From: Felix Joussein <felix.joussein at gmx.at>
Date: Mon, 16 May 2011 13:42:44 +0200
> I've observed the following misbehaviour, while playing around with nc
> acl's. (see relevant configuration below):
>
> Working with Windows XP:
>
> Open acl enabled share
> Set default share permissions by right click on the explorer's top left
> clip control -> properties.
> Under security I remove the CREATOR-OWNER and CREATORUSER Group, as I
> already know, that these two default groups cause trouble while saving
> acl's and result in a Windows Error Message "Invalid Parameter". Also I
> set some default security settings for users and groups according to
> my needs and I apply it to This Folder, and any sub folder or file.
>
> After applying to all new settings, I create a folder.
> As expected my default share security settings have been inherited to
> the new folder.
> I add an additional user to the acl and take care, that the inheritance
> is also "Folder, sub folder and file".
>
> I create a new sub folder to this one and check the acl.
> Here is the unwanted behavior: The new sub folder got user permissions
> from its parent folder, but unlike the default share permissions which
> have been inherited, the additional user's permissions have not been
> inherited but have been copied. When I set the option "Inherit
> permissions to sub elements as far as applicable", and apply, then a new
> acl entry is created with the same user but this time inherited. Now I
> can delete the copied settings, and apply to everything.
>
> I hope, these explanations were clear enough.
>
> Here now the configuration:
>
> Version: 3.5.8~dfsg-1ubuntu2.1
> smb.conf:
> [acl]
> comment = ACL Labor
> path = /home/acllabor
> vfs objects = acl_xattr
> read only = no
> browsable = yes
> valid users = me,you
> acl map full control = false
> inherit acls = yes
> map acl inherit = yes
> map read only = Permissions
> map archive = no
> map hidden = no
> map system = no
> nt acl support = yes
> acl group control = true
> dos filemode = yes
> enable privileges = yes
> store dos attributes = yes
>
> mount options:
> /dev/mapper/system-user on /home type ext4
> (rw,errors=remount-ro,acl,user_xattr,)
AFAIK, "map acl inherit = yes" does not work well:
https://bugzilla.samba.org/show_bug.cgi?id=6841
Also acl_xattr will not work as you expected, because even if you
enable acl_xattr, POSIX ACL semantics is still used in actual access
control and inheriting ACLs.
P.S.
"map read only" parameter is always ignored when "store dos attributes
= yes".
---
TAKAHASHI Motonobu <monyo at samba.gr.jp>