I've been working at this for a few days now and I can't figure out what
is broken. Google turns up similar issues from years back, but I hope
this is a bug resurfacing. ACL entries are being deleted when files are
saved. Here is an example:
username: user1
group membership: Domain Users
directory: /share/test
file: test.xls
getfacl /share
# file: share
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040users
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040users:rwx
mask::rwx
other::rwx
getfacl /share/test
# file: share/test
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040admins
user::rwx
group::rwx
group:DOMAIN+domain\040users:rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
getfacl /share/test/test.xls
# file: test.xls
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040admins
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040users:rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
If user1 opens the file in Excel, makes a change and saves it, then the
facl for test.xls becomes:
# file: test.xls
# owner: DOMAIN+user1
# group: DOMAIN+domain\040users
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
The entry for Domain Users was deleted. Note that I have the default
group other set to rwx as a workaround because it causes users to be
locked out of their files. If you want to see something really strange,
you should see what happens if I change the file and group owner back to
what it was before user1 modified it and let user1 save it again. But
for now, I need to know how to fix this. Anyone have any ideas? My
config from 3.0.22 didn't change, but I've tried a variety of things to
fix this. I've got these all set:
[global]
store dos attributes = Yes
dos filemode = Yes
dos filetime resolution = Yes
acl compatibility = yes
ea support = Yes
map acl inherit = yes
inherit permissions = Yes
inherit acls = Yes
[test]
comment = test drive
path = /share/test
read only = No
create mask = 0777
directory mask = 0777
guest ok = Yes
map readonly = permissions
nt acl support = yes
inherit acls = yes
Any ideas would be greatly appreciated.
Thanks,
Aaron Kincer
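To make the "entry was deleted" observation mechanical rather than eyeballed, here is a small parser and differ for getfacl output. It is an added example, not code from the original post: parse_getfacl() reads the format shown in this thread (header comment lines, then tag:qualifier:perms lines) and decodes getfacl's octal escapes such as \040 for the space in "domain users"; diff_acls() compares a before and an after listing. The two listings embedded below are the test.xls ACLs posted above, before and after user1 saved the file.

```python
"""Parse two getfacl listings and report which ACL entries disappeared.

Added example, not code from the original post. The BEFORE/AFTER text is
the test.xls ACL as posted in the thread; the parser handles getfacl's
\\NNN octal escapes (\\040 is a space) in qualifiers and header values.
"""

import re

BEFORE = r"""
# file: test.xls
# owner: DOMAIN+backupuser
# group: DOMAIN+domain\040admins
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040users:rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
"""

AFTER = r"""
# file: test.xls
# owner: DOMAIN+user1
# group: DOMAIN+domain\040users
user::rwx
user:DOMAIN+backupuser:rwx
group::rwx
group:DOMAIN+domain\040admins:rwx
mask::rwx
other::rwx
"""


def unescape(name):
    """getfacl writes special bytes as \\NNN octal escapes; decode them."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return (header, entries) for one getfacl block.

    header maps file/owner/group to their values; entries maps
    (tag, qualifier) to the permission string, e.g. ("group",
    "DOMAIN+domain users") -> "rwx". An empty qualifier is the owning
    user/group or the mask/other entry.
    """
    header, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = unescape(value.strip())
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries[(tag, unescape(qualifier))] = perms
    return header, entries


def diff_acls(before, after):
    """Describe how the ACL changed between two parsed listings."""
    before_hdr, before_entries = before
    after_hdr, after_entries = after
    return {
        # Entries present before the save but gone afterwards.
        "removed": {k: v for k, v in before_entries.items() if k not in after_entries},
        "added": {k: v for k, v in after_entries.items() if k not in before_entries},
        "changed": {k: (v, after_entries[k]) for k, v in before_entries.items()
                    if k in after_entries and after_entries[k] != v},
        # Owner / owning-group changes are reported alongside the entries.
        "header_changes": {k: (before_hdr.get(k), after_hdr.get(k))
                           for k in ("owner", "group")
                           if before_hdr.get(k) != after_hdr.get(k)},
    }


def report():
    """Diff the two listings embedded above."""
    return diff_acls(parse_getfacl(BEFORE), parse_getfacl(AFTER))


if __name__ == "__main__":
    for section, items in report().items():
        print(section)
        for key, value in items.items():
            print("  ", key, value)
```

Run against the posted listings, the report shows exactly one removed entry, the named group entry for DOMAIN+domain users, and also that the file's owner and owning group changed during the save (backupuser to user1, domain admins to domain users). Feeding the script the output of getfacl taken before and after a client saves is a quick way to confirm whether a given Samba configuration change actually stops the loss.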
Carlos Eduardo Pedroza Santiviago
2007-May-07 14:49 UTC
[Samba] 3.0.24 and disappearing ACL entries
Hi,

On 5/1/07, Aaron Kincer <kincera@gmail.com> wrote:
> I've been working at this for a few days now and I can't figure out what
> is broken. Google turns up similar issues from years back, but I hope
> this is a bug resurfacing. ACL entries are being deleted when files are
> saved. Here is an example:
>

Any info on this? I'm having similar problems, when a user with the M$ Suite saves his files.

$ getfacl *
# file: teste.doc
# owner: cadu
# group: XXXEMP
user::rwx
group::rwx
group:XXXAED:rwx
group:XXXEXT:r-x
group:XXXGES:rwx
mask::rwx
other::---

# file: teste.ods
# owner: cadu
# group: XXXEMP
user::rwx
group::rwx
group:XXXAED:rwx
group:XXXEMP:rwx
group:XXXEXT:r-x
group:XXXGES:rwx
mask::rwx
other::---

After saving file "teste.doc", it removed the ACL for the EMP group. That didn't happen when I saved "teste.ods", using OpenOffice suite.

--
Carlos Eduardo Pedroza Santiviago
Interaction with the Standard Samba “create mask” Parameters
There are four parameters that control interaction with the standard Samba
create mask parameters:
* security mask
* force security mode
* directory security mask
* force directory security mode
When a user clicks on OK to apply the permissions, Samba maps the given
permissions into a user/group/world r/w/x triplet set, and then checks the
changed permissions for a file against the bits set in the security mask
parameter. Any bits that were changed that are not set to 1 in this
parameter are left alone in the file permissions.
Essentially, zero bits in the security mask may be treated as a set of bits
the user is not allowed to change, and one bits are those the user is
allowed to change.
If not explicitly set, this parameter defaults to the same value as the
create mask parameter. To allow a user to modify all the user/group/world
permissions on a file, set this parameter to 0777.
Next Samba checks the changed permissions for a file against the bits set in
the force security mode parameter. Any bits that were changed that
correspond to bits set to 1 in this parameter are forced to be set.
Essentially, bits set in the force security mode parameter may be treated as
a set of bits that, when modifying security on a file, the user has always
set to be on.
If not explicitly set, this parameter defaults to the same value as the
force create mode parameter. To allow a user to modify all the
user/group/world permissions on a file with no restrictions, set this
parameter to 000. The security mask and force security mode parameters are
applied to the change request in that order.
For a directory, Samba performs the same operations as described above for a
file except it uses the parameter directory security mask instead of
security mask, and force directory security mode parameter instead of force
security mode.
The directory security mask parameter by default is set to the same value as
the directory mask parameter and the force directory security mode parameter
by default is set to the same value as the force directory mode parameter.
In this way Samba enforces the permission restrictions that an administrator
can set on a Samba share, while still allowing users to modify the
permission bits within that restriction.
If you want to set up a share that allows users full control in modifying
the permission bits on their files and directories and does not force any
particular bits to be set on, then set the following parameters in the
smb.conf file in that share-specific section:
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
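The two-step rule quoted above (security mask first, then force security mode, with defaults taken from the create/directory mask parameters) is easy to misjudge by hand, so here it is modelled in plain Python. This is an added example, not Samba project code: it only reimplements the mode-bit arithmetic the text describes. The smb.conf defaults used for the fallback (create mask 0744, directory mask 0755, both force modes 0) are the documented defaults; the share definitions are constructed, the first mirroring the [test] share from the original post (create mask and directory mask 0777, so security mask defaults to 0777) and the second a locked-down variant.

```python
"""Model the "security mask" / "force security mode" rule from the Samba
HOWTO text. Added example, not Samba code: it reimplements the described
bit arithmetic so the effect of each parameter can be inspected offline.
"""


def apply_security_change(current_mode, requested_mode, security_mask, force_mode):
    """Return the mode Samba would store after a client's permission change.

    Step 1 (security mask): a bit may change only if it is 1 in the mask;
    bits the client tried to flip that are 0 in the mask keep their value.
    Step 2 (force security mode): every bit set here is forced on.
    The text says the two are applied in exactly that order.
    """
    attempted = current_mode ^ requested_mode      # bits the client tried to flip
    permitted = attempted & security_mask          # of those, the ones allowed to flip
    new_mode = (current_mode & ~permitted) | (requested_mode & permitted)
    return new_mode | force_mode                   # step 2: forced-on bits


# Documented smb.conf defaults, used when a share sets none of the masks.
SMB_DEFAULTS = {
    "create mask": "0744",
    "directory mask": "0755",
    "force create mode": "0",
    "force directory mode": "0",
}


def resolve_security_params(share, is_directory):
    """Return (security mask, force mode) in effect for a file or directory.

    As the text states, "security mask" defaults to "create mask" and
    "force security mode" to "force create mode"; directories use the
    "directory ..." variants instead. Values are octal strings as in smb.conf.
    """
    if is_directory:
        mask_keys = ("directory security mask", "directory mask")
        force_keys = ("force directory security mode", "force directory mode")
    else:
        mask_keys = ("security mask", "create mask")
        force_keys = ("force security mode", "force create mode")
    settings = {**SMB_DEFAULTS, **share}
    mask = next(settings[k] for k in mask_keys if k in settings)
    force = next(settings[k] for k in force_keys if k in settings)
    return int(mask, 8), int(force, 8)


# Constructed share definitions. TEST_SHARE mirrors the [test] share in the
# original post; LOCKED_SHARE lets users change only the owner bits and
# forces group read on.
TEST_SHARE = {"create mask": "0777", "directory mask": "0777"}
LOCKED_SHARE = {"security mask": "0700", "force security mode": "0040"}


def demo():
    """Owner of a 0770 file tries to drop the group bits (requests 0700)."""
    results = {}
    for name, share in (("test", TEST_SHARE), ("locked", LOCKED_SHARE)):
        mask, force = resolve_security_params(share, is_directory=False)
        results[name] = oct(apply_security_change(0o770, 0o700, mask, force))
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: 0770 -> requested 0700 -> stored {mode}")
```

With the [test] share's 0777 masks the request goes through unchanged and the group bits are cleared; with the locked-down share the group bits cannot be touched at all and the stored mode stays 0770. Note that these parameters govern only the user/group/world triplet that the NT permission change is mapped onto; they do not add or remove named POSIX ACL entries like the ones shown disappearing earlier in the thread, which is why tightening them is not by itself a fix for that symptom.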