Bug 4955 - Cannot remove "Inherit flag" in windows security tab
Cannot remove "Inherit flag" in windows security tab
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
3.0.25c
x86 Linux
: P3 major
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-05 14:58 UTC by Federico Bertola
Modified: 2007-11-23 11:00 UTC (History)
1 user (show)

See Also:


Attachments
Level 2 and level 3 of problem (18.54 KB, text/plain)
2007-09-05 15:05 UTC, Federico Bertola
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Federico Bertola 2007-09-05 14:58:53 UTC
I have migrated a 3.0.14a PDC + LDAP (last debian Sarge package) to last stable version 3.0.25c (sernet package) in order to improve the ACL support, because there are many imprevedible behaviour in that release (above all with MS Office) and I need "inherit owner" config directive.

1- I have a directory like this:

# file: prova
# owner: root
# group: Domain\040Users
user::rwx
user:<USER1>:rwx
group::---
group:Ced:rwx
mask::rwx
other::---
default:user::rwx
default:user:<USER1>:rwx
default:group::---
default:group:Ced:rwx
default:mask::rwx
default:other::---

And many subdirs with the same inherited permissions (for example aaaa, bbbb...)

This permission were applied with windows security tab (but with setfacl I have the same result)


2- When I try to remove the Inherit Flag from windows Explorer security tab (winxp and win2k also) to remove any ACL, I have a strange behaviour:
- When I re-check the properties of directory the flag is still checked
- In the dir-tree from that directory I found 2 new ACLs: one for User that I have used for that operation (a Domain Admins members) and one for group Administrators that I never seen before. 

I try to remove USER1 from aa subdir:

# file: aa
# owner: root
# group: Domain\040Users
user::rwx
user:<USER1>:rwx
user:<ADMIN1>:rwx
group::---
group:Ced:rwx
group:Administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:<USER1>:rwx
default:user:<ADMIN1>:rwx
default:group::---
default:group:Ced:rwx
default:group:Administrators:rwx
default:mask::rwx
default:other::---

To resolve this problem I have to downgrade to version 3.0.24.
In this version I can remove check, but persist the new ACL for user that have change the flag, but not for group Administrators.

This incorect inherited new ACL contamine only subdir that have Inherit flag checked.


Now I can change ACL only with Administrator User (that have uid 0), this user don't add new acl, and can corectly manage inherited permission.



Relevant configuretion directive:
  inherit acls = yes
  map acl inherit = yes
  inherit owner = yes
  force unknown acl user = Yes
  dos filemode = yes
  inherit permissions = yes


Italian thread:
http://lists.xsec.it/pipermail/samba-it/2007-September/007168.html
Comment 1 Federico Bertola 2007-09-05 15:05:53 UTC
Created attachment 2919 [details]
Level 2 and level 3 of problem

This is an extract of the log while I try to remove the flag indicted from the folder “bbbb”, subfolder of “prova”, from which it inherits one acl.