[Samba] Inherited ACLs can not be removed on Solaris10 sparc
Hi,

I have a problem with the removal of inherited ACLs on subdirectories. It almost sounds like only adding ACLs works, but removal of inherited ACLs does not. By default the access rights (including ACLs) should be inherited, but it should also be possible to remove the access rights from any subdirectory.

This is what I am trying to do: I have a share called media with some users / groups. All permissions from the media share (folder) are inherited by any folder created below it, which works (see below). The problem is that when I try to remove access rights using the Windows XP right-click Security tab, the removal doesn't work.

    [EMAIL PROTECTED] # getfacl /data1/shared/media
    # file: /data1/shared/media
    # owner: usera
    # group: root
    user::rwx
    user:userb:rwx          #effective:rwx
    user:userc:rwx          #effective:rwx
    group::rwx              #effective:rwx
    mask:rwx
    other:rwx

    [EMAIL PROTECTED] /data1/shared/media # getfacl New\ Folder
    # file: New Folder
    # owner: usera
    # group: groupa
    user::rwx
    user:userb:rwx          #effective:rwx
    user:userb:rwx          #effective:rwx
    group::rwx              #effective:rwx
    group:root:rwx          #effective:rwx
    mask:rwx
    other:rwx

This is what I tried and it didn't work: right-click on a folder as usera, click Properties, Security tab, select an inherited user and click the Remove button. The entry disappears as expected. Then, after clicking the Apply button, the entry is back in the list. It looks like something is disallowing the removal of the inherited access rights.

I have tried the same thing from the command line using

    setfacl -d u:userb::rwx New\ Folder

and it works without a problem, so I am not sure what I am doing wrong. My smb.conf is below. Any help is greatly appreciated.
-Eli

---
Samba version: 3.0.28 (included with Solaris10 5/08)
Using UFS file system

cat smb.conf
---
    [global]
    workgroup = organization
    netbios name = hosta
    realm = DOMAIN.LOCAL
    server string = Samba domain (%h)
    use kerberos keytab = true
    local master = no
    domain master = no
    guest account = guestacc
    security = ADS
    host msdfs = yes
    log level = 3
    max log size = 500

    ;;; LDAP Section ;;;
    ;enable privileges = yes
    ldap admin dn = cn=samba,ou=profile,dc=bnh,dc=com
    ldap suffix = o=domain.com,dc=domain,dc=com
    passdb backend = ldapsam:ldap://ldap1.bnh.com:389;
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap machine suffix = ou=Hosts
    ldap ssl = no

    ;;; Printing Section ;;;
    printing = bsd
    show add printer wizard = yes
    printcap name = /etc/printers.conf
    lpq cache time = 30
    client use spnego = yes
    deadtime = 30

    [media]
    comment = Media Share
    path = /data1/shared/media
    writable = yes
    create mask = 0777
    force create mode = 0777
    directory mask = 0777
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = yes

--
Eli Kleinman
BH Photo Video, Inc.
420 9TH Avenue
New York, NY 10001 USA
Phone: 212-239-7500 Ext.2154
Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Inherited ACLs can not be removed
Hi,

I have more information about the problem:

a) It does not have anything to do with inheritance
b) adding ACLs works
c) removing ACLs does not work (with a 'real' Windows client)

I did the following test:

- access rights:
      drwxrws--- 2 crunchy Share Admins 1024 2008-05-23 21:45 /shares/finanzen/
- add r-x rights for Domain Users with a Windows XP client (logged in as crunchy) - works
- remove access rights for Domain Users - does not work

I repeated the test with smbcacls:

- smbcacls -U crunchy -a ACL:Domain\ Users:ALLOWED/2/READ //qamaster/finanzen /
- smbcacls -U crunchy //qamaster/finanzen /
      Password:
      REVISION:1
      OWNER:UNIVENTION+crunchy
      GROUP:UNIVENTION+Share Admins
      ACL:UNIVENTION+crunchy:ALLOWED/0/FULL
      ACL:UNIVENTION+Domain Users:ALLOWED/0/READ
      ACL:UNIVENTION+Share Admins:ALLOWED/0/FULL
      ACL:+Everyone:ALLOWED/0/FULL
- smbcacls -U crunchy -D ACL:Domain\ Users:ALLOWED/0/READ //qamaster/finanzen /
      Password:
- smbcacls -U crunchy //qamaster/finanzen /
      Password:
      REVISION:1
      OWNER:UNIVENTION+crunchy
      GROUP:UNIVENTION+Share Admins
      ACL:UNIVENTION+crunchy:ALLOWED/0/FULL
      ACL:UNIVENTION+Share Admins:ALLOWED/0/FULL
      ACL:+Everyone:ALLOWED/0/FULL

With smbcacls it works, but not with the Windows XP client. BTW, I'm using Samba version 3.0.26a.

Any idea?

regards
Andreas

--
Andreas Büsching [EMAIL PROTECTED]
Development, Linux for Your Business
Univention GmbH, http://www.univention.de/
fon: +49 421 22 232- 0
fax: +49 421 22 232-99

[Samba] Inherited ACLs can not be removed
Hi,

I have a problem with the inheritance of ACLs, or rather with the removal of the inherited ACLs in subdirectories. The scenario is the following: by default the access rights (including ACLs) should be inherited, but it should also be possible to remove the access rights from any subdirectory. Therefore I've set up the following configuration:

    [Finanzen]
    path = /shares/finanzen
    msdfs root = no
    writeable = yes
    browseable = yes
    public = no
    create mode = 0744
    directory mode = 0755
    force create mode = 00
    force directory mode = 00
    security mask = 0777
    directory security mask = 0777
    force security mode = 00
    force directory security mode = 00
    locking = 1
    blocking locks = 1
    strict locking = 0
    oplocks = 1
    level2 oplocks = 1
    fake oplocks = 0
    csc policy = manual
    nt acl support = 1
    inherit acls = 1
    inherit owner = no
    inherit permissions = yes
    dos filemode = no

    [EMAIL PROTECTED]:/shares# getfacl finanzen/
    # file: finanzen
    # owner: crunchy
    # group: Share\040Admins
    user::rwx
    group::rwx
    group:Domain\040Users:r--
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:Domain\040Users:r--
    default:mask::rwx
    default:other::---

The ACLs for Domain Users were set with a Windows client. After that, a subdirectory TEST01 was created (BTW, the group sticky bit is set):

    [EMAIL PROTECTED]:/shares# getfacl finanzen/TEST01/
    # file: finanzen/TEST01
    # owner: crunchy
    # group: Share\040Admins
    user::rwx
    user:root:rwx
    group::rwx
    group:Domain\040Users:r--
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:group:Domain\040Users:r--
    default:mask::rwx
    default:other::---

When I try to remove the access rights for Domain Users on TEST01 (via Properties, Security tab, Advanced... button) the following happens: clicking the Remove button results in the disappearance of the entry, as expected. After clicking the Apply button the entry is back in the list again. It looks like 'inherit acls' does not allow removing the inherited access rights on subdirectories.

When I remove the access to TEST01 for Domain Users with setfacl [-d] -x ... (POSIX ACLs and default POSIX ACLs) and add any other access right to the directory via Windows, the access rights for Domain Users are added again.

Does anyone have an idea why this happens? Is there a mistake in my configuration? If you need any further information, just ask.

thanks in advance
Andreas

--
Andreas Büsching [EMAIL PROTECTED]
Development, Linux for Your Business
Univention GmbH, http://www.univention.de/
fon: +49 421 22 232- 0
fax: +49 421 22 232-99
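
Added example, not part of the original messages: a small Python check that parses the two getfacl listings from the message above, derives what TEST01 would hold from POSIX default-ACL inheritance alone, and reports the entries that differ. The function names `parse`, `expected_child` and `diff` are illustrative.

```python
import re
# Entry lines of the two getfacl listings quoted in the message above.
PARENT = r"""# file: finanzen
user::rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---"""
CHILD = r"""# file: finanzen/TEST01
user::rwx
user:root:rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---"""

def parse(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}} from getfacl output."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop headers and '#effective:' notes
        if not line:
            continue
        scope = "default" if line.startswith("default:") else "access"
        parts = line.removeprefix("default:").split(":")
        # Solaris prints 'mask:rwx' (two fields), Linux prints 'mask::rwx' (three).
        name = parts[1] if len(parts) == 3 else ""
        name = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)
        acl[scope][(parts[0], name)] = parts[-1]
    return acl

def expected_child(parent):
    """POSIX rule: a new subdirectory starts with the parent's default ACL as both
    its access ACL (the create mode can only clear bits) and its default ACL."""
    return {"access": dict(parent["default"]), "default": dict(parent["default"])}

def diff(expected, actual):
    """Map each differing entry to (expected perms, actual perms); None means absent."""
    keys = sorted(expected.keys() | actual.keys())
    return {k: (expected.get(k), actual.get(k)) for k in keys if expected.get(k) != actual.get(k)}
```

On these listings the access-ACL differences are `user:root:rwx` and `group::` being `rwx` rather than `---`, so those two entries did not come from default-ACL inheritance alone; the `Domain Users` entry is present in both the access and the default ACL of TEST01.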