samba - Nov 2002 - ACLs with samba

Hi-
I am experiencing some odd behavior with ACLs with winbindd using Samba 2.6
on Debian Woody (kernel version 2.4.18).
1.  I am unable to alter permissions from Win2K clients using the
Properties->Security interface.  Is this normal?  I get the "Unable to
save
Permission Changes on new Folder.  Access is denied."  message.  This
occurs
with all accounts, both privileged and unprivileged.


2.  Permissions set using
setfacl -m u:DOMAIN\USER:rwx
alter the permissions just fine, but do not show up in the
Properties->Security interface.
If I run
chmod DOMAIN\USER.DOMAIN\USER
it shows up.

The permissions show up correctly if a file or directory is created on the
share from a Win client, but cannot be modified once created, and the ACL
info is not seen.

Is this behavior normal, or am I doing something wrong?

Here is the relevant section of smb.conf:
[SHARE]
   comment = Blah blah
   path = /usr/tmp/share
  valid users = @DOMAIN\Group1 @DOMAIN\Group2
   public = no
   writable = yes
   printable = no
   create mask = 0770
   directory mode = 0770
   force create mode = 0770
   force directory mode = 0770

Here is the output from
getfacl /usr/tmp/share
getfacl: Removing leading '/' from absolute path names
# file: usr/tmp/BUR
# owner: mpgmover
# group: mpgmover
user::rwx
group::rwx
group:DOMAIN\Group1:rwx
group:DOMAIN\Group2:rwx
mask::rwx
other::---

Any input would be appreciated.
Thanks
Tom Hallewell
Radio Free Asia
Washington DC

On Thu, 21 Nov 2002 16:07:08 -0500
"Tom Hallewell" <hallewellt@rfa.org> wrote:
> 1.  I am unable to alter permissions from Win2K clients using the
> Properties->Security interface.  Is this normal?  I get the "Unable
to
> save Permission Changes on new Folder.  Access is denied."  message. 
> This occurs with all accounts, both privileged and unprivileged.
Are you sure you compiled Samba with ACL support?
`ldd /path-to-your/smbd` should show "libacl.so.1" in it's list.

Even when giving the option "--with-acl" it's possible it
didn't compile
with ACL support due to the perhaps not installed dev-package
"acl-dev"
(which is available as DEB-package).

So long,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
                       <Cpt. Picard, "The Drumhead", StarTrek
TNG>

http://homex.subnet.at/~max/

Hi,

What filesystem are you using? Like ReiserFS doesn't support ACL's but 
ext3 and XFS does.
And is your PDC a win??? or is it a samba PDC?

I have a win2k PDC and samba fileserver and I use Winbind to 
authenticate. I can change
the permissions for files and folders in the PDC or on my desktop. I 
didn't use any force
create modes.

Mikko Rautiainen

Tom Hallewell wrote:
>Hi-
>I am experiencing some odd behavior with ACLs with winbindd using Samba 2.6
>on Debian Woody (kernel version 2.4.18).
>1.  I am unable to alter permissions from Win2K clients using the
>Properties->Security interface.  Is this normal?  I get the "Unable
to save
>Permission Changes on new Folder.  Access is denied."  message.  This
occurs
>with all accounts, both privileged and unprivileged.
>
>
>2.  Permissions set using
>setfacl -m u:DOMAIN\USER:rwx
>alter the permissions just fine, but do not show up in the
>Properties->Security interface.
>If I run
>chmod DOMAIN\USER.DOMAIN\USER
>it shows up.
>
>The permissions show up correctly if a file or directory is created on the
>share from a Win client, but cannot be modified once created, and the ACL
>info is not seen.
>
>Is this behavior normal, or am I doing something wrong?
>
>Here is the relevant section of smb.conf:
>[SHARE]
>   comment = Blah blah
>   path = /usr/tmp/share
>  valid users = @DOMAIN\Group1 @DOMAIN\Group2
>   public = no
>   writable = yes
>   printable = no
>   create mask = 0770
>   directory mode = 0770
>   force create mode = 0770
>   force directory mode = 0770
>
>Here is the output from
>getfacl /usr/tmp/share
>getfacl: Removing leading '/' from absolute path names
># file: usr/tmp/BUR
># owner: mpgmover
># group: mpgmover
>user::rwx
>group::rwx
>group:DOMAIN\Group1:rwx
>group:DOMAIN\Group2:rwx
>mask::rwx
>other::---
>
>Any input would be appreciated.
>Thanks
>Tom Hallewell
>Radio Free Asia
>Washington DC
>
>
>

Only the owner of a file/directory can alter the permissions through the
Windoze client.  If you want to be able to change everyone's ACLs then
create a special admin share with 'force user = root' and this will
ensure
that, as root, you can do anything to anything (dangerous so make sure you
don't let anyone else near the share!).

Noel

-----Original Message-----
From: Mikko Rautiainen [mailto:mrautia6@welho.com]
Sent: 22 November 2002 08:58
To: hallewellt@rfa.org
Cc: Samba ML
Subject: Re: [Samba] ACLs with samba


Hi,

What filesystem are you using? Like ReiserFS doesn't support ACL's but 
ext3 and XFS does.
And is your PDC a win??? or is it a samba PDC?

I have a win2k PDC and samba fileserver and I use Winbind to 
authenticate. I can change
the permissions for files and folders in the PDC or on my desktop. I 
didn't use any force
create modes.

Mikko Rautiainen

Tom Hallewell wrote:
>Hi-
>I am experiencing some odd behavior with ACLs with winbindd using Samba 2.6
>on Debian Woody (kernel version 2.4.18).
>1.  I am unable to alter permissions from Win2K clients using the
>Properties->Security interface.  Is this normal?  I get the "Unable
to save
>Permission Changes on new Folder.  Access is denied."  message.  This
occurs
>with all accounts, both privileged and unprivileged.
>
>
>2.  Permissions set using
>setfacl -m u:DOMAIN\USER:rwx
>alter the permissions just fine, but do not show up in the
>Properties->Security interface.
>If I run
>chmod DOMAIN\USER.DOMAIN\USER
>it shows up.
>
>The permissions show up correctly if a file or directory is created on the
>share from a Win client, but cannot be modified once created, and the ACL
>info is not seen.
>
>Is this behavior normal, or am I doing something wrong?
>
>Here is the relevant section of smb.conf:
>[SHARE]
>   comment = Blah blah
>   path = /usr/tmp/share
>  valid users = @DOMAIN\Group1 @DOMAIN\Group2
>   public = no
>   writable = yes
>   printable = no
>   create mask = 0770
>   directory mode = 0770
>   force create mode = 0770
>   force directory mode = 0770
>
>Here is the output from
>getfacl /usr/tmp/share
>getfacl: Removing leading '/' from absolute path names
># file: usr/tmp/BUR
># owner: mpgmover
># group: mpgmover
>user::rwx
>group::rwx
>group:DOMAIN\Group1:rwx
>group:DOMAIN\Group2:rwx
>mask::rwx
>other::---
>
>Any input would be appreciated.
>Thanks
>Tom Hallewell
>Radio Free Asia
>Washington DC
>
>
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002

You were right on the --with-acl not being compiled.
The problem now is that once we got acl-dev installed, samba won't compile
at all.  Is there anyone out there using ACLs under Debian Woody and if so,
would you please tell us what versions of the various ACL/ATTR/fileutils
packages you are using?
We have tried with the woody versions of attr/acl (2.0.8) and also rolling
our own packages from the latest greatest at bestbits.
When trying to compile using the woody versions, configure would not detect
the acl binaries, when compiling from the latest bestbits, we got a bunch of
ugly stuff like this:

include/vfs.h:111: parse error before "acl_t"
include/vfs.h:112: parse error before "acl_entry_t"
include/vfs.h:113: parse error before "acl_entry_t"
include/vfs.h:114: parse error before "acl_entry_t"
include/vfs.h:115: warning: no semicolon at end of struct or union
include/vfs.h:116: parse error before '*' token

Any input would be greatly appreciated-we have tried both samba 2.2.6 and
2.2.7 and are running out of ideas...
Tom

>
>
> On Thu, 21 Nov 2002 16:07:08 -0500
> "Tom Hallewell" <hallewellt@rfa.org> wrote:
>
> > 1.  I am unable to alter permissions from Win2K clients using the
> > Properties->Security interface.  Is this normal?  I get the
"Unable to
> > save Permission Changes on new Folder.  Access is denied." 
message.
> > This occurs with all accounts, both privileged and unprivileged.
>
> Are you sure you compiled Samba with ACL support?
> `ldd /path-to-your/smbd` should show "libacl.so.1" in it's
list.
>
> Even when giving the option "--with-acl" it's possible it
didn't compile
> with ACL support due to the perhaps not installed dev-package
"acl-dev"
> (which is available as DEB-package).
>
> So long,
> Max
>
> --
> The first time any man's freedom is trodden on, we're all damaged.
>                        <Cpt. Picard, "The Drumhead", StarTrek
TNG>
>
> http://homex.subnet.at/~max/
>