Hi,

I'm experiencing a strange behavior in the way Samba shows file and folder permissions under Windows Explorer. When I open the folder or file properties under Windows (XP SP2, btw), it shows in the Security panel all the entries, both classical POSIX ones and POSIX ACL ones; but if I select each one of them to see file permissions, it will show only the permissions of users indicated in the file POSIX ACLs.

For example, this is the getfacl under Linux:

# file: Operators
# owner: albe
# group: Domain\040Admins
user::rwx
user:alessandroc:r-x
group::r--
group:SwDevelopers:r-x
mask::rwx
other::r--
default:user::rwx
default:user:albe:r--
default:user:alessandroc:r-x
default:group::r--
default:group:SwDevelopers:r-x
default:mask::rwx
default:other::r--

If I look at the security properties under Windows, only the entries directly indicated explicitly in the ACL are correctly shown, so in this case user "alessandroc" and group "SwDevelopers". The others are empty. If I open the advanced panel, it shows me the user "albe" entry twice, one for the classical POSIX permissions and one for the ACL permission. Anyway, under this panel all permissions are correctly shown.

Is this an expected behavior or is there something wrong in my Samba installation or configuration file?

I hope to have explained myself correctly. I remain at your disposal.

Cheers
Albe
Gerald (Jerry) Carter
2006-Jan-04 15:18 UTC
[Samba] Samba Posix ACL and classical files permissions
Albe wrote:
> For example, this is the getfacl under linux:
>
> # file: Operators
> # owner: albe
> # group: Domain\040Admins
> user::rwx
> user:alessandroc:r-x
> group::r--
> group:SwDevelopers:r-x
> mask::rwx
> other::r--
> default:user::rwx
> default:user:albe:r--
> default:user:alessandroc:r-x
> default:group::r--
> default:group:SwDevelopers:r-x
> default:mask::rwx
> default:other::r--
>
> If i look at the security properties under windows only
> the entries directly indicated explicitly in the acl is correctly
> shown, so in this case user "alessandroc" and group "SwDevelopers".
> The others are empty. If i open the advanced panel, it shows me
> user "albe" entry twice, one for the classical posix permissions
> and one for the acl permission. Anyway, under this panel all
> permissions are correctly shown.
>
> Is this an expected behavior or is there something wrong
> in my samba installation or configuration file?

This is expected behavior. The key thing to understand is that the Windows security GUI only shows permissions in the first tab if the ACE applies to "This folder, subfolders, & files". The posix ACE for a user or group is the "This folder" part and the default ACE for that user or group is the "subfolders & files" portion. However, the default user and group ACE is the CREATOR OWNER/GROUP. So you need an additional 'default:user:albe:rwx' entry to get the "subfolders & files" for the actual owner.

Hope this helps.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us." --anonymous
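The mapping described in the reply above, as an added example that is not part of the original thread: a small Python check that reads getfacl output and reports which user and group entries have a matching default entry, and which default entry is missing otherwise. The function name first_tab_report is hypothetical, the requirement that access and default permissions be identical is an assumption drawn from the suggested 'default:user:albe:rwx' entry, and mask and other entries are skipped.

```python
import re

# Constructed sample: the getfacl output quoted in the thread.
SAMPLE = r"""# file: Operators
# owner: albe
# group: Domain\040Admins
user::rwx
user:alessandroc:r-x
group::r--
group:SwDevelopers:r-x
mask::rwx
other::r--
default:user::rwx
default:user:albe:r--
default:user:alessandroc:r-x
default:group::r--
default:group:SwDevelopers:r-x
default:mask::rwx
default:other::r--
"""

def first_tab_report(getfacl_text):
    """Map (kind, name) -> (expected in first tab?, default entry to add or None)."""
    owner, access, default = {}, {}, {}
    for line in getfacl_text.splitlines():
        m = re.match(r"# (owner|group): (.+)", line.strip())
        if m:  # header names the owning user / owning group
            owner["user" if m.group(1) == "owner" else "group"] = m.group(2)
            continue
        m = re.match(r"(default:)?(user|group):([^:]*):([rwx-]{3})", line.strip())
        if not m:
            continue  # "# file:" header, mask and other entries
        is_default, kind, name, perms = m.groups()
        if is_default and not name:
            continue  # default:user:: / default:group:: is CREATOR OWNER/GROUP
        name = name or owner[kind]  # user:: / group:: belong to the header's owner
        (default if is_default else access)[(kind, name)] = perms
    report = {}
    for (kind, name), perms in access.items():
        # Assumption: "This folder" and "subfolders & files" must carry equal rights.
        shown = default.get((kind, name)) == perms
        fix = None if shown else "default:%s:%s:%s" % (kind, name, perms)
        report[(kind, name)] = (shown, fix)
    return report

if __name__ == "__main__":
    for key, (shown, fix) in first_tab_report(SAMPLE).items():
        print(key, "first tab" if shown else "advanced panel only, add " + fix)
```

The input must include the getfacl header lines, since they are what ties user:: and group:: to the owning user and group.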
Well, when I first installed Samba without POSIX ACLs, it simply showed the classical rwx permissions of the owner, group and others as the corresponding permissions in the "allow" column of the security panel. I would suggest to consider ACLs if present, otherwise to show the classical permissions, which I think reflects the real behavior in Linux. Am I wrong?

albe

Gerald (Jerry) Carter wrote:
> Albe wrote:
>
>> Thank you very much.
>>
>> I think though that this is very misleading for the
>> casual windows user and the behavior should be as much
>> as possible pertinent or understandable.
>
> It is intuitive once you understand it, but perhaps not
> well documented. Unless of course, you have a suggestion
> for a better way to map posix acls onto Windows security
> descriptors?
>
> cheers, jerry