[Samba] ACL strange behaviour - Samba


  1. [Samba] ACL strange behaviour

    hi,

    i'm experiencing a strange behaviour when setting ACL from Windows XP
    clients (server is BDC with LDAP) after migrating service from SLES 9.3
    to SLES 10.1:

    i can't set ACL to a folder to give access to individual users without
    allowing the group of the creator. step by step, i tried to remove group
    permissions (which worked fine) but, when i add permissions to other
    users, group permissions become effective for the group in the
    directory (but not in its subfolders)

    the correct behaviour is that i can allow access to several users
    without access for the group, and this was working after the migration.

    it could be a different ACL behaviour between SLES 9 (Samba
    3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba 3.0.28-0.2-1625-SUSE-CODE10)?

    how i can get ACL working if so?

    information about my configuration:
    * users belong to a common group (ie, group1) to get access to shares
    * shares are 770 (owner root, group group1)
    * smb config for shares:
    [test]
    path = /data/test
    read only = no
    browseable = no
    create mask = 0660
    directory mask = 0770
    write list = @GROUP1
    read list = @GROUP1
    force group = GROUP1
    valid users = @GROUP1, @"Domain Admins"
    * smb global config (relevant)
    [global]
    netbios name = server
    workgroup = wg
    security = user
    os level = 45
    preferred master = no
    domain master = no
    local master = yes
    mangling method = hash2
    encrypt passwords = yes
    domain logons = yes
    logon path =
    passdb backend = ldapsam:"ldap://localhost"
    ldap suffix = dc=wg,dc=intranet
    ldap admin dn = cn=Manager,dc=wg,dc=intranet
    ldap ssl = yes
    ldap machine suffix = ou=Machines
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap delete dn = Yes
    enable privileges = yes
    unix password sync = no
    unix extensions = no
    nt acl support = yes
    inherit acls = yes


    thanks in advance,

    toni
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] ACL strange behaviour

    On Fri, Apr 4, 2008 at 7:39 AM, toni wrote:
    > hi,
    >
    > i'm experiencing a strange behaviour when setting ACL from Windows XP
    > clients (server is BDC with LDAP) after migrating service from SLES 9.3
    > to SLES 10.1:
    >
    > i can't set ACL to a folder to give access to individual users without
    > allowing the group of the creator. step by step, i tried to remove group
    > permissions (which worked fine) but, when i add permissions to other
    > users, group permissions become effective for the group in the
    > directory (but not in its subfolders)
    >
    > the correct behaviour is that i can allow access to several users
    > without access for the group, and this was working after the migration.
    >
    > it could be a different ACL behaviour between SLES 9 (Samba
    > 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba 3.0.28-0.2-1625-SUSE-CODE10)?
    >
    > how i can get ACL working if so?
    >
    > write list = @GROUP1
    > read list = @GROUP1
    > force group = GROUP1
    > valid users = @GROUP1, @"Domain Admins"


    It may be just my testing but I have found when you force things like
    this (and don't just use the unix file system permissions to do the
    same thing) the acls do not work as expected.

    John

  3. Re: [Samba] ACL strange behaviour

    hi john,

    On Fri, 04 Apr 2008 09:12:38 -0400
    John Drescher wrote:

    > On Fri, Apr 4, 2008 at 7:39 AM, toni wrote:
    > > hi,
    > >
    > > i'm experiencing a strange behaviour when setting ACL from Windows
    > > XP clients (server is BDC with LDAP) after migrating service from
    > > SLES 9.3 to SLES 10.1:
    > >
    > > i can't set ACL to a folder to give access to individual users
    > > without allowing the group of the creator. step by step, i tried to
    > > remove group permissions (which worked fine) but, when i add
    > > permissions to other users, group permissions become effective for
    > > the group in the directory (but not in its subfolders)
    > >
    > > the correct behaviour is that i can allow access to several users
    > > without access for the group, and this was working after the
    > > migration.
    > >
    > > it could be a different ACL behaviour between SLES 9 (Samba
    > > 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
    > > 3.0.28-0.2-1625-SUSE-CODE10)?
    > >
    > > how i can get ACL working if so?
    > >
    > > write list = @GROUP1
    > > read list = @GROUP1
    > > force group = GROUP1
    > > valid users = @GROUP1, @"Domain Admins"

    >
    > It may be just my testing but I have found when you force things like
    > this (and don't just use the unix file system permissions to do the
    > same thing) the acls do not work as expected.


    i don't understand what you mean with "just use the unix file system
    permissions":

    # ls -l /data
    total 4
    drwxrwx--- 6 root GROUP1_W 4096 Apr 4 15:20 test

    filesystem is ext3 (also tested with xfs with same result) with acl
    enabled (of course)

    more information, in some shares i'm using readonly and readwrite
    groups:
    write list = @GROUP1_W
    read list = @GROUP1_R
    force group = GROUP1_W
    valid users = @GROUP1_R, @GROUP1_W, @"Domain Admins"

    i need to use 'force group' to ensure that users in the same
    (readwrite) group get access to every file created by any other group
    member in the share.

    example of an operation:

    * create a folder inside this share (no ACL in the newly created folder)

    $ getfacl /data/test/folder
    # file: data/test/folder
    # owner: USER1
    # group: GROUP1_W
    user::rwx
    group::rwx
    other::---

    * remove group permissions via Windows XP ACL editor (must be
    done denying every Windows ACL for the group):

    $ getfacl /data/test/folder
    # file: data/test/folder
    # owner: USER1
    # group: GROUP1_W
    user::rwx
    user:root:rwx
    group::---
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:other::---

    * add permissions for USER2:

    $ getfacl /data/test/folder
    # file: data/test/folder
    # owner: USER1
    # group: GROUP1_W
    user::rwx
    user:root:rwx
    user:USER2:r-x
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:USER2:r-x
    default:group::---
    default:mask::rwx
    default:other::---

    as you can see, group permissions 'come back' after adding permission
    for USER2!

    i recall this was working with samba on SLES 9.3, so i think it may be
    possible on a newer version of samba 3.0.20b (from SLES 9.3)

    thanks,

    toni


    > John

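A way to catch the regression shown in message 3, as an added example that is not part of the original thread: it parses two `getfacl` listings, applies the POSIX mask rule, and reports every entry whose effective permissions grew. The function names are hypothetical, and the sample input is the step 2 and step 3 listings from the post with `default:other` spelled out.

```python
def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms for one getfacl listing."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop "# file:" headers and "#effective:" notes
        if line:
            parts = line.split(":")
            scope = "default" if parts[0] == "default" else "access"
            tag, qual, perms = parts[-3:]
            acl[(scope, tag, qual)] = perms
    return acl

def effective(acl, scope):
    """Apply the mask to named users and to group entries; owner and other are unmasked."""
    mask = acl.get((scope, "mask", ""), "rwx")  # no mask entry means nothing is masked
    out = {}
    for (s, tag, qual), perms in acl.items():
        if s == scope and tag != "mask":
            if tag == "group" or (tag == "user" and qual):
                perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
            out[(tag, qual)] = perms
    return out

def widened(before, after, scope="access"):
    """Entries whose effective permissions gained bits between two listings."""
    old = effective(parse_getfacl(before), scope)
    new = effective(parse_getfacl(after), scope)
    return [(key, old.get(key, "---"), perms) for key, perms in sorted(new.items())
            if any(n != "-" and o == "-" for o, n in zip(old.get(key, "---"), perms))]

# Listings from the post: after denying the group (step 2), after adding USER2 (step 3).
STEP2 = "\n".join(["# file: data/test/folder", "user::rwx", "user:root:rwx",
                   "group::---", "mask::rwx", "other::---",
                   "default:user::rwx", "default:group::---", "default:other::---"])
STEP3 = "\n".join(["# file: data/test/folder", "user::rwx", "user:root:rwx",
                   "user:USER2:r-x", "group::rwx", "mask::rwx", "other::---",
                   "default:user::rwx", "default:user:USER2:r-x",
                   "default:group::---", "default:mask::rwx", "default:other::---"])

if __name__ == "__main__":
    for scope in ("access", "default"):
        for (tag, qual), was, now in widened(STEP2, STEP3, scope):
            print(f"{scope}: {tag}:{qual} {was} -> {now}")
```

Any reported entry other than the one just granted (here the owning group under the access scope) is a grant the ACL editor did not ask for; the default scope reports only USER2, which matches the observation that subfolders are unaffected.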

  4. Re: [Samba] ACL strange behaviour

    Hi Toni.


    On Friday, 4 April 2008, toni wrote:
    > hi john,
    >
    > On Fri, 04 Apr 2008 09:12:38 -0400
    >
    > John Drescher wrote:
    > > On Fri, Apr 4, 2008 at 7:39 AM, toni wrote:
    > > > hi,
    > > >
    > > > i'm experiencing a strange behaviour when setting ACL from Windows
    > > > XP clients (server is BDC with LDAP) after migrating service from
    > > > SLES 9.3 to SLES 10.1:
    > > >
    > > > i can't set ACL to a folder to give access to individual users
    > > > without allowing the group of the creator. step by step, i tried to
    > > > remove group permissions (which worked fine) but, when i add
    > > > permissions to other users, group permissions become effective for
    > > > the group in the directory (but not in its subfolders)
    > > >
    > > > the correct behaviour is that i can allow access to several users
    > > > without access for the group, and this was working after the
    > > > migration.
    > > >
    > > > it could be a different ACL behaviour between SLES 9 (Samba
    > > > 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
    > > > 3.0.28-0.2-1625-SUSE-CODE10)?
    > > >



    We had the same problems, finally we have downgraded our samba to 3.0.24 which
    is SLES 10 + SP1 base version.

    I had tested with 3.0.25 and 3.0.28 and had problems, also with domain trust
    with an NT domain


    Greetings


    --
    Regards.

    Carlos Lorenzo Matés.
    clmates AT mundo-r.com



  5. Re: [Samba] ACL strange behaviour

    On Fri, 04 Apr 2008 21:04:21 +0200
    Carlos Lorenzo Matés wrote:

    > Hi Toni.
    >
    >
    > On Friday, 4 April 2008, toni wrote:
    > > hi john,
    > >
    > > On Fri, 04 Apr 2008 09:12:38 -0400
    > >
    > > John Drescher wrote:
    > > > On Fri, Apr 4, 2008 at 7:39 AM, toni wrote:
    > > > > hi,
    > > > >
    > > > > i'm experiencing a strange behaviour when setting ACL from
    > > > > Windows XP clients (server is BDC with LDAP) after migrating
    > > > > service from SLES 9.3 to SLES 10.1:
    > > > >
    > > > > i can't set ACL to a folder to give access to individual users
    > > > > without allowing the group of the creator. step by step, i
    > > > > tried to remove group permissions (which worked fine) but, when
    > > > > i add permissions to other users, group permissions become
    > > > > effective for the group in the directory (but not in its
    > > > > subfolders)
    > > > >
    > > > > the correct behaviour is that i can allow access to several
    > > > > users without access for the group, and this was working after
    > > > > the migration.
    > > > >
    > > > > it could be a different ACL behaviour between SLES 9 (Samba
    > > > > 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
    > > > > 3.0.28-0.2-1625-SUSE-CODE10)?
    > > > >

    >
    >
    > We had the same problems, finally we have downgraded our samba to
    > 3.0.24 which is SLES 10 + SP1 base version.


    verified, it works with 3.0.24!
    (SLES 10 + SP1, with codename: Samba 3.0.24-2.36-1616-SUSE-CODE10)

    do you know if this issue was reported to samba? i cannot find any ACL
    related bug in samba's bugtracker.

    if not i will file a bug report.

    thanks for all,

    toni

    >
    > I had tested with 3.0.25 and 3.0.28 and had problems, also with
    > domain trust with an NT domain
    >
    >
    > Greetings
    >



  6. Re: [Samba] ACL strange behaviour

    On Monday, 7 April 2008, toni wrote:
    > On Fri, 04 Apr 2008 21:04:21 +0200
    >
    > Carlos Lorenzo Matés wrote:
    > > Hi Toni.
    > >
    > > On Friday, 4 April 2008, toni wrote:
    > > > hi john,
    > > >
    > > > On Fri, 04 Apr 2008 09:12:38 -0400
    > > >
    > > > John Drescher wrote:
    > > > > On Fri, Apr 4, 2008 at 7:39 AM, toni wrote:
    > > > > > hi,
    > > > > >
    > > > > > i'm experiencing a strange behaviour when setting ACL from
    > > > > > Windows XP clients (server is BDC with LDAP) after migrating
    > > > > > service from SLES 9.3 to SLES 10.1:
    > > > > >
    > > > > > i can't set ACL to a folder to give access to individual users
    > > > > > without allowing the group of the creator. step by step, i
    > > > > > tried to remove group permissions (which worked fine) but, when
    > > > > > i add permissions to other users, group permissions become
    > > > > > effective for the group in the directory (but not in its
    > > > > > subfolders)
    > > > > >
    > > > > > the correct behaviour is that i can allow access to several
    > > > > > users without access for the group, and this was working after
    > > > > > the migration.
    > > > > >
    > > > > > it could be a different ACL behaviour between SLES 9 (Samba
    > > > > > 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
    > > > > > 3.0.28-0.2-1625-SUSE-CODE10)?

    > >
    > > We had the same problems, finally we have downgraded our samba to
    > > 3.0.24 which is SLES 10 + SP1 base version.

    >
    > verified, it works with 3.0.24!
    > (SLES 10 + SP1, with codename: Samba 3.0.24-2.36-1616-SUSE-CODE10)
    >
    > do you know if this issue was reported to samba? i cannot find any ACL
    > related bug in samba's bugtracker.
    >
    > if not i will file a bug report.


    No, but i opened some bug reports with novell (i had a premium service for
    support), and they have not been able to solve this. i think that novell is
    involved in the samba development, but i don't know if they had reported this
    problem to the samba devs.

    if you open the bug, please put the link here and i will add the information i
    sent to novell regarding this bug.

    also i think you should report this to novell if you have a SLES


    Thanks





    --
    Regards.

    Carlos Lorenzo Matés.
    clmates AT mundo-r.com
