sisu .
2011-Jan-27  15:22 UTC
[Samba] ACLs under windows 7 - you do not have permissions to access
Hi Everyone,
I am having really big trouble with ACLs under Windows 7. I use the
filesystem's ACLs under Samba and it works correctly under Windows XP, but
it does not in W7.
I am not sure if it is a kind of bug; the case is that last week I upgraded my
Samba 3.0 to 3.5 and my ACLs under W7 worked fine. Now the problem I have is
that if a directory is set, for example, with the group 'company' and a user has
this group as a primary group, Windows 7 shows a notification saying: "Windows
cannot access ... you do not have permissions to access". However, the
weird thing is that if this user has the group 'company' as a secondary group,
he/she is able to get in.
I would greatly appreciate any help or advice.
Some details:
smb.conf
======
[shared]
    path = /samba/shared
    read only = no
    force create mode = 0770
    force directory mode = 0770
    force group = root
    locking = no
    oplocks = no
    veto oplock files = /*.txt/
    net acl support = yes
ACLS
===
 getfacl Google-analytics/
# file: Google-analytics
# owner: root
# group: root
user::rwx
group::---
group:company:r-x
group:sem:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:sem:rwx
default:mask::rwx
default:other::---
 pdbedit -u mu_jangelltroa
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=COMPANY))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: jangelltroa
init_group_from_ldap: Entry found for group: 1004
init_group_from_ldap: Entry found for group: 1004
init_group_from_ldap: Entry found for group: 513
jangelltroa:1030: john angelltroa
LDAP INFO:  -GROUP -
cn: company
gid: 1004
sambaGroupMapping
sambaGroupType : 2
sambaSID: S-1-2-0      ******* I'm not sure what SID I have to put here. I
tried as well with a Samba SID S-1-5-21-domain-1004 and I got the same problem.
One more question: Is there any problem if that group has the same name as my
workgroup?
I repeat, I only have this problem with Windows 7; with Windows XP it works
great.
acls log:
====
[2011/01/27 16:16:53.079114, 10] smbd/posix_acls.c:2605(canonicalise_acl)
  canonicalise_acl: Default ace entries before arrange :
[2011/01/27 16:16:53.079128, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags =
0x0 perms ---
[2011/01/27 16:16:53.079144, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-2-0 gid 1004 (COMPANY) SMB_ACL_GROUP
ace_flags = 0x0 perms rwx                            <= HERE APPEARS
[2011/01/27 16:16:53.079164, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-3-1 gid 0 (root) SMB_ACL_GROUP_OBJ
ace_flags = 0x0 perms ---
[2011/01/27 16:16:53.079182, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 3. Type = allow SID = S-1-22-1-603 uid 603 (hudson)
SMB_ACL_USER ace_flags = 0x0 perms rwx
[2011/01/27 16:16:53.079201, 10] smbd/posix_acls.c:2618(canonicalise_acl)
  canon_ace index 4. Type = allow SID = S-1-3-0 uid 0 (root) SMB_ACL_USER_OBJ
ace_flags = 0x0 perms rwx
[2011/01/27 16:16:53.079220, 10] smbd/posix_acls.c:841(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-3-0 uid 0 (root) SMB_ACL_USER_OBJ
ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-3-1 gid 0 (root) SMB_ACL_GROUP_OBJ
ace_flags = 0x0 perms ---
  canon_ace index 2. Type = allow SID = S-1-2-0 gid 1004 (COMPANY) SMB_ACL_GROUP
ace_flags = 0x0 perms rwx                             <= HERE APPEARS
  canon_ace index 3. Type = allow SID = S-1-22-1-603 uid 603 (hudson)
SMB_ACL_USER ace_flags = 0x0 perms rwx
  canon_ace index 4. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags =
0x0 perms ---
[2011/01/27 16:16:53.079279, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2011/01/27 16:16:53.079293, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2011/01/27 16:16:53.079307, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079320, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079333, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079354, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2011/01/27 16:16:53.079368, 10] smbd/posix_acls.c:1117(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
Thank you so much for your patience! :)
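An added example, not part of the original post: a parser for the `canon_ace` entries of a level-10 smbd log like the one above. It rejoins the mail-wrapped lines and flags named-group ACEs that carry a well-known SID, such as S-1-2-0 (Local) on gid 1004 here. The sample lines are copied from the log above; the function names and the SID table are this example's own.

```python
import re

# Well-known SIDs (fixed Windows values, not specific to this thread).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner",
    "S-1-3-1": "Creator Group",
}

# Sample copied from the log above, including the mail line wrapping.
SAMPLE = """\
[2011/01/27 16:16:53.079220, 10] smbd/posix_acls.c:841(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-3-0 uid 0 (root) SMB_ACL_USER_OBJ
ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-3-1 gid 0 (root) SMB_ACL_GROUP_OBJ
ace_flags = 0x0 perms ---
  canon_ace index 2. Type = allow SID = S-1-2-0 gid 1004 (COMPANY) SMB_ACL_GROUP
ace_flags = 0x0 perms rwx                             <= HERE APPEARS
  canon_ace index 3. Type = allow SID = S-1-22-1-603 uid 603 (hudson)
SMB_ACL_USER ace_flags = 0x0 perms rwx
  canon_ace index 4. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags =
0x0 perms ---
"""

ACE_RE = re.compile(
    r"canon_ace index (?P<index>\d+)\. Type = (?P<type>\w+) SID = (?P<sid>S-[\d-]+) "
    r"(?:(?P<kind>uid|gid) (?P<id>\d+) \((?P<name>[^)]*)\)|other) "
    r"(?P<tag>SMB_ACL_\w+) ace_flags = (?P<flags>0x[0-9a-fA-F]+) perms (?P<perms>[rwx-]{3})"
)

def parse_canon_aces(log_text):
    """Return one dict per canon_ace entry, rejoining wrapped lines first."""
    # Collapsing all whitespace undoes the wrapping; entries are then found by pattern.
    flat = " ".join(log_text.split())
    return [m.groupdict() for m in ACE_RE.finditer(flat)]

def suspicious_group_aces(aces):
    """Named-group ACEs whose SID is a well-known SID, not a group's own SID."""
    return [a for a in aces
            if a["tag"] == "SMB_ACL_GROUP" and a["sid"] in WELL_KNOWN]

if __name__ == "__main__":
    for ace in suspicious_group_aces(parse_canon_aces(SAMPLE)):
        print(f'gid {ace["id"]} ({ace["name"]}) is mapped to {ace["sid"]} '
              f'({WELL_KNOWN[ace["sid"]]}) with perms {ace["perms"]}')
```

The `SMB_ACL_GROUP_OBJ` and `SMB_ACL_USER_OBJ` entries are left unflagged because the Creator Group and Creator Owner SIDs are what this log shows for the owner entries of a default ACL.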
sisu .
2011-Feb-01  13:15 UTC
[Samba] ACLs under windows 7 - you do not have permissions to access
Hi all again,
Finally I found the source of my problem: I had set the "force group = root"
parameter on my shares. It was really useful for me, since whenever a user
created a file it forced the group root as a primary root, and then as I had
the default ACLs (for secondary group), for example:
#ll
drwxrwx---+ 2 user root 6 Feb 1 11:04 test_file
default:group:tech:r-x
thus only the members of this secondary group (tech) were able to interact
with that file, due to the default ACL I had on this directory.
Currently the problem that I have is that all the users are in the same group
'company', so as I can't force the group as root the default group will be
'company', which implies everybody will have access to this file.
drwxrwx---+ 2 user company 6 Feb 1 11:14 test_file2
Any suggestion?
Thanks again for your support!