samba - Jun 2011 - Different permissions displayed in "security" tab and "advanced" tab

Hello everyone,

Got a weird ACL issue:

First of all, my Linux host is fully ACL enabled (kernel support, file
system support, mount with xattr, library support, samba compilation
support, all set).

Then a share is created with vfs acl_xattr and ea support on, got mounted on
a Windows client as administrator, and a directory created right under the
drive. The issue is when I was checking out the security tab, as can be seen
from attached screenshot, the administrator is displayed with no permission
at all (nothing ticked) in the basic security tab, whereas the advanced tab
shows the administrator with full control, which is self-contradictory and
confusing. I then try to grant some permission to administrator by ticking
and clicking apply, failed with the error "can't save the changes...
the
parameter is invalid".

I do suppose full control is correct because I can read, write and
everything under the directory, plus getfacl from Linux side demonstrated
that administrator is actually with "rwx" on the newly created
directory.

Any idea why is this? Thanks in advance.

p.s. I have no problem adding/granting additional ACLs for users other than
administrator.

Regards
-David

David,

Samba does not have the ability to change the permissions of directories 
on the security tab, and many times they will not be displayed either.  
As you have already discovered, permissions on directories are changed 
in Advanced.  The permissions of files can be manipulated on the 
security tab.

Dale


On 06/22/2011 4:28 AM, David Roid wrote:
> Hello everyone,
>
> Got a weird ACL issue:
>
> First of all, my Linux host is fully ACL enabled (kernel support, file
> system support, mount with xattr, library support, samba compilation
> support, all set).
>
> Then a share is created with vfs acl_xattr and ea support on, got mounted
on
> a Windows client as administrator, and a directory created right under the
> drive. The issue is when I was checking out the security tab, as can be
seen
> from attached screenshot, the administrator is displayed with no permission
> at all (nothing ticked) in the basic security tab, whereas the advanced tab
> shows the administrator with full control, which is self-contradictory and
> confusing. I then try to grant some permission to administrator by ticking
> and clicking apply, failed with the error "can't save the
changes... the
> parameter is invalid".
>
> I do suppose full control is correct because I can read, write and
> everything under the directory, plus getfacl from Linux side demonstrated
> that administrator is actually with "rwx" on the newly created
directory.
>
> Any idea why is this? Thanks in advance.
>
> p.s. I have no problem adding/granting additional ACLs for users other than
> administrator.
>
> Regards
> -David

Dale Schroeder wrote:
> On 06/24/2011 12:11 AM, Linda W wrote:
> David was trying to view and change permissions on a user that was 
> already listed on the security tab; he was not adding a user or group.
----
	I did this just now, changed it to full control for the one listed
user and group and 'Everyone'...  I then told it to propagate ....
it did, but visiting a sub folder doesn't have the 'propagated from
parent'
message.

	But the perms got changed with the exception of trying to delete
'Creator_owner and 'creator_group'...they see to not be deletable.

I haven't tested the full extent of changing 'creator-owner/group',
but
the user and group that are listed as the creator owner&group is changeable.

> If yours looks like mine, the permissions of the user and group defined 
> as the posix owner and group are blanked out, and if  you try to mark 
> anything there, it will fail.
---
	They are not blanked out -- they say 'special' because they only 
apply to the current folder (and are not propagated).  Otherwise they say
'Full control' which is what the user has....but the user's perms
can
be set to 'full control' on the security and permisions page because you
can set the user and group id's to have Full control that is inheritable
on the subdirs and file.  But right now, unix doesn't support have the
'inherited from' information set....(because the acls are set on each
item,
whereas on NT may files can share 1 access list.  Much like on linux,
already, multiple names can point to the same inode.

> Sometimes, there will be an error window popup; other times, the checked 
> Like you, I have the drive mounted with user_xattr and acl. 
---
	My mount options include no user_xattr or acl options  (they aren't
'options' in xfs but 'features', like unix permission bits -
they don't
have to be specified to be turned on).
> This is a long standing difference between Samba and native MS, more of 
> an annoyance than a problem.
> I have read that Samba is working on full acl compatibility with MS, I 
> think in 3.6.  We'll have to wait and see if this corrects the
differences.

I'm currently running 3.6, so maybe that explains some of the 
differences we are seeing...