According to the smb.conf man page, the "dos filemode" parameter will
allow a user who is not the owner of a file to effect permission changes on a
file or folder provided he has write access to that object. This does not
appear to be the case. Users with write access via user or group ACEs receive
an "Access denied" error when attempting to make ACL changes via
Windows, accompanied by an "operation not permitted" error in the
client's log file on the file server.
Example
Share "testshare" is created with the following entry in the smb.conf:
[testshare]
comment = test share
path = /export/data/testshare
read only = no
store dos attributes = yes
dos filemode = yes
An empty folder called test is created and the following ACL is applied:
# file: test
# owner: daniel
# group: sys
user::rwx
user:scott:rwx
user:daniel:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:scott:rwx
default:user:daniel:rwx
default:group::rwx
default:group:sys:rwx
default:mask::rwx
default:other::---
User daniel (the folder's owner) has write access to the folder and can
modify the ACL. User scott also has write access to the folder due to his entry
in the ACL. He can write to the folder, but cannot modify the ACL or alter any
individual ACEs. This is the same behavior seen with the "dos
filemode" parameter disabled. I've also tried opening up the
permissions completely by chmod'ing the directory to 0777 and adjusting the
ACL with no positive effect. In all cases, only the owner can adjust the ACL.
Here's an example of the error in the client log (log level 10):
[2005/11/09 09:53:55, 2] smbd/posix_acls.c:set_canon_ace_list(2486)
set_canon_ace_list: sys_acl_set_file type file failed for file test (Operation
not permitted).
[2005/11/09 09:53:55, 3] smbd/posix_acls.c:set_nt_acl(3205)
set_nt_acl: failed to set file acl on file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/error.c:error_packet(147)
error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
I've also noticed that the read-only flag is "half checked" (the
in-between state of a tri-state flag) on the folder (in the properties dialog),
indicating that some of the items underneath are read only and some are not.
How can this be, since the folder is empty? Changing this flag, either as user
daniel or scott, does not have any permanent effect, though user scott does NOT
receive an access denied message when he attempts to change it.
acls and user_xattrs are set in the fstab and have been tested, and ldd run on
smbd reveals that libacl and libattr have been compiled in. All test systems
were members of an AD domain but joined as pre-win2k clients. The smb.conf is
included below.
I've seen the described behavior on the following configurations:

  Kernel                  Samba Rev.   Filesystem
  Linux 2.6.5 (x86_64)    3.0.14a      ReiserFS
  Linux 2.6.5 (x86_64)    3.0.9        ReiserFS
  Linux 2.6.5 (i386)      3.0.14a      ReiserFS
  Linux 2.6.5 (i386)      3.0.20b      ext3
Any thoughts?
Thanks,
Scott F. Crosby
[global]
workgroup = ADDOMAIN
server string = Test Samba Server
map to guest = Bad User
host msdfs = yes
smb passwd file = /etc/samba/smbpasswd
security = domain
encrypt passwords = yes
#password server = *
password server = 192.168.100.10 192.168.100.11
wins server = 192.168.100.10 192.168.100.11
log file = /var/log/samba/log.%m
log level = 3
max log size = 4096
local master = no
dns proxy = no
load printers = yes
printing = cups
printcap name = cups
printer admin = @domadmin
[print$]
comment = Printer Drivers
path = /etc/samba/drivers
browseable = yes
guest ok = yes
read only = yes
write list = @domadmin
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[test]
comment = test
path = /export/data/test
read only = no
store dos attributes = yes
dos filemode = yes
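The behaviour in the post comes down to two separate POSIX rules: the ACL decides who may read, write or traverse the object, while acl_set_file(3) and chmod(2) on Linux are permitted only to the file's owner or to a caller holding CAP_FOWNER (root), regardless of any write permission the ACL grants. The script below is an added example, not code from the original post or from Samba; it parses the getfacl listing quoted above and checks both rules side by side. The group memberships in GROUPS and the user names passed to the functions are assumptions for illustration.

```python
#!/usr/bin/env python3
"""POSIX ACL access check beside the owner-only rule for changing permissions.

Added example for the thread above, not Samba's code. The getfacl(1) listing
is the one from the post; GROUPS is an assumed membership table.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Copied from the post: getfacl output for the empty directory "test".
GETFACL_OUTPUT = """\
# file: test
# owner: daniel
# group: sys
user::rwx
user:scott:rwx
user:daniel:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:scott:rwx
default:user:daniel:rwx
default:group::rwx
default:group:sys:rwx
default:mask::rwx
default:other::---
"""

# Assumed group memberships (the post does not state them).
GROUPS: Dict[str, Set[str]] = {"daniel": {"users", "sys"},
                               "scott": {"users"}, "nobody": set()}


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: str = ""                                 # user::
    users: Dict[str, str] = field(default_factory=dict)   # user:<name>:
    group_obj: str = ""                                # group::
    groups: Dict[str, str] = field(default_factory=dict)  # group:<name>:
    mask: Optional[str] = None                         # mask::
    other: str = ""                                    # other::


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's long text form. 'default:' entries are skipped: they
    seed the ACLs of new children and play no part in access to this object."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            key, _, val = line[1:].strip().partition(":")
            if key == "owner":
                acl.owner = val.strip()
            elif key == "group":
                acl.group = val.strip()
            continue
        tag, qualifier, perms = line.split(":")
        perms = perms.replace("-", "")          # "r-x" -> "rx"
        if tag == "user":
            (acl.users.__setitem__(qualifier, perms) if qualifier
             else setattr(acl, "user_obj", perms))
        elif tag == "group":
            (acl.groups.__setitem__(qualifier, perms) if qualifier
             else setattr(acl, "group_obj", perms))
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError("unknown ACL tag: " + tag)
    return acl


def _masked(perms: str, mask: Optional[str]) -> Set[str]:
    return set(perms) if mask is None else set(perms) & set(mask)


def has_access(acl: Acl, user: str, requested: str) -> bool:
    """acl(5) access check: owner, then named user, then owning/named groups
    (each masked; one entry must grant everything requested), then other."""
    want = set(requested)
    if user == acl.owner:
        return want <= set(acl.user_obj)       # owner entry is never masked
    if user in acl.users:
        return want <= _masked(acl.users[user], acl.mask)
    member = GROUPS.get(user, set())
    candidates = [acl.group_obj] if acl.group in member else []
    candidates += [p for g, p in acl.groups.items() if g in member]
    if candidates:
        return any(want <= _masked(p, acl.mask) for p in candidates)
    return want <= set(acl.other)


def may_change_acl(acl: Acl, user: str, cap_fowner: bool = False) -> bool:
    """Who may call acl_set_file()/chmod(): only the owner or a caller with
    CAP_FOWNER. Write access is irrelevant, which is the EPERM in the log."""
    return user == acl.owner or cap_fowner


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    for u in ("daniel", "scott", "nobody"):
        print(u, "write:", has_access(acl, u, "w"),
              "set ACL:", may_change_acl(acl, u))
```

Running it shows scott with write access but no right to set the ACL, daniel with both, and nobody with neither. To get the man-page behaviour for scott, the server process has to perform the acl_set_file() call with CAP_FOWNER on his behalf after verifying his write access; a plain write permission in the ACL will never satisfy the kernel's ownership check.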