Sorry for the report, but I got exactly zero replies, so I will try again:
Way back on Mar 10 2004, I wrote this:
> ==========
> Perhaps this is a known problem, and if so, hopefully it is fixed in 3.x:
>
> Win2K SP4 clients, Samba 2.2.8a servers on Linux using ACL support with
> XFS filesystem (Redhat SGI-XFS build, and Mandrake 9.2).
>
> Adding/editing an ACL for an NT domain group (or user) to a folder on
> samba, and attempting to apply permissions to all subdirs and files only
> goes one level deep when using the win2k standard gui tool. i.e.: Only
> ACLs for the selected folder and files in top level are touched. Problem
> does not occur when using an NT4 client. Interestingly, using the NT4
> security dialog on win2k (by way of the RSHXMENU powertoy for NT) works
> fine on win2K.
>
> Is this a known issue? I can provide conf and debug output if necessary,
> but I assumed someone else must have seen this already (and fixed it? :-)
> ==========
>
> Then, I got this reply:
>
> > On 24 Mar 2004 at 9:13, Gerald (Jerry) Carter wrote:
> >
> > Yup. It is fixed in 3.0 from what I remember. Jeremy worked on it.
>
> Eventually I got around to upgrading the affected servers to
> 3.0.11, but the problem persists, and I didn't have time to dig
> into it. Now I need to replace two samba servers, and would
> like to resolve this issue. I've now read the release notes from
> 3.0.12 to 3.0.20RC2 and couldn't find mention of a fix.
I am now running 3.0.14a, but the permissions recursion problem still exists.
Each time I apply permissions to a tree using the Win2K GUI, the addition or
removal of an ACL will move exactly one level deeper than before. In
other words, if the tree is 4 levels deep, it will take 3 passes of the
operation before the ACL change appears in the 4th level. This
long-standing problem is seriously limiting our migration to samba. Can
someone please tell me if this has been fixed in 3.0.20?
I have offered configs, debug, etc. and the offer still stands. I just want to
see this problem fixed, and can't believe it is not affecting more users.
For the record, here is the environment:
Mandrake 10.1 with ACL support on XFS
The share used for testing the issue is the "home" share.
PDC is running NT4 SP6a
Client used for setting ACLs running Win2K SP4, tested using GUI, cacls,
and xcacls.
Build options:
./configure --with-winbind --with-acl-support --with-quotas \
  --sbindir=/usr/sbin --bindir=/usr/bin --localstatedir=/var/log/samba \
  --with-swatdir=/usr/share/swat --with-lockdir=/var/cache/samba \
  --with-configdir=/etc/samba --with-piddir=/var/run
conf file:
[global]
workgroup = SHAWNIGAN
netbios name = ADMIN3
server string = ADMIN3 Server
winbind uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
winbind separator = +
winbind enum groups = yes
disable spoolss = yes
unix password sync = no
max xmit = 65535
hosts allow = 10. 72.2.0.
dns proxy = no
oplocks = yes
inherit permissions = yes
debug level = 1
security = domain
getwd cache = yes
log level = 3
read raw = yes
write raw = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=16384 SO_SNDBUF=16384
wins server = 72.2.0.5 72.2.0.4
create mask = 0700
domain master = no
map to guest = never
null passwords = no
encrypt passwords = yes
template shell = /bin/false
dead time = 0
password level = 0
password server = *
directory mask = 0700
preferred master = no
[homes]
comment = Staff Home Directories
browseable = no
writable = yes
available = yes
public = no
create mask = 2700
inherit permissions = yes
nt acl support = no
force group = "shawnigan+domain users"
force security mode = 0777
path = /home/staff/%U
[home]
comment = Homes
browseable = yes
writable = yes
available = yes
public = no
only user = no
path=/home
valid users = @"shawnigan+domain admins"
admin users = @"shawnigan+domain admins"
[sysroot]
comment = sysroot
valid users = @"shawnigan+domain admins"
admin users = @"shawnigan+domain admins"
writeable = yes
path = /
hosts allow =10.4. 72.2.0.
[staffhome]
comment = Staff Homes - Web Access
browseable = yes
writable = yes
available = yes
public = no
only user = no
path=/home/staff
valid users = @"shawnigan+domain admins","shawnigan+Apache-Internal"
admin users = @"shawnigan+domain admins"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
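
A server-side check for the symptom reported above, added here as an example and not part of the original post: it parses `getfacl -R` output and reports, per directory depth, which paths still lack a named ACL entry after a pass from the Windows client. The sample output, the tree `home/acltest` and the group `shawnigan+teachers` are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed `getfacl -R` output after one "apply to subfolders" pass.
# The tree home/acltest and the group shawnigan+teachers are made up.
HEAD = "# file: {}\n# owner: root\n# group: root\nuser::rwx\ngroup::r-x\n"
WITH = HEAD + "group:shawnigan+teachers:rwx\nmask::rwx\nother::---\n"
WITHOUT = HEAD + "other::---\n"
SAMPLE = "\n".join([
    WITH.format("home/acltest"),
    WITH.format("home/acltest/a"),
    WITHOUT.format("home/acltest/a/b"),
    WITHOUT.format("home/acltest/a/b/c"),
])

def parse_getfacl(text):
    """Yield (path, set of ACL entry strings) for each '# file:' block."""
    path, entries = None, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            if path is not None:
                yield path, entries
            path, entries = line[len("# file: "):], set()
        elif line and not line.startswith("#"):
            # Drop a trailing "#effective:..." comment if getfacl printed one.
            entries.add(line.split()[0])
    if path is not None:
        yield path, entries

def missing_by_depth(text, root, qualifier):
    """Map depth below root -> paths lacking an entry such as 'group:NAME'."""
    root, missing = PurePosixPath(root), defaultdict(list)
    for path, entries in parse_getfacl(text):
        try:
            depth = len(PurePosixPath(path).relative_to(root).parts)
        except ValueError:  # path is outside the tree being checked
            continue
        if not any(e.startswith(qualifier + ":") for e in entries):
            missing[depth].append(path)
    return dict(missing)

def deepest_complete_level(text, root, qualifier):
    """Deepest level where every path has the entry; None if none is missing,
    -1 if the root itself lacks it."""
    missing = missing_by_depth(text, root, qualifier)
    return min(missing) - 1 if missing else None

if __name__ == "__main__":
    print(missing_by_depth(SAMPLE, "home/acltest", "group:shawnigan+teachers"))
    print(deepest_complete_level(SAMPLE, "home/acltest", "group:shawnigan+teachers"))
```

Running it against real `getfacl -R` output captured after each pass shows whether the entry advances one level at a time, independent of what the Windows dialog displays.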