samba - Jul 2004 - ACL propegation problem - any known issues?

We use POSIX ACLs (under ext2fs) with a fairly complicated set of
permissions.  Each folder has default permissions that should cause anything
created under it to also have the correct permissions.

What I'm seeing is occasionally a folder will be created and its default
permissions are not set.  When files are created under this folder, they of
course have the wrong permissions because there are no defaults to inherit.
It doesn't happen every time, and I've had trouble trying to reproduce
it
myself, but I see the results pretty frequently.  I'm not entirely sure if
it happens when the folder is created, or if the permissions are dropped
later when it's modified.

This has been cropping up from time to time ever since we switched from
Samba 2.2.8a to Samba 3.0.2-debian, and I'm wondering if it's a known
bug.
I'm getting tired of having to patch up permissions by hand.  I've set
"inherit acls=yes", but it doesn't seem to have completely solved
the
problem.

---

David Brodbeck, System Administrator
InterClean Equipment, Inc.
3939 Bestech Drive Suite B
Ypsilanti, MI 48197
(734) 975-2967 x221
(734) 975-1646 (fax)

On Fri, Jul 30, 2004 at 12:04:16PM -0400, David Brodbeck
wrote:
> We use POSIX ACLs (under ext2fs) with a fairly complicated set of
> permissions.  Each folder has default permissions that should cause
anything
> created under it to also have the correct permissions.
> 
> What I'm seeing is occasionally a folder will be created and its
default
> permissions are not set.  When files are created under this folder, they of
> course have the wrong permissions because there are no defaults to inherit.
> It doesn't happen every time, and I've had trouble trying to
reproduce it
> myself, but I see the results pretty frequently.  I'm not entirely sure
if
> it happens when the folder is created, or if the permissions are dropped
> later when it's modified.
> 
> This has been cropping up from time to time ever since we switched from
> Samba 2.2.8a to Samba 3.0.2-debian, and I'm wondering if it's a
known bug.
> I'm getting tired of having to patch up permissions by hand.  I've
set
> "inherit acls=yes", but it doesn't seem to have completely
solved the
> problem.
Can you reproduce this ? I'd like to see a reproducible case for it
in order to be able to work on it.

Jeremy.

> -----Original Message-----
> From: Jeremy Allison [mailto:jra@samba.org]
> Can you reproduce this ? I'd like to see a reproducible case for it
> in order to be able to work on it.
Unfortunately I haven't been able to reproduce it intentionally yet. :(  It
keeps happening at random intervals but I haven't figured out why.  It seems
to only affect a few individuals.

If I figure out a way to reproduce it, I'll let you know.  This was kind of
an initial fishing expedition to see if anyone else was seeing the same kind
of problem.  Apparently I'm the only one seeing it.  I may try either
upgrading to a newer Samba or going back to 2.2.8a to see if that resolves
it; I'm getting tired of fixing up a random set of permissions by hand every
morning.

I'm still being frustrated on this one.  I can't seem to come up with a
way
to reproduce it.  But I've got some more details, now.  The default ACL
appears to be being created properly at first, then removed later.

For example, I have this folder:

# file: WasteManagement
# owner: INTERCLEAN+Susan
# group: INTERCLEAN+CAD Users
user::rwx
user:mirror:r-x
user:INTERCLEAN+Michael:r-x
group::---
group:INTERCLEAN+CAD\040Users:rwx
group:INTERCLEAN+Domain\040Admins:rwx
group:INTERCLEAN+Engineering:r-x
group:INTERCLEAN+Project:rwx
group:INTERCLEAN+Purchasing:rwx
group:INTERCLEAN+Sales:r-x
mask::rwx
other::---
default:user::rwx
default:user:mirror:r-x
default:user:INTERCLEAN+Michael:r-x
default:group::---
default:group:INTERCLEAN+CAD\040Users:rwx
default:group:INTERCLEAN+Domain\040Admins:rwx
default:group:INTERCLEAN+Engineering:r-x
default:group:INTERCLEAN+Project:rwx
default:group:INTERCLEAN+Purchasing:rwx
default:group:INTERCLEAN+Sales:r-x
default:mask::rwx
default:other::---

And this folder under it.  Notice how the default ACL is missing:

# file: Riser diagrams
# owner: INTERCLEAN+Kenneth
# group: INTERCLEAN+CAD Users
user::rwx
user:mirror:r-x
user:INTERCLEAN+Michael:r-x
group::---
group:INTERCLEAN+CAD\040Users:rwx
group:INTERCLEAN+Domain\040Admins:rwx
group:INTERCLEAN+Engineering:r-x
group:INTERCLEAN+Project:rwx
group:INTERCLEAN+Purchasing:rwx
group:INTERCLEAN+Sales:r-x
mask::rwx
other::---

Now, here's the interesting part.  Some of the files in that folder were
created August 4, and some were created August 9.  The ones created August 4
have the proper ACL, which means the default ACL *had to exist* at that
point.  The ones created August 9 have only the POSIX ACLs.

The other interesting thing is that between August 4 and August 9, Kenneth
switched workstations.  Both workstations were running Windows NT 4.0 SP6; I
don't know if they both had the same hotfixes installed, though, and the old
one has since been reformatted.

Relevent details:
Kernel 2.4.25, libacl1 version 2.2.23-1 (Debian), acl version 2.0.8-1
(Debian), Samba 3.0.2-2 (Debian).  "inherit_acls" is set to yes.