The Samba-Bugzilla – Bug 5052
not work cancel inheritance on share
Last modified: 2008-11-06 00:13:12 UTC
samba-3.0.26a_1,1 from ports, FreeBSD 6.2-RELEASE.
Domain member (Win2003 domain)
If I create a share:
comment = Shares for Documents
path = /shares/data
read list = "@MOSKB\Domain Users"
write list = "@MOSKB\Domain Users"
admin users = "@MOSKB\Domain Admins", MOSKB\admin_omsk
read only = No
create mask = 0660
directory mask = 0770
inherit owner = yes
inherit acls = yes
inherit permissions = yes
map acl inherit = yes
locking = no
and then create a folder in the share, I can't uncheck the box
"Allow inheritable permissions from the parent to propagate to this object and all child objects." when I edit permissions from Windows (I am in admin users). After pressing the apply button (after unchecking the box), the box is checked again...
On samba-3.0.25a,1 (from ports) it works correctly.
I'm experiencing this problem, too, with samba v. 3.0.28. See http://lists.samba.org/archive/samba/2008-February/138898.html.
I'm not a samba hacker, but the problem appears to occur in smbd/posix_acls.c, when set_nt_acl() calls append_parent_acl(), a function which is supposed to copy the appropriate ACL entries from the parent to the child file. Because of the way it is implemented, though, append_parent_acl() clobbers the security descriptor header flags of the child, overwriting them with the parent's SEC_DESC "type" member (which holds the flag values). In particular, the SE_DESC_DACL_PROTECTED flag of the child gets overwritten. This is the flag that stores the state of that "Allow inheritable permissions from the parent to propagate" check box. (If the SE_DESC_DACL_PROTECTED flag is set, the check box is cleared).
I wrote a very simple patch which restores the value of this bit to the child, and it seemed to resolve the problem. However, I have a very superficial understanding of samba's internals, and I'm not sure what other flags (all?) in the SEC_DESC header should be retained as well. I also don't know what other side effects this might have.
(In reply to comment #1)
> I wrote a very simple patch which restores the value of this bit to the child,
> and it seemed to resolve the problem. However, I have a very superficial
> understanding of samba's internals, and I'm not sure what other flags (all?) in
> the SEC_DESC header should be retained as well. I also don't know what other
> side effects this might have.
Can you send me the patch?
I will test this patch for a few hours.
I really need this patch, because I need to set up a server in production this week.
Otherwise I have to install Win2003 =(
(In reply to comment #2)
> Can you send me patch?
Unfortunately, all my patch does is prevent the box from rechecking itself. It doesn't honor the semantics: The ACEs inherited from the parent folder (or higher) continue to be inherited, so it's pretty useless. You'd need additional code to honor that setting, and probably to recursively remove the inherited ACEs from descendants, if any. It's not clear to me if the Windows 2000+ semantics (NT4 only considers inheritance when an object is created) is even intended to be supported by the Samba developers. Perhaps somebody will chime in here.
(In reply to comment #3)
> (In reply to comment #2)
>> Can you send me patch?
> Unfortunately, all my patch does is prevent the box from rechecking itself.
I copied source/smbd/posix_acls.c from 3.0.25 to 3.0.28 and recompiled it.
Samba now works correctly, with correct inheritance...
Today I am testing it with 50 users, and in 3-5 days it goes to production with 600 users...
samba Version 3.0.29
I also had the same problem. Copy the source/smbd/posix_acls.c from 3.0.25 to 3.0.29 and it's working fine now.
It's in production with about 400 users.
I have a file server with samba 3.0.28 + posix_acls.c from 3.0.25 with 800-900 users.
3 months - all OK
I'm experiencing this bug with 3.2.1-0.0.3-1, in OpenFiler. Has the patch discussed herein been rolled into a release?
(In reply to comment #7)
> I'm experiencing this bug with 3.2.1-0.0.3-1, in OpenFiler. Has the patch
> discussed herein been rolled into a release?
This is still a "NEW" bug (there are quite a few), so I'm not sure it has even been read by any of the Samba developers.
I'm taking a look at this for 3.2.x. Replacing the posix_acls.c from an earlier release is not a solution, you will break several applications using ACLs with Vista.
Created attachment 3554
Patch for 3.2.x
This should fix it for 3.2.x. It was actually a typo, I should have been copying the new ACE list into the incoming SD, not the parent one. My bad. Let me know if this fixes the problem and I'll get it into 3.2.4 (due Friday 19th Sept).
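The header-flag clobbering described in comment #1, and the fix described just above (the new ACE list goes into the incoming SD, not the parent one), as a simplified model added here. It is not Samba's code or the attached patch: the struct layout, merge_parent_acl(), run_case() and the sample ACEs are assumptions made for illustration; only the flag values follow the Windows security descriptor definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Control and ACE flag values as used in Windows security descriptors. */
#define SE_DESC_DACL_PRESENT   0x0004
#define SE_DESC_DACL_PROTECTED 0x1000 /* set => the inheritance check box is cleared */
#define ACE_CONTAINER_INHERIT  0x02
#define ACE_INHERITED          0x10
#define MAX_ACES 8

struct ace { const char *who; uint8_t flags; };
struct sd  { uint16_t type; int num_aces; struct ace aces[MAX_ACES]; };

/* Simplified model (hypothetical, not Samba code): merge the parent's
 * inheritable ACEs into the ACL a client sent for the child. The ACE merge is
 * identical in both modes; only the descriptor that receives the list differs. */
static struct sd merge_parent_acl(const struct sd *parent, const struct sd *incoming, int buggy)
{
    struct sd out = buggy ? *parent : *incoming; /* header (type) comes from here */
    out.num_aces = 0;
    for (int i = 0; i < incoming->num_aces && out.num_aces < MAX_ACES; i++)
        out.aces[out.num_aces++] = incoming->aces[i];
    for (int i = 0; i < parent->num_aces && out.num_aces < MAX_ACES; i++) {
        if (!(parent->aces[i].flags & ACE_CONTAINER_INHERIT))
            continue; /* not inheritable by subfolders */
        out.aces[out.num_aces] = parent->aces[i];
        out.aces[out.num_aces++].flags |= ACE_INHERITED;
    }
    return out;
}

/* Constructed sample: the client cleared the check box on the child folder. */
static struct sd run_case(int buggy)
{
    struct sd parent = { SE_DESC_DACL_PRESENT, 2,
        { { "Domain Users", ACE_CONTAINER_INHERIT }, { "Domain Admins", 0 } } };
    struct sd incoming = { SE_DESC_DACL_PRESENT | SE_DESC_DACL_PROTECTED, 1,
        { { "admin_omsk", 0 } } };
    return merge_parent_acl(&parent, &incoming, buggy);
}

int main(void)
{
    for (int buggy = 1; buggy >= 0; buggy--) {
        struct sd r = run_case(buggy);
        printf("%s: type=0x%04x protected=%d aces=%d\n", buggy ? "buggy" : "fixed",
               r.type, !!(r.type & SE_DESC_DACL_PROTECTED), r.num_aces);
    }
    return 0;
}
```

In the buggy mode the result carries the parent's type, so the protected bit the client set is lost and the check box reappears as checked. The model covers only the header flag, not whether inherited ACEs should still be appended when the bit is set.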
Can you write a patch for 3.0.x?
Samba 3.2.x is not available from the FreeBSD ports tree...
The patch applies successfully to 3.0.32 and works.
The patch should apply to 3.0.x, I already checked it into all git trees as it's an obvious fix. Thanks for pointing it out!
After applying this patch to samba-3.0.32_1,1 I have a new bug.
I create a folder and a subfolder.
On the top folder, add users, allow inheritance.
Go to the folder and remove the inheritance check box on the subfolder.
In the pop-up window about new permissions, select "Remove".
After pressing apply, all permissions are still in place.
Very big bug....
With 3.0.28 + posix_acl from 3.0.25 it works correctly.
Please open a new bug report for this bug with the patch.
I'd like to close this one out as the original issue has been fixed (as per your comment #12).
Actually, it looks like bug #5873 is the report describing what you experienced in comment #14. If so let me know and I'll close this one out and concentrate on #5873.
Won't be able to get to this until 10th November though.
I create a new bug.