Bug 1220 - empty ACL permission on directory in explorer security tab
empty ACL permission on directory in explorer security tab
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: File Services
3.0.9
All FreeBSD
: P3 major
: none
Assigned To: Jeremy Allison
Samba QA Contact
http://194.186.147.81/~tiamat/acl.jpg
:
: 1865 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-28 12:33 UTC by Alex Deiter
Modified: 2005-02-08 20:45 UTC (History)
5 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Deiter 2004-03-28 12:33:02 UTC
I'm using Samba 3.0.2a PDC (compile with --with-acl-support) on FreeBSD 5.2.1.
And i have problems with display of access rights on directories:

# getfacl /var/tmp/test/test-folder
#file:/var/tmp/test/test-folder
#owner:2004
#group:2513
user::rwx
user:cboss:rwx
group::r-x
mask::rwx
other::r-x

smbcacls show this ACL's:
# smbcacls //server/test test-folder -U tiamat
Password:
REVISION:1
OWNER:KOMI\tiamat
GROUP:KOMI\Domain Users
ACL:KOMI\tiamat:ALLOWED/0/FULL
ACL:KOMI\Domain Users:ALLOWED/0/READ
ACL:KOMI\cboss:ALLOWED/0/FULL
ACL:\Everyone:ALLOWED/0/READ

But explorer (from Windows 2000 SP4) on \\server\test\test-folder properties (in
security tab) show empty ACL permission's for all users and groups (please, see
http://194.186.147.81/~tiamat/acl.jpg)

Thanks a lot!
Comment 1 Alex Deiter 2004-03-28 12:40:13 UTC
sorry, i forgotten my smb.conf:

[global]
        dos charset = 866
        unix charset = UTF8
        display charset = UTF8
        workgroup = KOMI
        passdb backend = 'ldapsam:ldapi://%2fvar%2frun%2fopenldap%2fldapi'
        guest account = guest
        log file = /var/log/samba/%m.log
        domain logons = Yes
        os level = 255
        domain master = Yes
        wins support = Yes
        ldap suffix = dc=komi,dc=mts,dc=ru
        ldap admin dn = cn=manager,dc=komi,dc=mts,dc=ru
        host msdfs = Yes
        use sendfile = Yes

[test]
        path = /var/tmp/test
        read only = No

Thanks!
Comment 2 Gerald (Jerry) Carter 2004-04-10 15:50:31 UTC
Jeremy, this is what we spoke about at SambaXP.  Can you take a 
look when you get a chance?  Thanks.
Comment 3 Alex Deiter 2004-11-03 02:30:21 UTC
Explorer security tab properties display only default ACL of a directory instead
of the access ACL. Example:

1. create directory test without default ACL:
test directory ACL:
%  getfacl test
#file:test
#owner:2004
#group:2513
user::rwx
group::r-x
group:veda:rwx
group:admins:rwx
mask::rwx
other::r-x

test directory default ACL
% getfacl -d test
#file:test
#owner:2004
#group:2513
user::rwx
group::---
other::---

% smbcacls //server/share test -U tiamat
REVISION:1
OWNER:KOMI\tiamat
GROUP:KOMI\Domain Users
ACL:KOMI\tiamat:ALLOWED/0/FULL
ACL:KOMI\Domain Admins:ALLOWED/0/FULL
ACL:KOMI\Domain Veda:ALLOWED/0/FULL
ACL:KOMI\Domain Users:ALLOWED/0/READ
ACL:\Everyone:ALLOWED/0/READ
ACL:\Creator Owner:ALLOWED/11/FULL
ACL:\Creator Group:ALLOWED/11/
ACL:\Everyone:ALLOWED/11/

explorer show empty security permissions on this directory:
http://213.87.48.51/~tiamat/acl1.bmp

2. create directory test with default ACL:
test directory ACL:
%  getfacl test
#file:test
#owner:2004
#group:2513
user::rwx
group::r-x
group:veda:rwx
group:admins:rwx
mask::rwx
other::r-x

test directory default ACL
% getfacl -d test
#file:test
#owner:2004
#group:2513
user::rwx
group::---
group:veda:rwx
group:admins:rwx
mask::rwx
other::---

% smbcacls //server/share test -U tiamat
REVISION:1
OWNER:KOMI\tiamat
GROUP:KOMI\Domain Users
ACL:KOMI\Domain Admins:ALLOWED/3/FULL
ACL:KOMI\Domain Veda:ALLOWED/3/FULL
ACL:\Everyone:ALLOWED/0/READ
ACL:KOMI\tiamat:ALLOWED/0/FULL
ACL:KOMI\Domain Users:ALLOWED/0/READ
ACL:\Creator Owner:ALLOWED/11/FULL
ACL:\Creator Group:ALLOWED/11/
ACL:\Everyone:ALLOWED/11/

explorer show security permissions on this directory:
http://213.87.48.51/~tiamat/acl2.bmp

Thanks a lot!
Comment 4 Alex Deiter 2004-11-03 02:30:58 UTC
Sorry i forgotten: Samba 3.0.7
Comment 5 Guenther Deschner 2004-11-24 18:16:37 UTC
*** Bug 1865 has been marked as a duplicate of this bug. ***
Comment 6 Jeremy Allison 2004-11-24 19:03:39 UTC
This looks to me like an artifact of the security viewer.
If the "normal" and "default" acls on a directory match (ie. a user of group is
present in both, and differs by inheritence etc.) - this is what a Windows file
server would return, and so the security viewer shows the correct bits.
If I set a missmatched POSIX acl and default POSIX acl on a directory, and view
using the XP security viewer, then again no bits are displayed. But if you look
into the "advanced" tab you will see all the "normal" and "default" acls as set
on the file - it's just the "non-advanced" view won't show them to you.
I'm not sure we can fix this in Samba.
Jeremy.
Comment 7 Gerald (Jerry) Carter 2005-02-08 20:45:53 UTC
marking as 'wont fix' based on jeremy's comments.