samba - Apr 2003 - ACLs and Windows 2000 look alike (inheritance of perm issions)

It might help if you view the default directory ACLs using the getfacl
utility.  These are what will be inherited by stuff created in the lower
directories.

I would ask yourself if you actually need ACLs at all.  The Samba share
permissions are pretty thorough and life is far easier without ACLs as you
can clearly see what permissions are in use and backups are not an issue.
ACLs can quickly become out of control and difficult to manage/backup.  If
you do have a definite requirements for ACLs then I would consider
restricting their use to only those shares which require them.

HTH
Noel



-----Original Message-----
From: Tom Dickson [mailto:tdickson@inostor.com]
Sent: Friday, April 25, 2003 9:46 PM
To: samba mailing list
Subject: RE: [Samba] ACLs and Windows 2000 look alike (inheritance of
permissions)


Now I'm confused. What exactly does the inherit ACLs parameter do? From
simple tests, it seems to work the same with or with out it. Is there some
cases where it would be different? Does it depend on who is making the
directory? What I see is the same result with getfacl with or without this
setting. (Though now it seems to work correctly, but the last time I checked
it it didn't - does it depend on what settings you give the parent?)

ACLs confuse me, so any help is appreciated.

Thank you.

Tom
> Date: Thu, 24 Apr 2003 10:41:39 -0700
> From: "Tom Dickson" <tdickson@inostor.com>
> To: "samba mailing list" <samba@lists.samba.org>
> Subject: [Samba] ACLs and Windows 2000 look alike (inheritance of
permissions)
> Message-ID: <JPECIMBMOFCBKIOOKHIOOEMJCAAA.tdickson@inostor.com>
> Content-Type: text/plain;
> 	charset="iso-8859-1"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Precedence: list
> Message: 35
>
> I've gotten samba working with ACLs over an XFS filesystem. Everything
works
> pretty well with knowledge of the workarounds (cannot remove group
everyone,
> etc.)
>
> The only major problem I have is that ACLs don't inherit correctly. The
> default in Windows 2000 is to have a sub folder inherit the permissions of
> the folder it is in on creation. By default, the Samba share's folders
don't
> do this. Is there any way to make samba by default copy all the ACLs
when A
> folder is created? It does it if you manually check the "Allow
inheritable
> permissions from parent to propagate to this object" box on the
Security
> page of properties.
>
> If there is no way to do this in Samba (I'm using 2.2.5), can it be
done
> with cacls.exe or some other item?
>
- From the man page for smb.conf (search for inherit with /inherit)

"inherit  acls  (S)  This parameter can be used to ensure that if
default acls exist on parent directories, they are  always  hon-
ored  when  creating a subdirectory.  The default behavior is to
use the mode specified when  creating  the  directory.  Enabling
this  option  sets  the  mode  to  0777,  thus guaranteeing that
default directory acls are propagated.

Default: inherit acls = no"

Note the (S) means this is a per-share option.

Regards,
Buchan

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba