Hi, Since 3.2.4 (maybe earlier, but I doubt it), one important feature does not work anymore for me: I cannot break ACL inheritance anymore in the Windows ACL editor. With previous Samba versions, I entered the "Advanced" dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". Afterwards, I could remove or change ACLs as needed. If I do this now, ACLs that exist on the next higher directory level re-appear after having deleted them. Are there changed configuration options or am I missing something else here? Breaking inheritance is very important in our system as we often need to restrict access to subdirectories. At the moment, I can only try to modify ACLs on the Linux level in order to get the desired behavior. Thanks in advance for help Peter Rindfuss
On Tue, Nov 04, 2008 at 02:16:24PM +0100, Peter Rindfuss wrote:> Hi, > > Since 3.2.4 (maybe earlier, but I doubt it), one important feature does > not work anymore for me: > > I cannot break ACL inheritance anymore in the Windows ACL editor. With > previous Samba versions, I entered the "Advanced" dialog of the Windows > ACL editor and unchecked the flag "Inherit from parent the permission > entries that apply to child objects. Include these with entries > explicitly defined here". Afterwards, I could remove or change ACLs as > needed. If I do this now, ACLs that exist on the next higher directory > level re-appear after having deleted them. > > Are there changed configuration options or am I missing something else here? > > Breaking inheritance is very important in our system as we often need to > restrict access to subdirectories. > > At the moment, I can only try to modify ACLs on the Linux level in order > to get the desired behavior.Can you help me determine when this behavior changed ? 3.2.3 has a small change here that might affect this, but I'd be very interested to know if this was in 3.2.0, 3.2.1 or 3.2.3 (when it was introduced). I'm travelling at the moment with no access to Windows VM's to test this with, so if you need me to reproduce it'll have to wait until next monday (US Pacific time). Jeremy.
On 2008-11-04 22:55, Jeremy Allison wrote:> On Tue, Nov 04, 2008 at 04:23:03PM +0100, Peter Rindfuss wrote: > >> Sorry, not possible. 3.2.x was introduced here when upgrading from Suse >> 10.0 to OpenSuse 11.0. OpenSuse 11 comes with 3.2.0, I think, but when >> we went to production use, we already had installed 3.2.4. That was 2 >> weeks ago. >> The "(maybe earlier, but I doubt it)" in my original post makes no sense >> as we did not test it with any earlier version than 3.2.4. >> >> I found some possibly discussion at >> http://webui.sourcelabs.com/samba/issues/5052 > > Ok, thanks. Can you log a bug for me at bugzilla.samba.org > so I can track this when I get back to the USA. >See bug 5873: https://bugzilla.samba.org/show_bug.cgi?id=5873 Best, Peter
Hi Peter/Jeremy, I do have the same problem. I am going to try with 3.2.2 and let you know how it works. Thank you, Chandra -----Original Message----- From: Peter Rindfuss [mailto:rindfuss@wzb.eu] Sent: Wednesday, November 05, 2008 6:32 AM To: Jeremy Allison; samba Subject: Re: [Samba] 3.2.4 ACL inheritance trouble On 2008-11-04 22:55, Jeremy Allison wrote:> On Tue, Nov 04, 2008 at 04:23:03PM +0100, Peter Rindfuss wrote: > >> Sorry, not possible. 3.2.x was introduced here when upgrading fromSuse>> 10.0 to OpenSuse 11.0. OpenSuse 11 comes with 3.2.0, I think, butwhen>> we went to production use, we already had installed 3.2.4. That was 2>> weeks ago. >> The "(maybe earlier, but I doubt it)" in my original post makes nosense>> as we did not test it with any earlier version than 3.2.4. >> >> I found some possibly discussion at >> http://webui.sourcelabs.com/samba/issues/5052 > > Ok, thanks. Can you log a bug for me at bugzilla.samba.org > so I can track this when I get back to the USA. >See bug 5873: https://bugzilla.samba.org/show_bug.cgi?id=5873 Best, Peter