[Acl-Devel] default ACL issue on Debian + kernel 2.6.12.6 + Samba 3.0.22 + ext3

sylvain.david@etranges-libellules.fr sylvain.david at etranges-libellules.fr
Fri Jul 7 09:08:24 CEST 2006


Hi,

I use samba 3.0.22 as PDC on Debian with workstations under Windows XP 
SP1 and SP2.
The server is a Debian Sarge with a custom kernel 2.6.12.6.
File system is ext3.
I use ACLs to have fine-grained access rules.
I tried the samba mailing list, but after reading 
http://acl.bestbits.at/pipermail/acl-devel/2005-January/001817.html I 
prefer to post to this mailing list :)
So:

When I copy a directory from a client to a samba share, default ACLs are 
forgotten.
Example: after I copy the directory A on the samba share:
getfacl A/
# file: A/
# owner: user1
# group: sambausers
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---

But the parent directory has default ACLs, I can prove it:
getfacl .
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---

Is it a bug? Because default ACLs are applied if I copy files. So why a 
different behavior between directories and files?
I noticed that it happens only to local directories which belong to 
MYDOMAIN\user. If the owner of the local directory is 
LOCALCOMPUTER\user the default ACLs are applied correctly. But once 
again, it concerns only directories. When the file belongs to MYDOMAIN\user 
ACLs are applied correctly.

All I want is that default ACLs are applied all the time, whatever 
the owner of the local directory.

I tried to play with "directory security mask", "force directory security 
mode" and "inherit permissions" without success.
Thank you for your help, I really don't know what to do.

If it can help, my smb.conf looks like this:

# -----------------------------------------------------------------------------
# Global parameters
# -----------------------------------------------------------------------------

[global]
      dos charset = 850
      unix charset = ISO8859-1
      workgroup = elb-lyon
      netbios name = server02
      server string = server02.elb-lyon
      os level = 65
      domain logons = Yes
      domain master = Yes
      local master = Yes
      preferred master = Yes
      wins support = Yes

      obey pam restrictions = Yes
      passdb backend = tdbsam, guest
      passwd program = /usr/bin/passwd %u
      passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
      passwd chat debug = Yes
      pam password change = Yes
      unix password sync = Yes

      syslog = 0
      log level = 2
      # log level max = 10
      log file = /var/log/samba/log.%m
      max log size = 25600
      dns proxy = No
      panic action = /usr/share/samba/panic-action %d
      invalid users = root2

      # default samba user parameters
      logon drive = P:
      logon home = \\server02\%U
      logon path = \\server02\profiles\%U
      logon script = %U.cmd

      # automatic POSIX account management :)
      # POSIX account management
      add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u'
      add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u'
      add group script = /usr/sbin/groupadd '%g'
      add user to group script = /usr/bin/gpasswd -a '%u' '%g'
      delete user script = /usr/sbin/userdel -r '%u'
      delete group script = /usr/sbin/groupdel '%g'
      delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
      set primary group script = /usr/sbin/usermod -g '%g' '%u'

      veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/

      guest account = guest

      hosts allow = 192.168.0. 127.

# -----------------------------------------------------------------------------
# Required for the domain
# -----------------------------------------------------------------------------

[homes]
      path = /mnt/SAN01/vd3_home2/home2/%u
      comment = Home Directories
      valid users = %S
      guest ok = No
      writable = Yes
      create mask = 0700
      directory mask = 0700
      browseable = No

[netlogon]
      path = /mnt/SAN01/vd3_home2/netlogon
      comment = Partage NetLogon
      valid users = @sambausers @sambaguests root
      guest ok = No
      read only = Yes
      browseable = No

[profiles]
      path = /mnt/SAN01/vd3_home2/profiles
      comment = Profils utilisateurs
      valid users = @sambausers @sambaguests root
      guest ok = No
      writable = Yes
      create mode = 0700
      browseable = No

# -----------------------------------------------------------------------------
# Shares
# -----------------------------------------------------------------------------

[vd1_echange]
      comment = Zone d'echange.
      path = /mnt/SAN01/vd1_echange
      valid users = root @sambaadmins @sambaguests @User_Standard
      guest ok = No
      writable = Yes
      create mask = 0770
      directory mask = 0770
      browseable = yes
      # inherit permissions = yes
      inherit acls = yes
      hide unreadable = Yes
      # directory security mask = 0000
      # force directory security mode = 0777


-- 
Sylvain DAVID / administrateur réseau

         adr : Etranges Libellules
  .~.          17 Rue des Archers
  /v\          69002 LYON
 /(°)\   tel : 04 72 40 24 72
 ^^-^^   fax : 04 72 40 27 19

  www.etranges-libellules.fr
                                   --
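To make the mismatch in the post above concrete, here is an added example (not code from the original post, from Samba or from the ACL project): a small Python checker that parses two getfacl listings, derives the ACL a new child should have received from the parent's default ACL under the POSIX 1003.1e (draft 17) inheritance rules the Linux kernel implements, and lists every entry that is missing or weaker than expected. The sample input is transcribed from the two getfacl listings in the post; the creation mode 0o770 is an assumption taken from the share's "directory mask = 0770".

```python
"""Check POSIX default-ACL inheritance from two getfacl outputs.

Rules applied (POSIX 1003.1e draft 17, as implemented by the Linux kernel):
  - a new object's access ACL is the parent's default ACL, with the user::,
    mask:: (or group:: when there is no mask) and other:: permissions
    restricted by the creation mode;
  - a new directory also copies the parent's default ACL as its own default
    ACL; a new file gets no default ACL.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def int_to_perms(n):
    """7 -> 'rwx', 5 -> 'r-x'."""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Return (access, default): dicts keyed by (tag, qualifier) -> perm int."""
    access, default = {}, {}
    for raw in text.splitlines():
        # Drop '# file:/owner:/group:' headers and trailing '#effective:' notes.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = perms_to_int(perms)
    return access, default


def expected_child_acl(parent_default, mode, is_dir):
    """ACL a new object should get from the parent's default ACL and its creation mode."""
    has_mask = ("mask", "") in parent_default
    access = {}
    for key, perm in parent_default.items():
        if key == ("user", ""):
            perm &= (mode >> 6) & 7
        elif key == ("other", ""):
            perm &= mode & 7
        elif key == ("mask", "") or (key == ("group", "") and not has_mask):
            perm &= (mode >> 3) & 7
        # Named user/group entries are bounded by the mask, not by the mode.
        access[key] = perm
    default = dict(parent_default) if is_dir else {}
    return access, default


def fmt_entry(key, perm):
    tag, qualifier = key
    return f"{tag}:{qualifier}:{int_to_perms(perm)}"


def inheritance_gaps(parent_text, child_text, mode=0o770, is_dir=True):
    """List the entries the child lacks relative to what the parent's default ACL implies."""
    _, parent_default = parse_getfacl(parent_text)
    child_access, child_default = parse_getfacl(child_text)
    exp_access, exp_default = expected_child_acl(parent_default, mode, is_dir)
    gaps = []
    for label, expected, actual in (("access", exp_access, child_access),
                                    ("default", exp_default, child_default)):
        for key, perm in sorted(expected.items()):
            got = actual.get(key)
            if got is None:
                gaps.append(f"{label}: missing {fmt_entry(key, perm)}")
            elif got != perm:
                gaps.append(f"{label}: {fmt_entry(key, got)} (expected {int_to_perms(perm)})")
    return gaps


# Constructed sample input, transcribed from the two getfacl listings in the post.
PARENT_ACL = """\
# file: .
# owner: user1
# group: sambausers
user::rwx
user:root:rwx
user:bacula:r-x
group::---
group:sambaguests:rwx
group:User_Standard:rwx
group:User_Lead:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:bacula:r-x
default:group::---
default:group:sambaguests:rwx
default:group:User_Standard:rwx
default:group:User_Lead:rwx
default:mask::rwx
default:other::---
"""

CHILD_ACL = """\
# file: A/
# owner: user1
# group: sambausers
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
"""

if __name__ == "__main__":
    # Assumed creation mode 0o770, matching the share's "directory mask = 0770".
    for gap in inheritance_gaps(PARENT_ACL, CHILD_ACL, mode=0o770, is_dir=True):
        print(gap)
```

Run against the listings from the post it reports twelve gaps: the six named user/group entries plus the mask are missing from both the access and the default ACL of A/, while user::, group:: and other:: match. Feeding the parent listing as its own child returns no gaps, which is the check to run on a freshly created subdirectory when verifying whether the kernel or the SMB server is the one dropping the inherited entries.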