Nelson Vale
2007-Dec-06 12:17 UTC
[Samba] [POSIX ACLs] Only ACE rules from Samba Primary Group are applied.
Hi,

I've a samba 3.0.24 server running in a debian "alike" OS with a (Open)LDAP backend and I'm having the following problem: I have LDAP users that belong to more than one (POSIX) group. For instance, I have a user2 that belongs to group "users" and "grupo2" and I have a share with the following ACL settings:

    getfacl /home/shares/share1/
    getfacl: Removing leading '/' from absolute path names
    # file: home/shares/share1
    # owner: user1
    # group: grupo1
    user::rwx
    group::rwx
    group:grupo2:r-x
    group:users:rw-
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:grupo2:r-x
    default:group:users:rw-
    default:mask::rwx
    default:other::---

user2 has group "grupo2" in the sambaPrimaryGroupSID in LDAP.

If I login with this user into "share1" and try to create a file it will get "Permission Denied". If I login as user2 in system and go to share1 folder I'm able to create files, so settings are OK. Also if I use the "write list = @users" I'm able to create files when I'm connected to the share.

In the samba logs I can see that the ACL -> UNIX conversion seems fine:

    gid_to_sid: local 100 -> S-1-22-2-100
    canonicalise_acl: Access ace entries before arrange :
    canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms ---
    canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP perms rw-
    canon_ace index 2. Type = allow SID = S-1-22-2-1001 gid 1001 (grupo2) SMB_ACL_GROUP_OBJ perms r-x
    canon_ace index 3. Type = allow SID S-1-5-21-822431398-922470320-1179183166-1666 uid 1666 (user2) SMB_ACL_USER_OBJ perms rwx
    print_canon_ace_list: canonicalise_acl: ace entries after arrange
    canon_ace index 0. Type = allow SID S-1-5-21-822431398-922470320-1179183166-1666 uid 1666 (user2) SMB_ACL_USER_OBJ perms rwx
    canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP perms rw-
    canon_ace index 2. Type = allow SID = S-1-22-2-1001 gid 1001 (grupo2) SMB_ACL_GROUP_OBJ perms r-x
    canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms ---
    map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
    map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
    map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
    map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0

But when I try to create the file I get:

    New file New Text Document (2).txt
    unix_mode(New Text Document (2).txt) inheriting from .
    unix_mode(New Text Document (2).txt) inherit mode 42770
    unix_mode(New Text Document.txt) returning 0760
    open_file_ntcreate: fname=New Text Document.txt, dos_attrs=0x80 access_mask=0x2019f share_access=0x7 create_disposition = 0x2 create_options=0x40 unix mode=0760 oplock_request=3
    open_file_ntcreate: fname=New Text Document.txt, after mapping access_mask=0x2019f
    allocated file structure 2723, fnum = 6819 (2 used)
    calling open_file with flags=0x2 flags2=0x80 mode=0777, access_mask 0x2019f, open_access_mask = 0x2019f
    Permission denied opening New Text Document (2).txt

If I use the "write list = @users" I get:

    New file New Briefcase
    [2007/12/06 13:54:04, 2] smbd/dosmode.c:unix_mode(96)
      unix_mode(New Briefcase) inheriting from .
    [2007/12/06 13:54:04, 2] smbd/dosmode.c:unix_mode(104)
      unix_mode(New Briefcase) inherit mode 42770
    [2007/12/06 13:54:04, 3] smbd/dosmode.c:unix_mode(147)
      unix_mode(New Briefcase) returning 0760
    [2007/12/06 13:54:04, 10] smbd/open.c:open_file_ntcreate(1144)
      open_file_ntcreate: fname=New Briefcase, dos_attrs=0x80 access_mask=0x2019f share_access=0x7 create_disposition = 0x2 create_options=0x40 unix mode=0760 oplock_request=3
    [2007/12/06 13:54:04, 10] smbd/open.c:open_file_ntcreate(1306)
      open_file_ntcreate: fname=New Briefcase, after mapping access_mask=0x2019f
    [2007/12/06 13:54:04, 5] smbd/files.c:file_new(126)
      allocated file structure 5967, fnum = 10063 (2 used)
    [2007/12/06 13:54:04, 4] smbd/open.c:open_file_ntcreate(1545)
      calling open_file with flags=0x2 flags2=0xC0 mode=0777, access_mask 0x2019f, open_access_mask = 0x2019f
    [2007/12/06 13:54:04, 10] smbd/open.c:fd_open(56)
      fd_open: name New Briefcase, flags = 0302 mode = 0777, fd = 26.
    [2007/12/06 13:54:04, 2] smbd/open.c:open_file(352)
      nelsonvale opened file New Briefcase read=Yes write=Yes (numopen=2)
    [2007/12/06 13:54:04, 3] smbd/sec_ctx.c:push_sec_ctx(208)
      push_sec_ctx(0, 1000) : sec_ctx_stack_ndx = 1
    [2007/12/06 13:54:04, 3] smbd/uid.c:push_conn_ctx(345)
      push_conn_ctx(101) : conn_ctx_stack_ndx = 0
    [2007/12/06 13:54:04, 3] smbd/sec_ctx.c:set_sec_ctx(241)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/12/06 13:54:04, 5] auth/auth_util.c:debug_nt_user_token(448)
      NT user token: (NULL)

What I've figured so far is that UNIX file access rules work fine, but for POSIX ACLs only Primary Group access rules are applied for ACL settings.

The differences I see between the two cases are in the "flags2" variable in "calling open_file" FOR THE SAME SHARE, USER AND GROUP SETTINGS:

ACLs only:

    calling open_file with flags=0x2 flags2=0x80 mode=0777, access_mask 0x2019f, open_access_mask = 0x2019f

"write list":

    calling open_file with flags=0x2 flags2=0xC0 mode=0777, access_mask 0x2019f, open_access_mask = 0x2019f

The smb.conf file is like:

    [share1]
    security mask = 0777
    inherit owner = yes
    hide unreadable = no
    create mask = 0770
    force directory security mode = 0
    public = no
    directory security mask = 2777
    inherit acls = yes
    nt acl support = yes
    browseable = yes
    writeable = no
    inherit permissions = yes
    path = /home/shares/share1
    force security mode = 0
    directory mask = 2770
    comment = Samba Test Share

    [global]
    log file = /var/log/samba.log
    ldap user suffix = ou=People
    passwd chat = *new password* %n\n *retype password* %n\n *changed*
    idmap gid = 10000-20000
    logon drive = z:
    ldap password sync = yes
    domain master = yes
    wins proxy = no
    passdb backend = ldapsam:ldap://127.0.0.1:389
    wins support = yes
    ldap delete dn = Yes
    server string = Samba Server
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    idmap uid = 10000-20000
    logon script = netlogon.sh
    ldap suffix = dc=local,dc=loc
    local master = yes
    workgroup = SAMBAWORKGROUP
    ldap admin dn = cn=Administrator,ou=People,dc=local,dc=loc
    printcap name = cups
    security = user
    ldap idmap suffix = ou=Idmap
    preferred master = yes
    log level = 99
    domain logons = yes
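The post's diagnosis, that the share behaves as if only user2's primary group were honoured, comes down to which groups the server puts in the session's token before the POSIX ACL is evaluated. The following is an added example, not code from the original post and not Samba's own implementation: it parses the getfacl output quoted above (copied here as constructed input), then evaluates the POSIX.1e access-check algorithm as Linux applies it (owner entry, then named user, then owning group plus named groups under the mask, then other) for user2 once with only the primary group "grupo2" and once with the full group set including "users". The names user2, user1, grupo1, grupo2 and users come from the post; the functions and the permission bit layout are this example's own.

```python
"""POSIX.1e ACL access check (added example, modelled on the Linux algorithm).

Not code from the original post or from Samba. It shows why a token that
carries only the primary group is denied write access on share1 while the
same user with the supplementary group "users" is granted it.
"""
from typing import List, NamedTuple, Set

R, W, X = 4, 2, 1  # permission bits, same layout as rwx in getfacl output


class Entry(NamedTuple):
    tag: str        # 'user', 'group', 'mask' or 'other'
    qualifier: str  # '' for owner / owning group / mask / other, else a name
    perms: int      # bitmask of R | W | X


class Acl(NamedTuple):
    owner: str
    group: str
    entries: List[Entry]


# Constructed copy of the getfacl output quoted in the post.
SHARE1_ACL = """\
# file: home/shares/share1
# owner: user1
# group: grupo1
user::rwx
group::rwx
group:grupo2:r-x
group:users:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:grupo2:r-x
default:group:users:rw-
default:mask::rwx
default:other::---
"""


def parse_perms(text: str) -> int:
    """Turn 'rw-' style text into an R|W|X bitmask."""
    bits = 0
    for ch, bit in zip(text, (R, W, X)):
        if ch != '-':
            bits |= bit
    return bits


def parse_getfacl(text: str) -> Acl:
    """Parse the access ACL from getfacl output; default entries are skipped
    because they only shape new children, not access to this object."""
    owner = group = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('# owner:'):
            owner = line.split(':', 1)[1].strip()
        elif line.startswith('# group:'):
            group = line.split(':', 1)[1].strip()
        elif not line or line.startswith('#') or line.startswith('getfacl:'):
            continue
        elif line.startswith('default:'):
            continue
        else:
            # getfacl may append '#effective:...' when the mask narrows an entry
            tag, qualifier, perms = line.split('#', 1)[0].strip().split(':')
            entries.append(Entry(tag, qualifier, parse_perms(perms)))
    if owner is None or group is None:
        raise ValueError('getfacl output lacks owner/group header')
    return Acl(owner, group, entries)


def acl_permission(acl: Acl, user: str, groups: Set[str], want: int) -> bool:
    """Return True if `user`, holding `groups`, is granted every bit in `want`."""
    mask = 7
    for e in acl.entries:
        if e.tag == 'mask':
            mask = e.perms
    # 1. owner: user:: entry, not subject to the mask
    if user == acl.owner:
        obj = next(e for e in acl.entries if e.tag == 'user' and e.qualifier == '')
        return (obj.perms & want) == want
    # 2. named user entry, masked
    for e in acl.entries:
        if e.tag == 'user' and e.qualifier == user:
            return (e.perms & mask & want) == want
    # 3. owning group and named groups: any matching entry that grants `want`
    #    wins; if entries matched but none grants it, access is denied and the
    #    'other' entry is never consulted
    matched = False
    for e in acl.entries:
        if e.tag != 'group':
            continue
        name = acl.group if e.qualifier == '' else e.qualifier
        if name in groups:
            matched = True
            if (e.perms & mask & want) == want:
                return True
    if matched:
        return False
    # 4. other
    other = next(e for e in acl.entries if e.tag == 'other')
    return (other.perms & want) == want


def share1_write_outcome(groups: Set[str]) -> bool:
    """Can user2 create files in share1 (needs W on the directory) with this token?"""
    return acl_permission(parse_getfacl(SHARE1_ACL), 'user2', groups, W)


if __name__ == '__main__':
    print('primary group only :', share1_write_outcome({'grupo2'}))           # False
    print('with supplementary :', share1_write_outcome({'grupo2', 'users'}))  # True
```

Running it reproduces the two behaviours in the post without touching Samba: a token holding only "grupo2" hits the masked `group:grupo2:r-x` entry and is denied write, while a token that also holds "users" matches `group:users:rw-` and is granted it. When a share denies access that a local shell login permits, comparing the group list the server actually resolved for the session (for example from the `debug_nt_user_token` lines at a high log level, as in the post) against the named-group entries in the ACL is the first check to make; the "write list" override succeeds precisely because it bypasses this group lookup rather than fixing it.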