Bug 5052 - not work cancel inheritance on share
Status: ASSIGNED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.26a
Hardware: x86 FreeBSD
Importance: P3 normal
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2007-10-30 08:13 UTC by lissyara
Modified: 2008-11-06 00:13 UTC
Attachments
Patch for 3.2.x (753 bytes, patch)
2008-09-10 17:36 UTC, Jeremy Allison

Description lissyara 2007-10-30 08:13:41 UTC
samba-3.0.26a_1,1 from ports, FreeBSD 6.2-RELEASE.
Domain member (Win2003 domain)
If I create a share:
==================================
[data]
        comment                 = Shares for Documents
        path                    = /shares/data
        read list               = "@MOSKB\Domain Users"
        write list              = "@MOSKB\Domain Users"
        admin users             = "@MOSKB\Domain Admins", MOSKB\admin_omsk
        read only               = No
        create mask             = 0660
        directory mask          = 0770
        inherit owner           = yes
        inherit acls            = yes
        inherit permissions     = yes
        map acl inherit         = yes
        locking                 = no

========================
and then create a folder in the share, I can't uncheck the box "Allow inheritable permissions from the parent to propagate to this object and all child objects." when I edit permissions from Windows (I am in admin users). After pressing the Apply button (after unchecking the box), the box is checked again...
On samba-3.0.25a,1 (from ports) it works correctly.
Comment 1 David Eisner 2008-03-03 11:25:44 UTC
I'm experiencing this problem, too, with samba v. 3.0.28.  See http://lists.samba.org/archive/samba/2008-February/138898.html.

I'm not a samba hacker, but the problem appears to occur in smbd/posix_acls.c, when set_nt_acl() calls append_parent_acl(), a function which is supposed to copy the appropriate ACL entries from the parent to the child file.  Because of the way it is implemented, though, append_parent_acl() clobbers the security descriptor header flags of the child, overwriting them with the parent's SEC_DESC "type" member (which holds the flag values).  In particular, the SE_DESC_DACL_PROTECTED flag of the child gets overwritten.  This is the flag that stores the state of that "Allow inheritable permissions from the parent to propagate" check box.  (If the SE_DESC_DACL_PROTECTED flag is set, the check box is cleared).

I wrote a very simple patch which restores the value of this bit to the child, and it seemed to resolve the problem.  However, I have a very superficial understanding of samba's internals, and I'm not sure what other flags (all?) in the SEC_DESC header should be retained as well.  I also don't know what other side effects this might have.

   
Comment 2 lissyara 2008-03-03 12:10:45 UTC
(In reply to comment #1)
> I wrote a very simple patch which restores the value of this bit to the child,
> and it seemed to resolve the problem.  However, I have a very superficial
> understanding of samba's internals, and I'm not sure what other flags (all?) in
> the SEC_DESC header should be retained as well.  I also don't know what other
> side effects this might have.
Can you send me the patch?
admin@lissyara.su
I test this patch through some hours.
I very much need this patch, because I need to set up a server in production this week.
Otherwise I have to install Win2003 =(
Thanks!
Comment 3 David Eisner 2008-03-03 13:19:29 UTC
(In reply to comment #2)
> Can you send me patch?

Unfortunately, all my patch does is prevent the box from rechecking itself.  It doesn't honor the semantics: The ACE's inherited from the parent folder (or higher) continue to be inherited, so it's pretty useless.  You'd need additional code to honor that setting, and probably to recursively remove the inherited ACE's from descendants, if any.  It's not clear to me if the Windows 2000+ semantics (NT4 only considers inheritance when an object is created) is even intended to be supported by the Samba developers.  Perhaps somebody will chime in here.

Comment 4 lissyara 2008-03-03 14:44:17 UTC
(In reply to comment #3)
> (In reply to comment #2)
>> Can you send me patch?
>>> Unfortunately, all my patch does is prevent the box from rechecking itself.
I copied source/smbd/posix_acls.c from 3.0.25 to 3.0.28 and recompiled it.
I now have a correctly working samba with correct inheritance...
======
Today I am testing it with 50 users, and in 3-5 days - production with 600 users...
Comment 5 Alberto Viana 2008-06-24 16:20:51 UTC
samba Version 3.0.29

I also had the same problem. Copy the source/smbd/posix_acls.c from 3.0.25 to 3.0.29 and it's working fine now. 

It's in production with about 400 users.

Comment 6 lissyara 2008-06-24 23:43:02 UTC
I have a file server with samba 3.0.28 + posix_acls.c from 3.0.25 with 800-900 users.
3 months - all OK

Comment 7 Timothy J. Trace 2008-09-10 11:17:12 UTC
I'm experiencing this bug with 3.2.1-0.0.3-1, in OpenFiler.  Has the patch discussed herein been rolled into a release?
Comment 8 David Eisner 2008-09-10 13:29:34 UTC
(In reply to comment #7)
> I'm experiencing this bug with 3.2.1-0.0.3-1, in OpenFiler.  Has the patch
> discussed herein been rolled into a release?

This is still a "NEW" bug (there are quite a few), so I'm not sure it has even been read by any of the Samba developers.
Comment 9 Jeremy Allison 2008-09-10 17:03:55 UTC
I'm taking a look at this for 3.2.x. Replacing the posix_acls.c from an earlier release is not a solution, you will break several applications using ACLs with Vista.
Jeremy.
Comment 10 Jeremy Allison 2008-09-10 17:36:07 UTC
Created attachment 3554
Patch for 3.2.x

This should fix it for 3.2.x. It was actually a typo, I should have been copying the new ACE list into the incoming SD, not the parent one. My bad. Let me know if this fixes the problem and I'll get it into 3.2.4 (due Friday 19th Sept).
Jeremy.
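
A simplified model of the defect described in comments 1 and 10, added here as an illustration; it is not Samba's code or the attached patch. The structs, function names and sample ACEs are constructed assumptions, and the model covers only the descriptor's header flags, not whether a protected DACL should still receive inherited ACEs.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Samba's structures; flag values follow the Windows definitions. */
#define DACL_PRESENT          0x0004u
#define DACL_PROTECTED        0x1000u  /* set = inheritance box cleared */
#define ACE_CONTAINER_INHERIT 0x02u
#define ACE_INHERITED         0x10u
#define MAX_ACES 8

struct ace { uint32_t rid; uint8_t flags; uint32_t mask; };
struct sd  { uint16_t type; size_t num_aces; struct ace aces[MAX_ACES]; };
/* Constructed sample: a parent folder and a child with a protected DACL. */
static const struct sd PARENT = { DACL_PRESENT, 2,
    { {513, ACE_CONTAINER_INHERIT, 0x1200a9}, {512, 0, 0x1f01ff} } };
static const struct sd CHILD = { DACL_PRESENT | DACL_PROTECTED, 1, { {1105, 0, 0x1f01ff} } };

/* Child's own ACEs first, then the parent's inheritable ones. */
static size_t merge_aces(const struct sd *parent, const struct sd *child, struct ace *out) {
    size_t n = 0;
    for (size_t i = 0; i < child->num_aces && n < MAX_ACES; i++)
        out[n++] = child->aces[i];
    for (size_t i = 0; i < parent->num_aces && n < MAX_ACES; i++) {
        if (!(parent->aces[i].flags & ACE_CONTAINER_INHERIT)) continue;
        out[n] = parent->aces[i];
        out[n++].flags |= ACE_INHERITED;
    }
    return n;
}

/* Defect: the merged list rides on a copy of the parent's descriptor (parent's type wins). */
struct sd append_parent_acl_buggy(const struct sd *parent, const struct sd *child) {
    struct sd out = *parent;
    out.num_aces = merge_aces(parent, child, out.aces);
    return out;
}

/* Fix: put the merged list into the incoming (child) descriptor. */
struct sd append_parent_acl_fixed(const struct sd *parent, const struct sd *child) {
    struct sd out = *child;
    out.num_aces = merge_aces(parent, child, out.aces);
    return out;
}

int main(void) {
    struct sd bad = append_parent_acl_buggy(&PARENT, &CHILD);
    struct sd good = append_parent_acl_fixed(&PARENT, &CHILD);
    printf("buggy type=0x%04x, fixed type=0x%04x\n", (unsigned)bad.type, (unsigned)good.type);
    return 0;
}
```
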
Comment 11 lissyara 2008-09-10 23:57:18 UTC
Can you write a patch for 3.0.x?
samba 3.2.x is not available from the FreeBSD ports tree...
Comment 12 lissyara 2008-09-11 04:03:35 UTC
This patch applied successfully to 3.0.32 and works
thanks!
Comment 13 Jeremy Allison 2008-09-11 11:27:11 UTC
The patch should apply to 3.0.x, I already checked it into all git trees as it's an obvious fix. Thanks for pointing it out!
Jeremy.
Comment 14 lissyara 2008-10-09 03:18:11 UTC
After applying this patch to samba-3.0.32_1,1 I have a new bug.
I create a folder and a subfolder.
From the top folder, add users, allow inheritance.
Go to the folder and clear the inheritance check box on the subfolder.
In the pop-up window about new permissions, select "Remove".
After pressing Apply, all permissions are still in place.
Nothing removed...
Very big bug....
With 3.0.28 + posix_acl from 3.0.25 it works correctly.
Comment 15 Jeremy Allison 2008-11-05 20:45:23 UTC
Please open a new bug report for this bug with the patch.
I'd like to close this one out as the original issue has been fixed (as per your comment #12).
Jeremy.
Comment 16 Jeremy Allison 2008-11-05 21:03:13 UTC
Actually, it looks like bug #5873

https://bugzilla.samba.org/show_bug.cgi?id=5873

is the report describing what you experienced in comment #14. If so let me know and I'll close this one out and concentrate on #5873.

Won't be able to get to this until 10th November though.

Thanks,

Jeremy.
Comment 17 lissyara 2008-11-06 00:13:12 UTC
I created a new bug.

https://bugzilla.samba.org/show_bug.cgi?id=5877