Thorsten Leiser
2004-May-25 17:48 UTC
[Samba] Problem with invisible folders by using posix ACLs & the hide unreadable parameter (Samba-3.0.4/Linux)
Hi,

we've got a bad problem with our s.3.0.4 file server. The server is configured as a domain member server and is running in security=ADS mode. We use the hide unreadable parameter in conjunction with posix ACLs to ensure that our users only see those folders for which they have been authorized. With s.2.2.8a everything worked fine.

Yesterday we migrated to s.3.0.4 and now have the following problem: When a user connects to a share by using either the NetBIOS or DNS name of the samba server, the posix ACLs on the directory(ies) aren't interpreted correctly. A user who normally has the necessary rights to access the directories doesn't see them. The directory(ies) stay invisible. Enabling or disabling NetBIOS on the Win2k/XP clients didn't help.

The only workaround is to connect to the share by using the IP address of the samba server instead of the server name. Then the appearance of the folders matches exactly what it was under s.2.2.8a.

As far as I could examine (I'm not sure), it seems that only user ACLs set on the directories get badly interpreted. If a user is a member of the domain group which has positive ACLs on the directory, he's able to see and access the directory. Sorry, but the logs didn't help to isolate the problem.

Our system is a SuSE Linux Standard Server (UnitedLinux 1.0/Kernel 2.4.21-138) running s.3.0.4 built from the s.3.0.4-6 source rpm provided by sernet. The filesystem for the user data is XFS.

For now, I attach the global section and the definition of an affected share.

Thank you all for your effort!
[global]
    unix charset = ISO8859-15
    display charset = ISO8859-15
    workgroup = SCHARRNET
    realm = SCHARRNET.DE
    server string =
    security = ADS
    password server = maire.scharrnet.de, maitre.scharrnet.de
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    os level = 2
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /data/home/%U
    winbind separator = +
    strict locking = No

[Rechnungswesen]
    comment = Abteilungslaufwerk Rechnungswesen auf %L
    path = /data/abt/Rechnungswesen
    valid users = 'SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung', 'SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling', SCHARRNET+Administrator
    read only = No
    create mask = 0660
    directory mask = 0770
    hide unreadable = Yes
    browseable = No
    volume = DATA
    dos filetimes = Yes
    dos filetime resolution = Yes
    fake directory create times = Yes

Thorsten Leiser
2004-May-26 21:18 UTC
[Samba] Problem with invisible folders by using posix ACLs & the hide unreadable parameter (Samba-3.0.4/Linux)
Hi,

today I continued to examine the problem described before.

> When a user connects a share by using either the NetBIOS- or DNS-Name of the samba server, the posix acls on the directory(ies) aren't interpreted correctly. A
> user, who normally has necessary rights to access the directories doesn't see them. The directory(ies) keep invisible.

This error seems to affect only Win2k/XP clients which run as domain member computers. Here are the logs I took from smbd (loglevel 2) when I connected to the share:

[2004/05/26 19:25:43, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.239.43 bcast=192.168.239.255 nmask=255.255.255.0
[2004/05/26 19:26:37, 1] smbd/service.c:close_cnum(801)
  garcon08 (192.168.239.57) closed connection to service Rechnungswesen
[2004/05/26 19:27:14, 1] smbd/service.c:make_connection_snum(619)
  garcon08 (192.168.239.57) connect to service Rechnungswesen initially as user SCHARRNET+m001u083 (uid=10206, gid=10000) (pid 19586)
[2004/05/26 19:27:15, 1] smbd/service.c:make_connection_snum(619)
  garcon08 (192.168.239.57) connect to service Rechnungswesen initially as user SCHARRNET+m001u083 (uid=10206, gid=10000) (pid 19586)
[2004/05/26 19:27:15, 1] smbd/service.c:close_cnum(801)
  garcon08 (192.168.239.57) closed connection to service Rechnungswesen
[2004/05/26 19:27:15, 1] smbd/service.c:make_connection_snum(619)
  garcon08 (192.168.239.57) connect to service Rechnungswesen initially as user SCHARRNET+m001u083 (uid=10206, gid=10000) (pid 19586)
[2004/05/26 19:27:26, 1] smbd/service.c:close_cnum(801)
  garcon08 (192.168.239.57) closed connection to service Rechnungswesen
[2004/05/26 19:28:08, 1] smbd/service.c:close_cnum(801)
  garcon08 (192.168.239.57) closed connection to service Rechnungswesen

> The only workaround is to connect the share, by using the ip address of the samba server instead of the server name. Then the appearance of the folders match
> exactly as they did under s.2.2.8a.

These are the logs I took from smbd (loglevel 2):

[2004/05/26 19:28:49, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [m001u083] -> [m001u083] -> [SCHARRNET+m001u083] succeeded
[2004/05/26 19:28:49, 1] smbd/service.c:make_connection_snum(619)
  garcon08 (192.168.239.57) connect to service Rechnungswesen initially as user SCHARRNET+m001u083 (uid=10206, gid=10000) (pid 26004)
[2004/05/26 19:28:49, 1] smbd/service.c:make_connection_snum(619)
  garcon08 (192.168.239.57) connect to service Rechnungswesen initially as user SCHARRNET+m001u083 (uid=10206, gid=10000) (pid 26004)
[2004/05/26 19:28:49, 1] smbd/service.c:make_connection_snum(619)
  garcon08 (192.168.239.57) connect to service Rechnungswesen initially as user SCHARRNET+m001u083 (uid=10206, gid=10000) (pid 26004)
[2004/05/26 19:28:49, 1] smbd/service.c:close_cnum(801)
  garcon08 (192.168.239.57) closed connection to service Rechnungswesen
[2004/05/26 19:29:00, 1] smbd/service.c:close_cnum(801)
  garcon08 (192.168.239.57) closed connection to service Rechnungswesen

I get the same logs if a "non" Domain-Member Computer connects to this share by using the hostname of the samba server. In both cases everything works fine.

If someone has an idea what the cause of the problem is, I would be overjoyed.

Regards
Thorsten
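
An added example (not part of the original posts and not Samba code): hide unreadable depends on whether the connected user can read each entry, and with POSIX ACLs that is decided in a fixed order: owner, named user, groups, other. The sketch below applies that order to getfacl-style text with numeric ids; the ACL itself is constructed, uid 10206 and gid 10000 are taken from the smbd log above, and gid 10050 is a made-up group.

```python
# Added example: decide read access from getfacl-style text (numeric ids).
SAMPLE_ACL = """\
# owner: 0
# group: 0
user::rwx
user:10206:r-x
group::---
group:10050:r-x
mask::r-x
other::---
"""  # constructed ACL; 10206/10000 come from the log, 10050 is hypothetical

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "entries": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            line = line.split("#", 1)[0].strip()  # drop "#effective:" notes
            tag, rest = line.split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            acl["entries"].append((tag, qualifier, perms[:3]))
    return acl

def can_read(acl, uid, gids):
    """Return (allowed, deciding_entry) following the POSIX ACL check order."""
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    if uid == acl["owner"]:  # 1. owner: user:: entry, never masked
        perms = next(p for t, q, p in entries if t == "user" and q == "")
        return "r" in perms, "user::"
    for t, q, p in entries:  # 2. named user entry, limited by the mask
        if t == "user" and q == uid:
            return "r" in p and "r" in mask, f"user:{q}"
    matched = False
    for t, q, p in entries:  # 3. owning group and named groups, masked
        if t == "group" and (q or acl["group"]) in gids:
            matched = True
            if "r" in p and "r" in mask:
                return True, f"group:{q}"
    if matched:  # a group matched but none grants read: "other" is not used
        return False, "group"
    perms = next(p for t, q, p in entries if t == "other")
    return "r" in perms, "other::"

ACL = parse_getfacl(SAMPLE_ACL)
print(can_read(ACL, "10206", {"10000"}))  # the named user entry decides
```

The second value names the entry that decided the result, which shows whether a directory is visible through a user entry or only through a group entry.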