samba - Apr 2005 - ACL and delete files

Hi,

I have samba-3.0.13 on linux machine compiled with these parameters:

--prefix=/usr/local/samba-3.0.13
--enable-cups
--with-ldap
--with-ldapsam
--with-acl-support
--with-quotas

In smb.conf I defined share :

[POBOX]
     comment = !
     path = /data/disk1/pobox
     guest ok = no
     writable = yes
     directory mask = 0777
     force directory mode = 0000
     directory security mask =  0000
     force directory security mode = 0000
     inherit acls = yes



There is directory Drawings in /data/disk1/pobox.
root@natasha:/data/disk1/pobox# ls -pla
total 20
drwxrwxr-x+ 3 root            root   4096 2005-04-05 13:45 ./
drwxr-xr-x  6 root            root   4096 2005-04-01 11:08 ../
drwxrwxr-x+ 2 sona	      S44010 4096 2005-04-05 13:44 Drawings/

Permission on this directory are defined with acl:
root@natasha:/data/disk1/pobox# getfacl Drawings/
# file: Drawings
# owner: sona
# group: S44010
user::rwx
user:ivan:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ivan:rwx
default:group::r-x
default:mask::rwx
default:other::r-x


Problem:

User ivan connected to this folder from Win XP(SP2) machine.
He can create new file, but he can't delete or rename it.
Win generate err message:

----------------------------------------------------------|
|"Cannot delete New Text Document: Access is denied."     |
|                                                         |
| Make sure the disk is not full or write protected       |
|   and that the file is not currently in use.            |
-----------------------------------------------------------


When I change:
	ownership directory to ivan
or
	group to ivan's group
or
	set permission for other rwx
user ivan can delete (rename) file OK.

It seems that ACL permisions aren't used when samba want to delete or 
rename file. (Directories works OK).

In samba-3.0.10 it's work fine.

Is it a bug or do I any mistake?

Ivan

tir, 05.04.2005 kl. 14.22 skrev Ivan Novosad:
> I have samba-3.0.13 on linux machine compiled with these parameters:
> 
> --prefix=/usr/local/samba-3.0.13
> --enable-cups
> --with-ldap
> --with-ldapsam
> --with-acl-support
> --with-quotas
> 
> In smb.conf I defined share :
> 
> [POBOX]
>      comment = !
>      path = /data/disk1/pobox
>      guest ok = no
>      writable = yes
>      directory mask = 0777
>      force directory mode = 0000
>      directory security mask =  0000
Take this line out, restart/reload smbd. The others are only defaults,
anyway. Check 'man smb.conf' or SWAT's help to see why.

I've found out it's a good thing to start with defaults (i.e. no
parameter set in smb.conf) and then play around with parameters once
things are all working.
>      force directory security mode = 0000
>      inherit acls = yes
[...]

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye@billy.demon.nl
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...

Skipped content of type multipart/mixed-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.samba.org/archive/samba/attachments/20050415/5820dbee/attachment.bin

This sounds like the problem I was having as touched upon in my
thread:

Samba 3.0.13 and deleting files

	I sent JRA a set of log level 10 logs (all 10 MB worth for a
short test, so they wouldn't go through to this list).  Mind you he's a
busy guy and may not have even gotten to them yet.  I'm fairly certain
this bug existed in the original 3.0.14 release as well, but I only
tested it briefly and have no "testbed" box to toss it on.  I was
going
to wait for 3.0.15 or something from Jeremy that said "do this".
	I'll admit that's probably something I neglected to mention in
my original posts - that group permissions say write but the user of the
dir is different from the user creating the files.
> -----Original Message-----
> From: samba-bounces+eric=lib.usf.edu@lists.samba.org 
> [mailto:samba-bounces+eric=lib.usf.edu@lists.samba.org] On 
> Behalf Of Peter Kruse
> Sent: Friday, April 15, 2005 6:15 AM
> To: Jacob Nielsen
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] ACL and delete files
> 
> Hello,
> 
> Jacob Nielsen wrote:
> > Hello list
> > 
> > I have the same problem with my Samba-3.0.13. This problem 
> started after
> > upgrading from 3.0.11.
> > 
> > I have a rather huge fileserver with 300.000+ files, so 
> this is kindda a
> > big issue for me.
> > 
> > Problem is when rename/deleting files, which is basicly not 
> possible.
> > Copying a new file to the same directory is not a problem. Not
> > changeable thou. If you open the file in an editor and save 
> it, it's not
> > a problem either. Very strange.
> 
> Thanks for sharing this.  I can confirm that this problem exists in
> 3.0.13.  There has been a bug report #2521 which was closed although
> there was still one report saying the bug still was there.
> I have several reports of this same behaviour: creating of files work
> but modify/delete doesn't.  Is it true the the directory in question
> does not give write permission to the user account but only the
> group the user belongs to?
> 
> Regards,
> 
> 	Peter
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
>

Hello,

Here's a way to force the error.  Please try it.
To summarize:  Create a file with permission bits set to 470, owned by 
root.  With setfacl give write permission to a group.  Users in that
group will not be able to modify the file when accessing the share
from a windows client.  This is true for smbclient as well.
Modifying the file under Linux works as expected.

Please confirm if you observe the same behaviour.

$ ls -l testi2.txt
-r--rwx---+ 1 root QLEAP+dom??nen-benutzer 14 Apr 15 16:40 testi2.txt
(Note the file belongs to root but has no write permission)
$ getfacl testi2.txt
# file: testi2.txt
# owner: root
# group: QLEAP+dom\303\244nen-benutzer
user::r--
user:QLEAP+testi2:rwx
group::r--
group:QLEAP+testgruppe20:rwx
mask::rwx
other::---
$ id
uid=10032(QLEAP+testi2) gid=10029(QLEAP+dom??nen-benutzer) 
...,10067(QLEAP+testgruppe20),...
$ vi testi2.txt
(can edit the file)
$ smbcacls  -U testi2 //hatest1/admin testgruppe20/testi2.txt
creating lame upcase table
creating lame lowcase table
Password:
REVISION:1
OWNER:HATEST1+root
GROUP:QLEAP+Dom??nen-Benutzer
ACL:HATEST1+root:ALLOWED/0/R
ACL:QLEAP+testgruppe20:ALLOWED/0/FULL
ACL:QLEAP+Dom??nen-Benutzer:ALLOWED/0/R
ACL:QLEAP+testi2:ALLOWED/0/FULL
ACL:+Jeder:ALLOWED/0/
$ smbclient  -U testi2 //hatest1/admin
creating lame upcase table
creating lame lowcase table
Password:
Domain=[QLEAP] OS=[Unix] Server=[Samba 3.0.13-Debian]
smb: \> cd testgruppe20
smb: \testgruppe20\> lcd /etc
smb: \testgruppe20\> put passwd
putting file passwd as \testgruppe20\passwd (1122.9 kb/s) (average 
1123.0 kb/s)
smb: \testgruppe20\> put passwd testi2.txt
NT_STATUS_ACCESS_DENIED opening remote file \testgruppe20\testi2.txt
smb: \testgruppe20\> q
$

With this information I hope it is possible to find the bug.

Thanks,

	Peter