Aaron Kincer
2007-Jun-01 21:46 UTC
[Samba] 3.0.24 -- Office read only issue, bizarre EAs and disappearing ACLs
Everyone,

I have finally resolved the new heartburn 3.0.24 on Ubuntu Feisty was giving me and have stumbled upon some information that might help others out there. I was seeing problems with ACL entries getting mangled and disappearing, Excel making files read only and extended attributes doing bizarre things.

The solution revolved around what appears to be a change in how ACLs are managed. With 3.0.22 on Ubuntu 6.06 and 6.10, I didn't see this issue. Without properly configured default entries on folders, Excel seems to mangle user and group ACLs.

In the share definition below, you see map read only, archive, system and hidden all set to "no". Without this (at least for read only), saving files in Excel sets the user.DOSATTRIB value to 0x1 (read only) when it should be 0x20 (archive).

On a related issue, I still can't get Microsoft Word 2003 to set the archive bit when changes are made. I've posted a workaround here before, but this one still bugs me. I wish there were a way to tell Samba to set the archive flag on a file using user.DOSATTRIB whenever a file is modified. Perhaps this is not reasonable or would create too much overhead. I'm thinking of comparing the modified date at the time a file was opened to the modified date when it is closed. Hopefully the developers out there can provide insight.

Here are steps to reproduce the problem I described above:

1) Configure server with settings below (minus the map read only = no setting on the share)
2) Create a folder called testfolder in the common share with no default ACL entries
3) Create an Excel spreadsheet in testfolder
4) Add UserA to the group GroupA that has rwx ACL permissions to the folder and file. The command to add rwx is:

    setfacl -m group:"domain+GroupA":rwx /share/common/testfolder

5) Make UserB and GroupB the UNIX owner and group of the file:

    chown "domain+UserB" /share/common/testfolder/test.xls
    chgrp "domain+GroupB" /share/common/testfolder/test.xls

6) Open the file with UserA
7) Make a change and save it

ACL on testfolder before:

    # file: ../testfolder
    # owner: DOMAIN+UserB
    # group: DOMAIN+GroupB
    user::rwx
    user:DOMAIN+UserB:rwx
    group::rwx
    group:DOMAIN+GroupA:rwx
    group:DOMAIN+GroupB:rwx
    mask::rwx
    other::---

ACL on test.xls before UserA makes a change:

    # file: test.xls
    # owner: DOMAIN+UserB
    # group: DOMAIN+GroupB
    user::rwx
    user:DOMAIN+UserB:rwx
    group::rwx
    group:DOMAIN+GroupA:rwx
    group:DOMAIN+GroupBA:rwx
    mask::rwx
    other::---

ACL on test.xls after UserA makes a change:

    # file: test.xls
    # owner: DOMAIN+UserA
    # group: DOMAIN+GroupB
    user::r--
    user:DOMAIN+UserB:rwx
    group::---
    group:DOMAIN+GroupA:rwx
    group:DOMAIN+GroupBA:rwx
    mask::rwx
    other::---

Reopening the file at this point shows that it is read only in Excel.

Now, reset permissions and add map read only = no to the share definition:

    setfattr -n user.DOSATTRIB -v \"0x0\" /share/common/testfolder/test.xls
    chown "domain+UserB" /share/common/testfolder/test.xls
    chgrp "domain+GroupB" /share/common/testfolder/test.xls
    setfacl -m user::rwx /share/common/testfolder/test.xls
    setfacl -m group::rwx /share/common/testfolder/test.xls
    setfacl -m user::rwx /share/common/testfolder
    setfacl -m group::rwx /share/common/testfolder
    setfacl -d -m user::rwx /share/common/testfolder
    setfacl -d -m user:UserB:rwx /share/common/testfolder
    setfacl -d -m group::rwx /share/common/testfolder
    setfacl -d -m group:"domain+GroupA":rwx /share/common/testfolder
    setfacl -d -m group:"domain+GroupB":rwx /share/common/testfolder

Then the problem is solved. The ACL for testfolder now looks like this:

    # file: testfolder
    # owner: DOMAIN+UserB
    # group: DOMAIN+GroupB
    user::rwx
    user:DOMAIN+UserB:rwx
    group::rwx
    group:DOMAIN+GroupA:rwx
    group:DOMAIN+GroupB:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:DOMAIN+UserB:rwx
    default:group::rwx
    default:group:DOMAIN+GroupA:rwx
    default:group:DOMAIN+GroupB:rwx
    default:mask::rwx
    default:other::---

If you want to propagate the default settings throughout the directory structure, you can do this:

    find /share/common -type d -exec setfacl -d -m user::rwx {} \;

Here is information on my setup:

    OS: Ubuntu 7.04 Feisty Server
    Samba: 3.0.24 (3.0.24-2ubuntu according to dpkg)
    acl: 2.2.42 (2.2.42-1ubuntu1)
    attr: 2.4.32 (2.4.32-1.1ubuntu1)
    File system: ext3 with acl and user_xattr enabled
    Network environment: Active Directory native via Windows Server 2003

Samba configuration:

assume:

    domain name: domain
    long name: domain.local
    file server name: FS01
    local subnet: 192.168.1.0/24
    remote subnet: 192.168.0.0/24
    domain controllers: DC01 and DC02
    shares root folder location: /share/

    [global]
    kernel oplocks = yes
    client use spnego = yes
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    server string = FS01
    security = ADS
    log level = 2
    log file = /var/log/samba/%m.log
    max log size = 1000
    server signing = auto
    printcap name = /etc/printcap
    os level = 0
    preferred master = no
    local master = no
    domain master = no
    remote announce = 192.168.0.255
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    hosts allow = 192.168.0., 192.168.1., 192.168.2., 127.
    printing = cups
    cups options = raw
    print command
    lpq command = %p
    lprm command
    disable netbios = no
    netbios name = FS01
    announce as = NT Server
    announce version = 4.9
    browse list = yes
    client signing = auto
    socket options = TCP_NODELAY
    host msdfs = no
    password server = DC01, DC02

    [common]
    comment = common drive
    path = /share/common
    read only = no
    guest ok = no
    nt acl support = yes
    inherit acls = yes
    inherit permissions = yes
    map acl inherit = yes
    ea support = yes
    store dos attributes = yes
    map archive = no
    map hidden = no
    map read only = no
    map system = no
    dos filemode = yes

I hope this helps someone out there.

Aaron Kincer
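
The post traces the mangled ACLs to folders that carry no default ACL entries. As an added example (not part of the original post), the shell function below reads a getfacl dump and lists every access entry that has no matching default: entry, run here against the testfolder ACLs quoted in the post. The function names are hypothetical, and the live-use helper assumes getfacl is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Read one `getfacl` dump on stdin; print each access entry (type:qualifier)
# that has no matching default: entry, in the order the entries appear.
missing_defaults() {
    awk '
        /^#/ || NF == 0 { next }            # skip "# file:" headers and blanks
        /^default:/ {                       # remember every default entry
            sub(/^default:/, "")
            split($0, f, ":"); have[f[1] ":" f[2]] = 1
            next
        }
        {                                   # access entry: keep first-seen order
            split($0, f, ":"); key = f[1] ":" f[2]
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in have)) print order[i]
        }'
}

# testfolder ACL as quoted in the post before the fix (no default entries).
acl_before() {
    cat <<'EOF'
# file: ../testfolder
# owner: DOMAIN+UserB
# group: DOMAIN+GroupB
user::rwx
user:DOMAIN+UserB:rwx
group::rwx
group:DOMAIN+GroupA:rwx
group:DOMAIN+GroupB:rwx
mask::rwx
other::---
EOF
}

# ACL after the fix: the same entries plus a default: copy of each.
acl_after() { acl_before; acl_before | grep -v '^#' | sed 's/^/default:/'; }
# Live use (assumes getfacl is installed): audit every directory under $1.
audit_tree() {
    find "$1" -type d | while IFS= read -r d; do
        m=$(getfacl -p "$d" 2>/dev/null | missing_defaults | tr '\n' ' ')
        if [ -n "$m" ]; then printf '%s lacks defaults for: %s\n' "$d" "$m"; fi
    done
}
echo "before: $(acl_before | missing_defaults | tr '\n' ' ')"
echo "after:  $(acl_after | missing_defaults | tr '\n' ' ')"
```

On a real server, `audit_tree /share/common` prints one line per directory that is still missing default entries.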