SAMBA only blocks/stops listing folders when the user has been denied all three of the permissions mentioned: 1) List folder/read data. 2) Read attributes. 3) Read extended attributes. SAMBA does allow listing the folders/files for a user who has been denied at least one of the permissions listed above. Note: Windows avoids displaying/rendering folders for a user who has been denied any one of the permissions listed above. Expectation: SAMBA should behave the same way Windows does.
OK, it looks like we need to check for: FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | SEC_STD_READ_CONTROL in this: bash-4.0$ diff -up smbd/dir.c smbd/dir.c.fix --- smbd/dir.c 2013-11-05 22:42:44.565464984 -0800 +++ smbd/dir.c.fix 2013-11-05 22:42:31.751405097 -0800 @@ -1185,7 +1185,7 @@ static bool user_can_read_file(connectio return True; } - return can_access_file_acl(conn, smb_fname, FILE_READ_DATA); + return can_access_file_acl(conn, smb_fname, (FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)); } (This patch was suggested by Partha but it needs one more permission by the look of things.)
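Review bot: the replacement call in user_can_read_file() passes only FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES, while the text introducing the hunk lists SEC_STD_READ_CONTROL as a fourth right that must be checked; as posted, a user who is denied READ_CONTROL but granted the three FILE_* rights would still have the entry listed. Suggest passing `(FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES | SEC_STD_READ_CONTROL)`, and adding a one-line comment above the call saying that Windows ABE hides an entry unless all four rights are granted, so the mask is not later narrowed back to FILE_READ_DATA by someone reading it as a plain readability check.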
A test: Here is my test case:

C:\New folder>icacls *
New folder KUMO\administrator:(I)(OI)(CI)(F)
           BUILTIN\Administrators:(I)(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           KUMO\Domain Users:(I)(OI)(CI)(RX)

New folder (2) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(Rc,S,RD,REA,X)

New folder (3) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(Rc,S,RD,X,RA)

New folder (4) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(S,RD,REA,X,RA)

New folder (5) KUMO\administrator:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               KUMO\Domain Users:(OI)(CI)(Rc,S,REA,X,RA)

Successfully processed 5 files; Failed processing 0 files

Notice that there is one file for each of the combinations of permissions we think are important. Here is what I see from smbclient when accessing this folder:

cc235# smbclient //10.1.3.78/new\ folder -Usome-dom/some-user%some-pass
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
Domain=[KUMO] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
smb: \> ls
  .                                   D        0  Sun Nov 10 11:25:50 2013
  ..                                  D        0  Sun Nov 10 11:25:50 2013
  New folder                          D        0  Sun Nov 10 11:22:09 2013

                40857 blocks of size 1048576. 17539 blocks available
smb: \>

This demonstrates, I believe, that all four of the bits mentioned above are needed before Windows will show files/folders when ABE is enabled. A further test demonstrates that the X bit (traverse folder/execute file) does not affect visibility under ABE.
Note: not having a particular permission is as good as having it explicitly denied.
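As an added illustration of the test above and of the note that an absent right counts the same as a denied one, the following is a minimal model of the access check that decides ABE visibility. It is example code written for this page, not Samba's or Microsoft's; the bit values are the standard Windows/Samba ones, but the ACE/DACL structures, the trustee-name matching and the sample DACLs (mirroring the five icacls entries, plus a sixth with an explicit deny ACE) are assumptions constructed for the demonstration. It also evaluates each entry under the pre-fix rule, which checked FILE_READ_DATA alone, so the difference is visible side by side.

```c
/* Added example (not Samba's or Microsoft's code): a minimal model of the
 * Windows access check behind access-based enumeration (ABE). An entry is
 * shown only if the caller is granted ALL of FILE_READ_DATA, FILE_READ_EA,
 * FILE_READ_ATTRIBUTES and READ_CONTROL. The ACE/DACL structs, trustee
 * matching and sample DACLs below are assumptions built for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_READ_DATA        0x00000001u  /* icacls RD  */
#define FILE_READ_EA          0x00000008u  /* icacls REA */
#define FILE_EXECUTE          0x00000020u  /* icacls X   */
#define FILE_READ_ATTRIBUTES  0x00000080u  /* icacls RA  */
#define SEC_STD_READ_CONTROL  0x00020000u  /* icacls Rc  */
#define SEC_STD_SYNCHRONIZE   0x00100000u  /* icacls S   */
#define FILE_ALL_ACCESS       0x001F01FFu  /* icacls F   */

/* The four rights a caller must hold for ABE to show an entry. */
#define ABE_VISIBLE_MASK (FILE_READ_DATA | FILE_READ_EA | \
                          FILE_READ_ATTRIBUTES | SEC_STD_READ_CONTROL)
/* icacls RX (generic read + execute) expands to these bits. */
#define RX_MASK (ABE_VISIBLE_MASK | FILE_EXECUTE | SEC_STD_SYNCHRONIZE)

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace  { enum ace_type type; const char *trustee; uint32_t mask; };
struct dacl { const char *name; size_t n; struct ace aces[6]; };

static bool trustee_matches(const char *trustee,
                            const char *const *groups, size_t ngroups)
{
    for (size_t i = 0; i < ngroups; i++)
        if (strcmp(trustee, groups[i]) == 0)
            return true;
    return false;
}

/* DACL evaluation after the MS-DTYP access-check pseudocode: walk the ACEs
 * in order, clearing granted bits from 'remaining'. A deny ACE for the
 * caller that overlaps any still-wanted bit fails the check outright. Bits
 * that no ACE ever grants stay in 'remaining', so a right that is simply
 * absent is treated exactly like one that is explicitly denied. */
bool access_granted(const struct dacl *acl, const char *const *groups,
                    size_t ngroups, uint32_t wanted)
{
    uint32_t remaining = wanted;
    for (size_t i = 0; i < acl->n && remaining != 0; i++) {
        const struct ace *ace = &acl->aces[i];
        if (!trustee_matches(ace->trustee, groups, ngroups))
            continue;
        if (ace->type == ACE_DENY) {
            if (ace->mask & remaining)
                return false;
        } else {
            remaining &= ~ace->mask;
        }
    }
    return remaining == 0;
}

#define DU "KUMO\\Domain Users"
#define ADMIN_ACES \
    { ACE_ALLOW, "KUMO\\administrator",     FILE_ALL_ACCESS }, \
    { ACE_ALLOW, "BUILTIN\\Administrators", FILE_ALL_ACCESS }, \
    { ACE_ALLOW, "NT AUTHORITY\\SYSTEM",    FILE_ALL_ACCESS }

/* Constructed sample DACLs: the five test folders (Domain Users gets RX
 * minus one of the four rights in turn) plus a sixth where an explicit deny
 * of FILE_READ_ATTRIBUTES precedes a full RX allow, in canonical order. */
static const struct dacl SAMPLE[] = {
    { "New folder",     4, { ADMIN_ACES, { ACE_ALLOW, DU, RX_MASK } } },
    { "New folder (2)", 4, { ADMIN_ACES, { ACE_ALLOW, DU, RX_MASK & ~FILE_READ_ATTRIBUTES } } },
    { "New folder (3)", 4, { ADMIN_ACES, { ACE_ALLOW, DU, RX_MASK & ~FILE_READ_EA } } },
    { "New folder (4)", 4, { ADMIN_ACES, { ACE_ALLOW, DU, RX_MASK & ~SEC_STD_READ_CONTROL } } },
    { "New folder (5)", 4, { ADMIN_ACES, { ACE_ALLOW, DU, RX_MASK & ~FILE_READ_DATA } } },
    { "New folder (6)", 5, { { ACE_DENY, DU, FILE_READ_ATTRIBUTES },
                             ADMIN_ACES, { ACE_ALLOW, DU, RX_MASK } } },
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

static const char *const DOMAIN_USER[]   = { DU };
static const char *const ADMINISTRATOR[] = { "BUILTIN\\Administrators" };

/* Visibility of sample entry idx for a Domain Users member, Windows rule. */
bool visible_to_domain_user(size_t idx)
{
    return access_granted(&SAMPLE[idx], DOMAIN_USER, 1, ABE_VISIBLE_MASK);
}

/* The same entry under the pre-fix Samba rule (FILE_READ_DATA only). */
bool visible_to_domain_user_read_data_only(size_t idx)
{
    return access_granted(&SAMPLE[idx], DOMAIN_USER, 1, FILE_READ_DATA);
}

/* Number of sample entries a caller holding these group names would see. */
size_t count_visible(const char *const *groups, size_t ngroups)
{
    size_t n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        if (access_granted(&SAMPLE[i], groups, ngroups, ABE_VISIBLE_MASK))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("%-15s Domain Users: Windows rule=%-6s READ_DATA-only rule=%s\n",
               SAMPLE[i].name,
               visible_to_domain_user(i) ? "shown" : "hidden",
               visible_to_domain_user_read_data_only(i) ? "shown" : "hidden");
    printf("Administrators see %zu of %zu entries\n",
           count_visible(ADMINISTRATOR, 1), (size_t)NSAMPLE);
    return 0;
}
```

Built with `cc -std=c99 -Wall abe_check.c`, the table shows only "New folder" for a Domain Users member under the Windows rule, matching the smbclient listing above, while the READ_DATA-only rule also shows (2), (3) and (4). Entry (6) shows why the ACE walk matters: an explicit deny of a single required bit hides the entry even though a later ACE allows full RX, and because the deny ACE is for a group the administrator is not in, administrators still see all six.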
Looks good to me. I'll write up a torture test case for master and get this into 4.1.next and master. Cheers, Jeremy.
any news on this Jeremy?
Created attachment 11486 [details] git-am fix for master. Placeholder for my smbtorture work. Adds smb2.acls.ACCESSBASED which passes against Win2k12R2. Full patch to follow. Jeremy.
Created attachment 11489 [details] git-am fix for master. Contains fix + torture test.
Created attachment 11491 [details] git-am fix for 4.3.next.
Created attachment 11492 [details] git-am fix for 4.2.next. Back-port from 4.3.next fix.
Re-assigning to Karolin for inclusion in 4.3.next, 4.2.next.
(In reply to Jeremy Allison from comment #10) Pushed to autobuild-v4-[2|3]-test.
(In reply to Karolin Seeger from comment #11) Pushed to both branches. Closing out bug report. Thanks!