grantb @ WebDS
2005-Apr-18 23:04 UTC
[Samba] Folder Redirection broken if access is from ACL only
I have an issue with W2K/XP using Folder Redirection to a Samba homes share (or any share for that matter). This is only a problem when access for a user is via an ACE (ACL) and not the traditional file system permissions. So for example (user is cath in this example): [root@gandalf users]# ll -d cath drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath [root@gandalf users]# getfacl cath # file: cath # owner: root # group: root user::rwx user:cath:rwx group::--- mask::rwx other::--- default:user::rwx default:user:cath:rwx default:group::--- default:mask::rwx default:other::--- I have also tried this using the "profile acls = yes" option, but with no success (works fine for roaming profiles tho, as it was designed to do). It seems that Windows may be trying to set ACLs on index.dat which fails when access is via ACLs only. Here's an indication of this from the smbd log: [2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436) set_canon_ace_list: sys_acl_set_file failed for file k-drive/History/History.IE5/MSHist012005041220050413/index.dat (Operation not permitted). [2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270) DBR05A+cath closed file k-drive/History/History.IE5/MSHist012005041220050413/i ndex.dat (numopen=3) Any help would be appreciated. I expect that this may be an Samba issue that might need to be looked at by the samba-technical gods. Jeremy did ask for additional diagnostic detail, which I sent. However he's probably been side tracked by something more important. Cheers, Grant
grantb @ WebDS
2005-Apr-20 03:23 UTC
[Samba] Re: Folder Redirection broken if access is from ACL only
Some additional info on this that might help: The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6 Kernels), and Samba-3.0.11 on ext3 file systems mounted with user_xattr,acl options. This is not an ACL problem as such. Access to shares and the data within is fine using ACLs. This is a particular problem only with folder redirection onto a Samba share, where that access is controlled (either at the root of the share or on any subdirectory in which you store redirected folders) via ACLs only. I've tested this using the "profile acls = yes" option also, as I suspected windows may have being attempting similar access checks that made this necessary for roaming profiles on Samba shares, but the problem was still present. It's easy to re-create. 1. Setup a test share 2. Setup permissions of the share directory: chown -R test_user test_dir; 3. Setup your Windows image to redirect folders to your test share (I wont go into details on how to do this on the assumption you prolly already know anyway) 4. Logon to your windows domain and check that folder redirection is working. Logoff once you have achieved this. 5. Change the permissions so access is via ACLs only: chown -R root.root test_dir; setfacl -R -m test_user:rwx test_dir; setfacl -R -m default:test_user:rwx test_dir 6. Logon to your windows domain once again and windows is no longer able to redirect folders to this share (IE's History folder is a good one to experiment with). Cheers, Grant> From: grantb @ WebDS <grantb@webds.com.au> > To: samba@lists.samba.org > Subject: [Samba] Folder Redirection broken if access is from ACL only > Date: Tue, 19 Apr 2005 09:09:00 +1000 > > I have an issue with W2K/XP using Folder Redirection to a Samba homes > share (or any share for that matter). This is only a problem when access > for a user is via an ACE (ACL) and not the traditional file system > permissions. > > So for example (user is cath in this example): > > [root@gandalf users]# ll -d cath > drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath > > [root@gandalf users]# getfacl cath > # file: cath > # owner: root > # group: root > user::rwx > user:cath:rwx > group::--- > mask::rwx > other::--- > default:user::rwx > default:user:cath:rwx > default:group::--- > default:mask::rwx > default:other::--- > > I have also tried this using the "profile acls = yes" option, but with no > success (works fine for roaming profiles tho, as it was designed to do). > > It seems that Windows may be trying to set ACLs on index.dat which fails > when access is via ACLs only. Here's an indication of this from the smbd > log: > [2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436) > set_canon_ace_list: sys_acl_set_file failed for file > k-drive/History/History.IE5/MSHist012005041220050413/index.dat (Operation > not permitted). > [2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270) DBR05A+cath > closed file k-drive/History/History.IE5/MSHist012005041220050413/i > ndex.dat (numopen=3) > > Any help would be appreciated. I expect that this may be an Samba issue > that might need to be looked at by the samba-technical gods. > > Jeremy did ask for additional diagnostic detail, which I sent. However he's probably > been side tracked by something more important. > > Cheers, Grant >
Grant Bigham
2005-Apr-30 10:42 UTC
[Samba] Folder Redirection broken if access is from ACL only
I have an issue with W2K/XP using Folder Redirection to a Samba homes share (or any share for that matter). This is only a problem when access for a user is via an ACE (ACL) and not the traditional file system permissions. The problem is on Linux (various distribs (SLES8 and FC2) 2.4 and 2.6 Kernels), and Samba-3.0.11 on ext3 file systems mounted with user_xattr,acl options. This is not an ACL problem as such. Access to shares and the data within is fine using ACLs, it only becomes a problem when Windows tried to access redirected folders on Samba, where that access is granted via ACLs only. So for example (user is cath in this example): [root@gandalf users]# ls -ld cath drwxrwx---+ 5 root root 4096 Apr 15 20:40 cath [root@gandalf users]# getfacl cath # file: cath # owner: root # group: root user::rwx user:cath:rwx group::--- mask::rwx other::--- default:user::rwx default:user:cath:rwx default:group::--- default:mask::rwx default:other::--- I've tested this using the "profile acls = yes" option also, as I suspected windows may have being attempting similar access checks that made this necessary for roaming profiles on Samba shares, but the problem was still present. It seems that Windows may be trying to set ACLs on index.dat which fails when access is via ACLs only. Here's an indication of this from the smbd log: [2005/04/12 21:44:55, 2] smbd/posix_acls.c:set_canon_ace_list(2436) set_canon_ace_list: sys_acl_set_file failed for file k-drive/History/History.IE5/MSHist012005041220050413/index.dat (Operation not permitted). [2005/04/12 21:44:55, 2] smbd/close.c:close_normal_file(270) DBR05A+cath closed file k-drive/History/History.IE5/MSHist012005041220050413/index.dat (numopen=3) It's easy to re-create. 1. Setup a test share 2. Setup permissions on share directory: chown -R test_user test_dir; 3. Setup your Windows image to redirect folders to your test share (I wont go into details on how to do this on the assumption you prolly already know anyway) 4. Logon to your windows domain and check that folder redirection is working. Logoff once you have achieved this. 5. Change the permissions so access is via ACLs only: chown -R root.root test_dir; setfacl -R -m test_user:rwx test_dir; setfacl -R -m default:test_user:rwx test_dir 6. Logon to your windows domain once again and windows is no longer able to redirect folders to this share (IE's History folder is a good one to experiment with). Cheers, Grant