Bug 166 - Setting ACLs on shares is a bit broken
Summary: Setting ACLs on shares is a bit broken
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.0preX
Hardware: All other
: P1 regression
Target Milestone: none
Assignee: Jim McDonough
QA Contact:
Depends on:
Reported: 2003-06-14 12:34 UTC by John H Terpstra (mail address dead(
Modified: 2005-08-24 10:18 UTC (History)
0 users

See Also:

Checks netsharesetinfo 1005 CSC settings to see if they match smb.conf (2.97 KB, patch)
2003-07-01 12:48 UTC, Jim McDonough
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra (mail address dead( 2003-06-14 12:34:50 UTC
In NEXUS SRVMGR any attempt to set ACLs on shares does not work. This was
reported in a previous bug report. Volker said we should NOT fix it.

Use of SRVMGR in NT4 or MMC ComputerManagement Snap-In for WinXPPro also do NOT
work. Any attempt to set or change the share ACL results in a message: Access

To reproduce problem:

1) I am using tdbsam
2) groups are mapped so that the primary NT group is a Domain Admin
3) Domain Admin has root level priviledge on Unix
4) In MMC Go to:
    Computer Management (Local) - right click on this
    Select: Connect to another computer ...
    Click the 'Another Computer' radio button
    Clicking on the 'Advanced' tab, then on the 'Find Now' tab, does NOT locate
ANY samba servers - it used to!
    Cancel out to the "Select Computer" dialog box, enter the PDC name in
Another Computer entry box, click OK
    Left click to expand the 'System Tools' entry in left panel
    Left click to expand the 'Shared Folders' entry in left panel
    Click on Shares in left panel
    Double click on a share in the right panel (you are logged on as root - right!)
    Click on 'Share Permissions'
    Change the permissions for Group Everyone in the 'Permissions for Everyone' box
    Click 'Apply'

Error Message:
    "Shared Folders: Changes cannot be saved. Access is denied."

This was working in during alphas.
Comment 1 John H Terpstra (mail address dead( 2003-06-14 12:36:40 UTC
PS: This bug report is NEW - we now have NO way to set ACLs on Shares

If we elect to remove this facility it will be a reversion from Samba-2.2.x and
yet another migration problem for those wishing to upgrade.
Comment 2 John H Terpstra (mail address dead( 2003-06-14 16:24:36 UTC
Correction. I installed NT4Wks, SP6a. SrvMgr on it works OK.
Comment 3 John H Terpstra (mail address dead( 2003-06-14 17:33:07 UTC
I installed W2000 Pro and updated to latest service pack. MMC for Computer
Management will connect to Samba-3, and does allow Share ACLs to be set.

This would suggest that the problem is limited to XPPro and Nexus (on Win 9x/Me).

If we have to sacrifice anything here, I'd vote with Volker that we not fix it
for Nexus, but we do need this to work for XPPro, I will check this for Win
server 2003 as soon as I can - that way we will have a complete profile of what
works and what does not.
Comment 4 Jim McDonough 2003-07-01 08:01:07 UTC
Ouch, the problem is that it does a setshareinfo on level 1005, which is about
various random bits such as DFS, client caching of the share namespace (not sure
exactly what that means), file-by-file integration, and disallowing forcible
file deletion.

Any suggestions on how we could support this?  Returning unknown level also
causes the client to fail.  I'm concerned that just saying "ok" will get us into
other trouble.
Comment 5 Jim McDonough 2003-07-01 08:11:25 UTC
Hmm, how about if we decode it, and if no flags are being set, we return OK, but
if flags are being set, we return something bad...either INVALID_PARM or
Comment 6 Jim McDonough 2003-07-01 12:48:02 UTC
Created attachment 41 [details]
Checks netsharesetinfo 1005 CSC settings to see if they match smb.conf

Should allow XP to set acls on shares now, as long as the user doesn't change 
the client side cache policy settings.
Comment 7 Jim McDonough 2003-07-02 06:34:14 UTC
jra has checked in my patch, so please test and let me know if this takes care
of it.
Comment 8 John H Terpstra (mail address dead( 2003-07-02 21:57:44 UTC
Confirmed FIXED - jht
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:38:55 UTC
originally reported against 3.0.0beta1.  CLeaning out 
non-production release versions.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:18:45 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.