sylvain.david@etranges-libellules.fr
2006-Jun-29 07:58 UTC
[Samba] Samba PDC + ACL : default ACLs ignored on directory
Hi all,

I use Debian Sarge and Samba 3.0.22 with ACLs. The server is a PDC. I have about 70 client workstations running both Windows XP SP1 and SP2.

All works pretty well, all but the directory copy, which forgets ACLs in a particular case: when a client copies a local directory onto a samba share, the default ACLs aren't applied. But this problem comes only when the client local directory owner is DOMAIN\USER. If the client local directory owner is LOCALPC\USER, the default ACLs are applied during the copy.

In fact I wonder if this is the normal behavior of Samba: if the owner is the domain user, perhaps samba tries to copy the ACLs with the file? But that's not what I want samba to do. I would like only the default ACLs to be applied. And the thing which makes me think that it's a bug is that this behavior is not happening on a file copy: a local file owned by DOMAIN\USER copied onto a samba share gets the default ACLs of the directory in which it is copied.

So, I think I have 3 solutions:
- create all the groups and all users on all the workstations, and then set the local security correctly on every workstation directory tree. But this is impossible because I'm alone to manage all the workstations, and new users are created and old ones deleted every month
- make a script watching the ACLs on the server. But this is dirty...
- hope there's a solution in configuration or a patch. I tried "security mask" and "directory security mode" to prevent users from modifying ACLs; it works, but only on POSIX and the default ACLs are still forgotten. "inherit permissions" is not the solution either.

In fact the dream solution is a way which makes samba totally ignore local security and apply the server security. But how?
Here's my smb.conf :

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = elb-lyon
        netbios name = server02
        server string = server02.elb-lyon
        os level = 65
        domain logons = Yes
        domain master = Yes
        local master = Yes
        preferred master = Yes
        wins support = Yes

        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        passwd chat debug = Yes
        pam password change = Yes
        unix password sync = Yes

        syslog = 0
        log level = 2
        # log level max = 10
        log file = /var/log/samba/log.%m
        max log size = 25600
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        invalid users = root2

        # default samba user parameters
        logon drive = P:
        logon home = \\server02\%U
        logon path = \\server02\profiles\%U
        logon script = %U.cmd

        # automatic posix account management :)
        # POSIX account management
        add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
        add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
        add group script = /usr/sbin/groupadd '%g'
        add user to group script = /usr/bin/gpasswd -a '%u' '%g'
        delete user script = /usr/sbin/userdel -r '%u'
        delete group script = /usr/sbin/groupdel '%g'
        delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
        set primary group script = /usr/sbin/usermod -g '%g' '%u'

        veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

        guest account = guest

        hosts allow = 192.168.0. 127.

# -----------------------------------------------------------------------------
# Domain essentials
# -----------------------------------------------------------------------------
[homes]
        path = /mnt/SAN01/vd3_home2/home2/%u
        comment = Home Directories
        valid users = %S
        guest ok = No
        writable = Yes
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        path = /mnt/SAN01/vd3_home2/netlogon
        comment = Partage NetLogon
        valid users = @sambausers @sambaguests root
        guest ok = No
        read only = Yes
        browseable = No

[profiles]
        path = /mnt/SAN01/vd3_home2/profiles
        comment = Profils utilisateurs
        valid users = @sambausers @sambaguests root
        guest ok = No
        writable = Yes
        create mode = 0700
        browseable = No

# -----------------------------------------------------------------------------
# Printers
# -----------------------------------------------------------------------------
[printers]
        path = /tmp
        comment = All printers
        valid users = @sambausers
        guest ok = No
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

# -----------------------------------------------------------------------------
# Shares :)
# -----------------------------------------------------------------------------
[vd1_echange]
        comment = Zone d'echange interne et FTP Pantin.
        path = /mnt/SAN01/vd1_echange
        valid users = root @sambaadmins @sambaguests @User_Standard
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = yes
        inherit acls = yes
        hide unreadable = Yes
        # directory security mask = 0000
        # force directory security mode = 0777

[vd2_gestion]
        comment = Administration, compta, gestion.
        path = /mnt/SAN01/vd2_gestion
        valid users = root @sambaadmins @Gestion_Level0, @Gestion_Level1, @Gestion_Level2, @Gestion_Level3
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit acls = yes
        hide unreadable = Yes

[vd3_home2]
        comment = Dossiers privés
        path = /mnt/SAN01/vd3_home2
        valid users = root @sambaadmins
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit acls = yes
        hide unreadable = Yes
        csc policy = disable

[vd4_archive]
        comment = Archives Design, Develop, Graphisme, Logiciels
        path = /mnt/SAN01/vd4_archive
        valid users = root @sambaadmins @User_Standard, @Archive_Develop, @Archive_Design, @Archive_Graphisme, @Archive_Logiciels
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit acls = yes
        hide unreadable = Yes

[vd5_projet]
        comment = Les Projets
        path = /mnt/SAN01/vd5_projet
        valid users = root @sambaadmins @Projet_one @Projet_two @Projet_three @Projet_four
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit acls = yes
        hide unreadable = Yes

[vd6_backup]
        comment = Backups [reservé admin]
        path = /mnt/SAN01/vd6_backup
        valid users = root @sambaadmins
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit acls = yes
        hide unreadable = Yes

[vd7_video]
        comment = Montages Videos
        path = /mnt/SAN01/vd7_video
        valid users = root @sambaadmins @User_MontageVideo
        guest ok = No
        writable = Yes
        create mask = 0770
        directory mask = 0770
        browseable = Yes
        inherit acls = yes
        hide unreadable = Yes

--
Sylvain DAVID / network administrator
adr : Etranges Libellules      .~.
      17 Rue des Archers       /v\
      69002 LYON              /( )\
tel : 04 72 40 24 72          ^^-^^
fax : 04 72 40 27 19
www.etranges-libellules.fr
--
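A server-side audit of the kind the second option above ("a script watching the ACLs on the server") describes, written here as an added example and not the poster's or Samba's own code: it parses `getfacl -p -R` output and reports every object whose access ACL (and, for directories, default ACL) lacks the named user/group entries its parent's default ACL should have propagated. The paths, the `Gestion_Level1` group and the sample getfacl output are constructed from the share layout in the message above; `sdavid`, `compta2006` and `copied_from_pc` are invented names.

```python
import re
NAMED = re.compile(r"^(user|group):[^:]+:")            # named user/group entries only

def parse_getfacl(text):
    """Parse `getfacl -p -R <share>` output into {path: (access_set, default_set)}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            current = line[len("# file:"):].strip()
            acls[current] = (set(), set())
        elif not line or line.startswith("#") or current is None:
            continue                                    # owner/group/flags lines
        else:
            entry = line.split("#", 1)[0].strip()       # drop "#effective:" tails
            if entry.startswith("default:"):
                acls[current][1].add(entry[len("default:"):])
            else:
                acls[current][0].add(entry)
    return acls

def find_drift(acls, directories=()):
    """{path: problems} for objects missing the named entries their parent's default ACL should have propagated."""
    drift = {}
    for path, (access, default) in acls.items():
        parent = path.rsplit("/", 1)[0]
        if parent not in acls:
            continue                                    # share root or outside the scan
        expected = {e for e in acls[parent][1] if NAMED.match(e)}
        problems = sorted("access:" + e for e in expected - access)
        if path in directories or default:              # directories must also carry the defaults
            problems += sorted("default:" + e for e in expected - default)
        if problems:
            drift[path] = problems
    return drift

# Constructed `getfacl -p -R` excerpt (not real server output): the share root carries a default
# ACL for Gestion_Level1; "compta2006" inherited it, "copied_from_pc" (copied from a DOMAIN\USER-owned
# client folder) did not and has no default ACL of its own.
SAMPLE = (
    "# file: /mnt/SAN01/vd2_gestion\n# owner: root\n# group: sambaadmins\n"
    "user::rwx\ngroup::rwx\ngroup:Gestion_Level1:rwx\nmask::rwx\nother::---\n"
    "default:user::rwx\ndefault:group::rwx\ndefault:group:Gestion_Level1:rwx\ndefault:mask::rwx\ndefault:other::---\n\n"
    "# file: /mnt/SAN01/vd2_gestion/compta2006\n# owner: sdavid\n# group: sambausers\n"
    "user::rwx\ngroup::rwx\ngroup:Gestion_Level1:rwx\nmask::rwx\nother::---\n"
    "default:user::rwx\ndefault:group::rwx\ndefault:group:Gestion_Level1:rwx\ndefault:mask::rwx\ndefault:other::---\n\n"
    "# file: /mnt/SAN01/vd2_gestion/copied_from_pc\n# owner: sdavid\n# group: sambausers\n"
    "user::rwx\ngroup::---\nmask::---\nother::---\n"
)
if __name__ == "__main__":
    print(find_drift(parse_getfacl(SAMPLE), {"/mnt/SAN01/vd2_gestion/copied_from_pc"}))
```

On a real server, feed it `getfacl -p -R /mnt/SAN01/vd2_gestion` and the directory list from `find ... -type d`; a cron job that diffs successive reports gives the "watching" behaviour without touching the ACLs itself.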
sylvain.david@etranges-libellules.fr
2006-Jun-30 16:29 UTC
[Samba] Samba PDC + ACL : default ACLs ignored on directory
I'm sorry, perhaps you don't understand my poor English - I'm French... - but does someone know how to force ACLs to be applied, particularly in the case described below? Or is there a way to execute a script at directory creation (a kind of trigger)?

Thank you,
Sylvain DAVID.

sylvain.david@etranges-libellules.fr wrote:
> Hi all,
>
> I use Debian Sarge and Samba 3.0.22 with ACLs. The server is a PDC. I
> have about 70 client workstations running both Windows XP SP1 and SP2.
>
> All works pretty well, all but the directory copy, which forgets ACLs in
> a particular case:
> when a client copies a local directory onto a samba share, the default
> ACLs aren't applied. But this problem comes only when the client local
> directory owner is DOMAIN\USER. If the client local directory owner is
> LOCALPC\USER, the default ACLs are applied during the copy.
> In fact I wonder if this is the normal behavior of Samba: if the
> owner is the domain user, perhaps samba tries to copy the ACLs with the
> file? But that's not what I want samba to do. I would like only
> the default ACLs to be applied. And the thing which makes me
> think that it's a bug is that this behavior is not happening on a file
> copy: a local file owned by DOMAIN\USER copied onto a samba share gets the
> default ACLs of the directory in which it is copied.
>
> So, I think I have 3 solutions:
> - create all the groups and all users on all the workstations, and then
> set the local security correctly on every workstation directory tree.
> But this is impossible because I'm alone to manage all the
> workstations, and new users are created and old ones deleted every month
> - make a script watching the ACLs on the server. But this is dirty...
> - hope there's a solution in configuration or a patch. I tried
> "security mask" and "directory security mode" to prevent users from
> modifying ACLs; it works, but only on POSIX and the default ACLs are
> still forgotten. "inherit permissions" is not the solution either.