Bug 4955 - Cannot remove "Inherit flag" in windows security tab
Summary: Cannot remove "Inherit flag" in windows security tab
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.0.25c
Hardware: x86 Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-05 14:58 UTC by Federico Bertola
Modified: 2020-12-30 14:10 UTC (History)
1 user (show)

See Also:

Attachments
Level 2 and level 3 of problem (18.54 KB, text/plain)
2007-09-05 15:05 UTC, Federico Bertola 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Federico Bertola 2007-09-05 14:58:53 UTC 
I have migrated a 3.0.14a PDC + LDAP (last debian Sarge package) to last stable version 3.0.25c (sernet package) in order to improve the ACL support, because there are many imprevedible behaviour in that release (above all with MS Office) and I need "inherit owner" config directive.

1- I have a directory like this:

# file: prova
# owner: root
# group: Domain\040Users
user::rwx
user:<USER1>:rwx
group::---
group:Ced:rwx
mask::rwx
other::---
default:user::rwx
default:user:<USER1>:rwx
default:group::---
default:group:Ced:rwx
default:mask::rwx
default:other::---

And many subdirs with the same inherited permissions (for example aaaa, bbbb...)

This permission were applied with windows security tab (but with setfacl I have the same result)


2- When I try to remove the Inherit Flag from windows Explorer security tab (winxp and win2k also) to remove any ACL, I have a strange behaviour:
- When I re-check the properties of directory the flag is still checked
- In the dir-tree from that directory I found 2 new ACLs: one for User that I have used for that operation (a Domain Admins members) and one for group Administrators that I never seen before. 

I try to remove USER1 from aa subdir:

# file: aa
# owner: root
# group: Domain\040Users
user::rwx
user:<USER1>:rwx
user:<ADMIN1>:rwx
group::---
group:Ced:rwx
group:Administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:<USER1>:rwx
default:user:<ADMIN1>:rwx
default:group::---
default:group:Ced:rwx
default:group:Administrators:rwx
default:mask::rwx
default:other::---

To resolve this problem I have to downgrade to version 3.0.24.
In this version I can remove check, but persist the new ACL for user that have change the flag, but not for group Administrators.

This incorect inherited new ACL contamine only subdir that have Inherit flag checked.


Now I can change ACL only with Administrator User (that have uid 0), this user don't add new acl, and can corectly manage inherited permission.



Relevant configuretion directive:
  inherit acls = yes
  map acl inherit = yes
  inherit owner = yes
  force unknown acl user = Yes
  dos filemode = yes
  inherit permissions = yes


Italian thread:
http://lists.xsec.it/pipermail/samba-it/2007-September/007168.html
Comment 1 Federico Bertola 2007-09-05 15:05:53 UTC 
Created attachment 2919 [details]
Level 2 and level 3 of problem

This is an extract of the log while I try to remove the flag indicted from the folder “bbbb”, subfolder of “prova”, from which it inherits one acl.
Comment 2 Björn Jacke 2020-12-30 14:10:30 UTC 
in more modern samba version this should not be a problem, there is no known issue with this any more.