I cannot break ACL inheritance anymore in the Windows ACL editor. With previous Samba versions, I entered the "Advanced" dialog of the Windows ACL editor and unchecked the flag "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here". Afterwards, I could remove or change ACLs as needed. If I do this now, inheritable ACLs that exist on higher directory levels re-appear after having deleted them.
*** Bug 5877 has been marked as a duplicate of this bug. ***
I'll look at this once I'm back in the USA (Nov 10th). Jeremy.
Ok, I'm trying to reproduce this with the current code in the git tree samba-3-2-test and can't (i.e. unsetting the bit in the ACL editor works for me). So I need an exact description of how your share/directories are set up UNIX permissions-wise, and an exact copy of your smb.conf please. Jeremy.
I created New Folder\Bill in my homedir. I added the wrm3 user w/ full control in the GUI to New Folder & Bill.

[root@rchs9bld bmarsh]# getfacl New\ Folder/
# file: New\040Folder
# owner: root
# group: domain\040users
user::rwx
user:bmarsh:rwx
user:wrm3:rwx
group::--x
group:domain\040admins:rwx
mask::rwx
other::--x
default:user::rwx
default:user:bmarsh:rwx
default:user:wrm3:rwx
default:group::--x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::--x

[root@rchs9bld bmarsh]# getfacl New\ Folder/Bill/
# file: New\040Folder/Bill
# owner: root
# group: domain\040users
user::rwx
user:bmarsh:rwx
user:wrm3:rwx
group::--x
group:domain\040admins:rwx
mask::rwx
other::--x
default:user::rwx
default:user:bmarsh:rwx
default:user:wrm3:rwx
default:group::--x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::--x

In the GUI, when I try to remove wrm3 from Bill, wrm3 comes back when I click apply.
Created attachment 3727 [details] smb.conf
I get the same problems on 3.2.4 from SerNet.

[root@rchs4bld lbmarsh]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
[root@rchs4bld lbmarsh]# rpm -qi samba3
Name        : samba3                       Relocations: (not relocatable)
Version     : 3.2.4                             Vendor: Service Network GmbH, Goettingen
Release     : 37                            Build Date: Wed 22 Oct 2008 08:21:00 AM CDT
Created attachment 3729 [details] 3.2.4 smb.conf (opensuse 11)

Share starts at /wzb/samba

# file: /wzb
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: /wzb/samba
# owner: root
# group: users
user::rwx
group::r-x
other::---

# file: /wzb/samba/group
# owner: root
# group: users
user::rwx
group::r-x
other::---

# file: /wzb/samba/group/BAL
# owner: root
# group: users
user::rwx
user:pollner:r-x
user:udo:r-x
user:walther:r-x
group::---
group:bal:rwx
group:zensus:r-x
group:_p_etlm:r-x
group:neps:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:bal:rwx
default:group:zensus:r-x
default:mask::rwx
default:other::---
Ok I've done some investigation of this, and I'm being bitten by the bugfix for bug #4308. The problem is on removing an ACE entry and then clicking "apply" causes a security descriptor set with type = 0x9d04. This includes the "SEC_DESC_DACL_AUTO_INHERIT_REQ|SEC_DESC_DACL_AUTO_INHERITED" pair that triggers the append_parent_acl() call that fixes the Excel bug (#4308). The type value being used here (0x9d04) is identical to the type value used by Excel when setting a truncated security descriptor. I believe Vista backup also does this (bug #5306). After implementing "real" security descriptors as a layer on top of POSIX acls in the 3.3 codebase I'm now convinced that doing any inheritance at the server is incorrect, and all inheritance calculation should in fact be being done in the client. The problem is if I remove this code, the Excel problem will re-appear. In the Excel case, something about the posix mapped security descriptor we're returning is causing the inheritance calculations not to be done. So the actual bug is still #4308, and #5306 and I'll work on the problem there. Jeremy.
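The type value 0x9d04 from the comment above, decoded bit by bit. This is an added example, not part of the original comment and not Samba source; the bit values are the security descriptor control flags defined in MS-DTYP, and the function names are hypothetical. It shows that 0x9d04 carries the auto-inherit pair together with the DACL-protected bit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Security descriptor control ("type") bits, values per MS-DTYP. */
#define SEC_DESC_DACL_AUTO_INHERIT_REQ 0x0100
#define SEC_DESC_DACL_AUTO_INHERITED   0x0400
#define SEC_DESC_DACL_PROTECTED        0x1000
#define AUTO_INHERIT_PAIR \
    (SEC_DESC_DACL_AUTO_INHERIT_REQ | SEC_DESC_DACL_AUTO_INHERITED)

static const struct { uint16_t bit; const char *name; } sd_bits[] = {
    {0x0001, "OWNER_DEFAULTED"},       {0x0002, "GROUP_DEFAULTED"},
    {0x0004, "DACL_PRESENT"},          {0x0008, "DACL_DEFAULTED"},
    {0x0010, "SACL_PRESENT"},          {0x0020, "SACL_DEFAULTED"},
    {0x0040, "DACL_TRUSTED"},          {0x0080, "SERVER_SECURITY"},
    {0x0100, "DACL_AUTO_INHERIT_REQ"}, {0x0200, "SACL_AUTO_INHERIT_REQ"},
    {0x0400, "DACL_AUTO_INHERITED"},   {0x0800, "SACL_AUTO_INHERITED"},
    {0x1000, "DACL_PROTECTED"},        {0x2000, "SACL_PROTECTED"},
    {0x4000, "RM_CONTROL_VALID"},      {0x8000, "SELF_RELATIVE"},
};

/* Write the names of the bits set in `type` into buf as "A|B|C". */
const char *sd_type_to_string(uint16_t type, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0) return buf;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(sd_bits) / sizeof(sd_bits[0]); i++) {
        if (!(type & sd_bits[i].bit)) continue;
        int n = snprintf(buf + used, len - used, "%s%s",
                         used ? "|" : "", sd_bits[i].name);
        if (n < 0 || (size_t)n >= len - used) break; /* output truncated */
        used += (size_t)n;
    }
    return buf;
}

/* True only when both bits of the auto-inherit pair are set. */
int sd_has_auto_inherit_pair(uint16_t type)
{
    return (type & AUTO_INHERIT_PAIR) == AUTO_INHERIT_PAIR;
}

/* True when the sender marked the DACL as protected from inheritance. */
int sd_dacl_protected(uint16_t type)
{
    return (type & SEC_DESC_DACL_PROTECTED) != 0;
}

int main(void)
{
    char buf[256];
    printf("0x9d04 = %s\n", sd_type_to_string(0x9d04, buf, sizeof(buf)));
    return 0;
}
```
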
Created attachment 3730 [details] Temporary patch for 3-2-test branch. Ok, if people can try this (temporary, not the final) fix. It should allow removal of ACE entries again. Bill and others, I need testing with Excel to prevent regressions of #4308. Jeremy.
(In reply to comment #9)
> Created an attachment (id=3730)
> Temporary patch for 3-2-test branch.
> Ok, if people can try this (temporary, not the final) fix. It should allow
> removal of ACE entries again. Bill and others, I need testing with Excel to
> prevent regressions of #4308.
> Jeremy.

I've tried this patch and it looks good, it allows removal of ACE entries. I've also tested with Excel, I couldn't reproduce problems of #4308, I am not sure if I've tested all the possibilities with Excel.

Thanks,
Chandra
Is this bug scheduled to be corrected by "3.0.x"?
With version 3.2.6, it appears to be ok. Thanks a lot for fixing it.
(In reply to comment #12)
> With version 3.2.6, it appears to be ok.
> Thanks a lot for fixing it.
>

for 3.0.x - fixed?
or give patch...
(In reply to comment #13)
> for 3.0.x - fixed?
> or give patch...

I'd need a patch for 3.0.x, too...
I'm having this same problem with Samba 3.2.11 on Gentoo. I can uncheck the inherit permissions box and then remove/modify the permissions and once I apply them the inherited permissions just show right back up. Be happy to provide any additional information or do any sort of testing.
I've tried again with 3.2.11 on opensuse 11.0, and everything's fine. See also my Comment #12. Peter
Well.. Are there some configuration options that could affect this? It is not working for me on 3.2.11 on Gentoo and I would like to find and resolve the problem. Again. I have a fresh install of both Gentoo and Samba (3.2.11) and a temp share defined. If I open that share and create files and folders and within their Security then Advanced tab (from Windows Vista Business) they all have "Include inheritable permissions from this object's parent" checked. I click Edit and uncheck that box. It opens a pop-up window that asks if I want to copy the inherited permissions or remove them. I click on Remove. Now all the permissions appear to have been removed. Once I click Apply they all come back but the "Include inheritable permissions from this object's parent" box remains unchecked. I can add new entries but am unable to remove the "inherited" entries. I am fairly new to using Samba in this way and perhaps I'm doing something wrong but am not sure what that would be or how to find out.
I have

nt acl support = Yes
map acl inherit = Yes
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
dos filemode = Yes
acl group control = No

Peter
Hmm, seems I'm just wasting your time. I apparently don't have a good understanding of how samba acl works compared to windows. I did some more testing and it does in fact remove inherited permissions. The part that was throwing me off is how the normal unix permissions remained (user/group/everyone) and in my clicky gui windows mindset I was trying to remove/change those values which I'm used to being able to do. Mostly the Group and Everyone parts. Sorry for filling this bug-report with gibberish.
According to relnotes, this bug was fixed in Samba 3.0.34, Samba 3.2.6, Samba 3.3.0.

http://www.samba.org/samba/history/samba-3.0.34.html
comment #12
http://www.samba.org/samba/history/samba-3.3.0.html
I'm marking it as FIXED. If someone complains please reopen!