Thorsten Leiser
2004-Aug-23 11:54 UTC
[Samba] incorrect behavior: hide unreadable option in conjunction with user ACLs
Hi guys,

we are using samba 3.0.4 as domain member server (security=ADS) in our Active Directory Domain. In order not to compromise social peace, we use POSIX ACLs in conjunction with the hide unreadable option to hide folders/files from users.

I'll show you an example to explain the problem:

I'm the user "SCHARRNET+M006U122" (SCHARRNET=domain suffix). I'm connecting to a share (in our example Rechnungswesen) which contains 2 folders: Buchhaltung and Controlling.

Here are the ACLs of these two folders:

    # file: Controlling
    # owner: root
    # group: SCHARRNET+Dom?nen-Benutzer
    user::rwx
    user:SCHARRNET+Administrator:rwx
    group::---
    group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:SCHARRNET+Administrator:rwx
    default:group::---
    default:group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
    default:mask::rwx
    default:other::---

    # file: Buchhaltung
    # owner: root
    # group: SCHARRNET+Dom?nen-Benutzer
    user::rwx
    user:SCHARRNET+Administrator:rwx
    user:SCHARRNET+m006u122:rwx
    group::---
    group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:user:SCHARRNET+Administrator:rwx
    default:user:SCHARRNET+m006u122:rwx
    default:group::---
    default:group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
    default:mask::rwx
    default:other::---

Because I'm a member of the group "SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling" I can see the folder Controlling. But I can't see the folder Buchhaltung although I have an entry in the ACL of this folder. If I disable hide unreadable, I can see and access the folder. Only domain member PCs are affected by this problem.

We've designed some workarounds to this problem:

1. Downgrade the domain membership from security=ADS to security=DOMAIN, then the ACLs work perfectly with the hide unreadable option.
2. Use the IP address of the samba server instead of the hostname to connect from a domain member PC to the share (\\192.168.239.143\Rechnungswesen).

Here is some information about our samba server:

OS: SuSE Linux Standard Server 8 (based on SLES8) / Kernel 2.4.21-138
Version samba: 3.0.4 (3.0.6 is affected too, we tested it)
Filesystem for data storage: XFS

smb.conf:

    [global]
        unix charset = ISO8859-15
        display charset = ISO8859-15
        workgroup = SCHARRNET
        realm = SCHARRNET.DE
        server string
        security = ADS
        password server = maire.scharrnet.de, maitre.scharrnet.de
        log level = 2
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        os level = 2
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /data/home/%U
        winbind separator = +

    [Rechnungswesen]
        comment = Abteilungslaufwerk Rechnungswesen auf %L
        path = /data/abt/Rechnungswesen
        read only = No
        create mask = 0660
        directory mask = 0770
        hide unreadable = Yes
        browseable = No
        volume = DATA
        dos filetimes = Yes
        dos filetime resolution = Yes
        fake directory create times = Yes

This seems to be a real bug, doesn't it?

Regards
Thorsten

--
Thorsten Leiser
IT-Systembetreuung
FRIEDRICH SCHARR KG
Liebknechtstrasse 50
70565 Stuttgart-Vaihingen
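The outcome the post expects for these two folders, worked through as an added example (not part of the original message and not Samba's code): the standard POSIX ACL check order applied to the access entries listed above, with the default entries left out. Account names stand in for the numeric ids the kernel compares, and `parse_acl` and `can_access` are hypothetical helper names.

```python
# Names stand in for the numeric uids/gids the kernel actually compares.
CONTROLLING = """# owner: root
# group: SCHARRNET+Dom?nen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
mask::rwx
other::---"""
# Buchhaltung differs by its named group and the extra named-user entry.
BUCHHALTUNG = CONTROLLING.replace("_Controlling", "_Buchhaltung").replace(
    "group::---", "user:SCHARRNET+m006u122:rwx\ngroup::---")

def parse_acl(text):
    """Return (owner, owning group, access entries) from getfacl text."""
    owner = group = None
    entries = []                      # (tag, qualifier, perms)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, rest = line.split(":", 1)
            entries.append((tag, *rest.rsplit(":", 1)))
    return owner, group, entries

def can_access(text, user, groups, want="r"):
    """POSIX.1e check order: owner, named user, groups, other."""
    owner, group, entries = parse_acl(text)
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    find = lambda tag, qual: [p for t, q, p in entries if (t, q) == (tag, qual)]
    ok = lambda perms, m="rwx": set(want) <= set(perms) & set(m)
    if user == owner:                 # owner entry, not masked
        return ok(find("user", "")[0])
    if find("user", user):            # named user entry, limited by mask
        return ok(find("user", user)[0], mask)
    hits = [p for t, q, p in entries if t == "group"
            and (q in groups or (q == "" and group in groups))]
    if hits:                          # any matching group entry may grant
        return any(ok(p, mask) for p in hits)
    return ok(find("other", "")[0])   # other entry, not masked

USER = "SCHARRNET+m006u122"           # spelled as in the ACL entry
GROUPS = {"SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling"}
if __name__ == "__main__":
    for name, acl in (("Controlling", CONTROLLING), ("Buchhaltung", BUCHHALTUNG)):
        print(name, "visible" if can_access(acl, USER, GROUPS) else "hidden")
```

Both folders come out readable for this user, Buchhaltung through the named-user entry alone, which is the behaviour the post reports seeing only when hide unreadable is disabled.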