right now, it appears that Samba does not respect Windows' ACLs.
>
> I'd like only the originating user to have write access to that file.
> Am I doing something wrong?
>
> --
> Philip

On Fri, Sep 10, 2010 at 01:51:42PM +0200, Daniel M?ller wrote:
> From your Windows client, log in to your domain as administrator.
> Choose the share, go to Properties, Security, Advanced, and give the group and
> users permissions.
> It should work.

Which permissions do you mean? Right now I have a file on my share that
has these permissions according to the Advanced Security Settings window:

Allow - Joe Smith - Full Control - <not inherited>
Allow - Domain Users - Read & execute - <not inherited>
Allow - Everyone - Read & execute - <not inherited>
Allow - SYSTEM - Full Control - <not inherited>

Joe Smith was the one who created this file.

However, I can log in as Jane Doe, who is a Domain User but AFAIK not in
the SYSTEM group, and modify that file. As Jane Doe I am not able to
delete the file or change its permissions, however. Why is Jane Doe
able to modify the file?

--
Philip

On Fri, Sep 10, 2010 at 08:01:17AM -0500, Philip M. White wrote:
> However, I can log in as Jane Doe, who is a Domain User but AFAIK not in
> the SYSTEM group, and modify that file. As Jane Doe I am not able to
> delete the file or change its permissions, however. Why is Jane Doe
> able to modify the file?

Apologies, this is not a Samba problem. I am not experienced with NTFS
security, so I got confused in all the inheritance. Now it appears to
work as it should.

However, one related complaint: the "Effective Permissions" tab within
Advanced Security Settings fails to calculate effective permissions no
matter what user I try. When I enter any user, I get "Windows cannot
calculate the effective permissions for <user>."

Is this a Samba problem?

--
Philip