Oliver Schade
2004-Feb-18 11:03 UTC
[Samba] [3.0.2] Trouble using ACLs: wrong file permissions after write/create
Hi everybody,

I have a problem with Samba 3.0.2 using POSIX ACLs for shares. Files written from an ACL group/user will get wrong permissions and are unchangeable for other users.

First the important information about the configuration and the setup:

a) Base system: Debian 3.0.1 with all updates

b) Samba: Self-compiled binary within /opt/samba-3.0.2, used the following flags:

    server:/usr/local/src/samba-3.0.2# ./configure \
        --enable-cups --with-ldap --with-automount \
        --with-smbmount --with-pam --with-syslog \
        --with-sys-quotas --with-acl-support \
        --prefix=/opt/samba-3.0.2

The resulting smbd binary reports using -b:

    :
    :
    --with Options:
       WITH_AUTOMOUNT
       WITH_PAM
       WITH_QUOTAS
       WITH_SENDFILE
       WITH_SMBMOUNT
       WITH_SYSLOG
       WITH_UTMP
       WITH_WINBIND

and

    server:/opt/samba-3.0.2/sbin# ./smbd -b | grep ACL
       HAVE_SYS_ACL_H
       HAVE_POSIX_ACLS

c) Configuration file: /opt/samba-3.0.2/lib/smb.conf

    [global]
        workgroup = MYCOMPANY
        interfaces = eth0
        os level = 65
        preferred master = No
        domain master = No
        security = user
        encrypt passwords = Yes
        loglevel = 1
        nt acl support = Yes
        veto files = lost+found/
        wins server = 192.168.100.1
        unix charset = ISO8859-15
        display charset = utf8
        unicode = Yes
        printing = cups
        printcap name = /etc/printcap.cups
        dos charset = 850
        oplocks = False
        level2 oplocks = False
        kernel oplocks = False
        inherit permissions = Yes
        getwd cache = Yes
        show add printer wizard = No

    [Customers]
        comment = All customer files
        path = /mnt/mycompany/Customers
        read only = No
        create mask = 660
        directory mask = 770
        force create mode = 660
        force directory mode = 770

Note: there is a WINS server in a different subnet, therefore this server is not the master server. Oplocks are deactivated because we have had some trouble with our VPN connection. Users are authenticated locally against a smbpasswd file which shall be migrated to an LDAP directory later.

d) /mnt/mycompany/Customers has been configured as LVM partition and mounted with ACL support:

    server:~/ mount | grep Customers
    /dev/RAID5/Kunden on /mnt/mycompany/Customers type \
        ext3 (rw,acl,user_xattr)

e) /mnt/mycompany/Customers has the following user/group structure:

    server:/mnt/mycompany # ls -la Customers
    drwxrws---   14 tprinz   bln-all   4096 Feb 12 13:50 .

All local users are members of the group bln-all. Sticky-group bit is set, so new files are automatically also set to bln-all. Owner and group may write and read and enter directories.

There is an additional group for some remote users coming from another office over a VPN connection. The group is called han-eink, access rights are configured using POSIX ACLs:

    server:/mnt/mycompany/Customers# getfacl .
    # file: .
    # owner: tprinz
    # group: bln-all
    user::rwx
    group::rwx
    group:han-eink:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:han-eink:rwx
    default:mask::rwx
    default:other::---

So the group han-eink should also write and read all files and enter directories.

Now the problem: whenever someone from the ACL group han-eink creates a file within the Customers share, the permissions are wrong: instead of

    -rw-rw----

(as configured with create mask in smb.conf) the files get

    -r--rwx---

These files can only be opened read-only by my local users, but they cannot write to them. After manually chmod-ing the rights, everything works fine. As Excel and Word always create new files, I really have a problem.

This error (or mis-configuration :-) is reproducible in Samba 3.0.1 and 3.0.2. And I am somewhat stuck - I do not see my (or Samba's) error.

Any hints are really welcome.

Thanks,
Oliver

--
pro|business Berlin AG        oschade@probusiness.de
Potsdamer Platz 11            http://www.probusiness.de/
10785 Berlin                  Tel: +49 030 259 378-0
Germany                       Fax: +49 030 259 378-22
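Added example, not part of the original post and not Samba code: a small evaluator that applies the POSIX ACL access-check order (owner, named user, groups limited by the mask, other) to the getfacl output quoted in the message, and shows which triplet ls prints for the group position. The user name "alice" and the group membership lists are constructed for illustration.

```python
# Added illustration, not from the original post. GETFACL is the ACL quoted
# in the message; user "alice" and the group lists are constructed.
GETFACL = """\
# file: .
# owner: tprinz
# group: bln-all
user::rwx
group::rwx
group:han-eink:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:han-eink:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            kind = "default" if line.startswith("default:") else "access"
            body = line[8:] if kind == "default" else line
            tag, qual, perms = body.split(":")[:3]
            acl[kind].append((tag, qual, perms[:3]))  # drop "#effective" notes
    return acl

def _find(acl, tag, qual=""):
    return next((p for t, q, p in acl["access"] if (t, q) == (tag, qual)), None)

def effective(acl, user, groups):
    mask = _find(acl, "mask")
    masked = lambda p: p if mask is None else "".join(
        c if c == m else "-" for c, m in zip(p, mask))
    if user == acl["owner"]:                  # owner entry is never masked
        return _find(acl, "user")
    if _find(acl, "user", user) is not None:  # named user entry, masked
        return masked(_find(acl, "user", user))
    hits = [p for t, q, p in acl["access"] if t == "group"
            and (q in groups or (q == "" and acl["group"] in groups))]
    if hits:  # per-bit union of the matching group entries, then the mask
        return masked("".join(c if any(p[i] == c for p in hits) else "-"
                              for i, c in enumerate("rwx")))
    return _find(acl, "other")

def ls_mode(acl):
    # With an extended ACL, the middle triplet shown by ls is the mask.
    return (_find(acl, "user") + (_find(acl, "mask") or _find(acl, "group"))
            + _find(acl, "other"))
```

Running getfacl on one of the affected files and feeding the output to parse_getfacl shows which entry a given local user actually matches, which a bare ls mode string cannot tell you once an ACL is present.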