Thank you Simo.

Yes, in fact, I explain this behaviour the way you said: Windows changes ACLs to match those on its own filesystem. But it's weird because: why only on directories? And, if this is really a "feature": are there any tricks to avoid it? Like a registry key? Or do I need to use a Windows server to play with Active Directory and security strategy?

Sylvain.

simo wrote:
Sylvain if I understand your problem correctly, you are getting problems
with a Windows "feature".

IIRC what happens is that when you copy a directory Windows also changes
the ACLs to match those on its own filesystem (if it recognizes that the
user belongs to the domain).

I don't think this is a samba problem.

Simo.

On Wed, 2006-07-12 at 17:12 +0200, [EMAIL PROTECTED]
wrote:
Hi,

I sent an email to the bestbits mailing list (http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) because if nobody answers on this mailing list, it's probably directly linked to ACLs. But I really don't know if the problem is only with bestbits or only with samba, because I can reproduce the bug only in samba, not in the console. So this bug seems to be linked to samba?

Am I the only one who would like to use ACLs? Is there any other solution to have fine-grained access rules which works with samba (like trustees)?
Because if default ACLs don't work, I think using ACLs is nonsense.

For the while, hoping this bug will be fixed sometime, I use a dirty script run by cron which checks & fixes ACLs.
I know it's dirty... but do I have any other choice?

I give up on this mystery. I'm too tired.

[EMAIL PROTECTED] wrote:
Hi,

I use samba 3.0.22 as PDC on Debian with workstations under Windows XP SP1 and SP2.
I use ACLs to have fine-grained access rules.

When I copy a directory from a client to a samba share, the default ACLs are forgotten.
Example: after I copy the directory A to the samba share:
getfacl A/
# file: A/
# owner: user1
# group: sambausers
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

But the parent directory has default ACLs, I can prove it:
getfacl .
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---

Is it a bug? Because default ACLs are applied if I copy files. So why the different behaviour between directories and files? I noticed that it happens only to local directories which belong to MYDOMAIN\user. If the owner of the local directory is LOCALCOMPUTER\user the default ACLs are applied correctly. But once again, it concerns only directories. When the file belongs to MYDOMAIN\user the ACLs are applied correctly.

All I want is that default ACLs are applied all the time, whatever the owner of the local directory.

I tried to play with "directory security mask", "force directory security mode" and inherit permissions, without success.
Thank you for your help, I really don't know what to do.

My smb.conf looks like this:

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------
[global]
       dos charset = 850
       unix charset = ISO8859-1
       workgroup = elb-lyon
       netbios name = server02
       server string = server02.elb-lyon
       os level = 65
       domain logons = Yes
       domain master = Yes
       local master = Yes
       preferred master = Yes
       wins support = Yes

       obey pam restrictions = Yes
       passdb backend = tdbsam, guest
       passwd program = /usr/bin/passwd %u
       passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
       passwd chat debug = Yes
       pam password change = Yes
       unix password sync = Yes

       syslog = 0
       log level = 2
       # log level max = 10
       log file = /var/log/samba/log.%m
       max log size = 25600
       dns proxy = No
       panic action = /usr/share/samba/panic-action %d
       invalid users = root2

       # default samba user parameters
       logon drive = P:
       logon home = \\server02\%U
       logon path = \\server02\profiles\%U
       logon script = %U.cmd

       # automatic POSIX account management :)
       # POSIX account management
       add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
       add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
       add group script = /usr/sbin/groupadd '%g'
       add user to group script = /usr/bin/gpasswd -a '%u' '%g'
       delete user script = /usr/sbin/userdel -r '%u'
       delete group script = /usr/sbin/groupdel '%g'
       delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
       set primary group script = /usr/sbin/usermod -g '%g' '%u'

       veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

       guest account = guest

       hosts allow = 192.168.0. 127.

# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------
[homes]
       path = /mnt/SAN01/vd3_home2/home2/%u
       comment = Home Directories
       valid users = %S
       guest ok = No
       writable = Yes
       create mask = 0700
       directory mask = 0700
       browseable = No

[netlogon]
       path = /mnt/SAN01/vd3_home2/netlogon
       comment = NetLogon share
       valid users = @sambausers @sambaguests root
       guest ok = No
       read only = Yes
       browseable = No

[profiles]
       path = /mnt/SAN01/vd3_home2/profiles
       comment = User profiles
       valid users = @sambausers @sambaguests root
       guest ok = No
       writable = Yes
       create mode = 0700
       browseable = No

# -----------------------------------------------------------------------------
# Shares
# -----------------------------------------------------------------------------
[vd1_echange]
       comment = Exchange area.
       path = /mnt/SAN01/vd1_echange
       valid users = root @sambaadmins @sambaguests @User_Standard
       guest ok = No
       writable = Yes
       create mask = 0770
       directory mask = 0770
       browseable = yes
       # inherit permissions = yes
       inherit acls = yes
       hide unreadable = Yes
       # directory security mask = 0000
       # force directory security mode = 0777



--
Sylvain DAVID / network administrator

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --

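The cron "check & fix" approach Sylvain mentions above, written out as an added example (not a script from the thread or from the Samba project): it compares the default ACL of a parent directory with the ACL of a directory created beneath it and builds the setfacl command that restores the default entries the child did not receive. The two getfacl listings are the ones posted above, embedded as constructed sample input so the script runs without touching a filesystem; the getfacl wrapper and the choice to re-add each missing entry both as a default entry and as an access entry on the directory itself are this example's own assumptions.

```python
"""Added example (not from the thread): detect default-ACL drift on a Samba share.

Compares the default ACL of a parent directory with the ACL of a directory
created beneath it and builds the setfacl command that puts back the default
entries the child did not inherit.  The sample input is the getfacl output
posted in the thread, embedded so the script runs without a real filesystem.
"""
import shlex
import subprocess

# Constructed sample input: the parent (.) and copied directory (A/) listings from the thread.
PARENT_GETFACL = """\
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---
"""

CHILD_GETFACL = """\
# file: A/
# owner: user1
# group: sambausers
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
"""


def parse_getfacl(text):
    """Parse one getfacl listing into (path, {entry_key: perms}).

    entry_key is everything before the permission field, e.g. "default:user:root"
    or "mask:"; a trailing "#effective:..." annotation is ignored.
    """
    path = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# file:"):
                path = line.split(":", 1)[1].strip()
            continue  # other header lines (owner, group, flags)
        line = line.split("#", 1)[0].strip()
        key, _, perms = line.rpartition(":")
        entries[key] = perms
    return path, entries


def missing_defaults(parent_entries, child_entries):
    """Default entries of the parent that the child lacks or carries with other perms."""
    want = {k: v for k, v in parent_entries.items() if k.startswith("default:")}
    return {k: v for k, v in want.items() if child_entries.get(k) != v}


def setfacl_command(path, missing):
    """Return the setfacl command line restoring `missing`, or None if nothing is missing.

    Assumption made by this example: each missing default entry is re-added twice,
    as a default entry (so directories created later inherit it again) and as an
    access entry on the directory itself, which is what a directory that had
    inherited the parent's default ACL at creation time would carry.
    """
    if not missing:
        return None
    specs = []
    for key, perms in sorted(missing.items()):
        default_entry = f"{key}:{perms}"               # e.g. default:user:root:rwx
        specs.append(default_entry[len("default:"):])  # e.g. user:root:rwx
        specs.append(default_entry)
    return f"setfacl -m {shlex.quote(','.join(specs))} {shlex.quote(path)}"


def getfacl(path):
    """Run getfacl on a real path (assumed helper; the embedded sample does not use it)."""
    return subprocess.run(["getfacl", "--absolute-names", path],
                          check=True, capture_output=True, text=True).stdout


def audit(parent_text, child_text):
    """Return (child_path, missing_entries, setfacl_command_or_None) for two listings."""
    _, parent = parse_getfacl(parent_text)
    child_path, child = parse_getfacl(child_text)
    missing = missing_defaults(parent, child)
    return child_path, missing, setfacl_command(child_path, missing)


if __name__ == "__main__":
    child_path, missing, cmd = audit(PARENT_GETFACL, CHILD_GETFACL)
    for key, perms in sorted(missing.items()):
        print(f"{child_path}: missing {key}:{perms}")
    if cmd:
        print(cmd)
```

Run against real directories, `audit(getfacl(parent), getfacl(child))` gives the command for one directory; a cron job would walk the share, run that for every directory whose parent has default entries, and execute the returned command only after reviewing what it prints. The script reports entries rather than silently applying them so that a directory whose ACL was deliberately narrowed is not widened again without someone noticing.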

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
