Re: [Samba] ACLs under Samba 3.3.0

Fri, 30 Jan 2009 13:12:17 -0800 

Miguel Medalha wrote:



Much of the ACL code has been rewritten to allow underlying
filesystems to implement "native" NT ACLs directly (...)


Good!


but the functionality should be the same as 3.2.x when not
using the "experimental" ACL modules.


  



I am not using the ACL modules and the functionality is definitely NOT 
the same. My users complained immediately.




We've been working to implement Samba 3.3 at our site since December. 
We saw the same behaviour that Miguel describes since RC2, and we see it 
today in a test with the final 3.3.0 release.



We opened a bug report, #6005, but we didn't have a chance to post the 
debug logs that Volcker requested, and it's closed, now.  We will 
probably do that next week and reopen it.  Here's the link: 
https://bugzilla.samba.org/show_bug.cgi?id=6005



I would describe the problem *slightly* differently from Miguel.  I do 
not think that ACLs are the real problem, because the bug behaviour 
exists regardless of whether you're using filesystem ACLs or not.



The problem seems to be that the configuration option 'acl map full 
control' isn't working anymore under 3.3.  This option took me a long 
time to understand, because it refers to Windows ACLs, not filesystem 
ACLs.  If the option is set (which is the default under both 3.2.7 and 
3.3.0), a user with 'rwx' UNIX permissions should get 'Full Control' 
rights under Windows.  This is regardless of whether the 'rwx' 
permissions come from the base UNIX permissions or POSIX ACLs.



3.2.7 works as the man page describes, but 3.3.0 does not.  Under 3.3.0, 
a user with 'rwx' will have every Windows right except for 'Delete' and 
'Full Control'.  Even the file's owner will lack those two rights. 
Nonetheless, the owner will be able to delete or rename the file, but 
not any other users, even if they apparently have identical rights.



Also, this behaviour seems to persist whether you explicitly turn 'acl 
map full control' on or off.  We also tried a few dozen combinations of 
other permission, ownership, and ACL-related options in 'smb.conf', and 
none of them worked.


-Ryan


--

Ryan B. Lynch
Engineer
Innovative Discovery, LLC
http://www.id-edd.com/
347.633.0512
ryan.ly...@id-edd.com
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba






















					Reply via email to