The Samba-Bugzilla – Bug 6961
Posix ACLs implementation in Samba breaks ACL inheritance
Last modified: 2010-10-09 04:57:31 UTC
While testing Samba 3.4.1 using the acl_xattr module, I found the following problem:
If you do the following:
1. Log in to Samba Share as user 1
2. Create a folder called f1
3. Give full access rights to user 2 on folder f1.
4. Log in to Samba Share as user 2
5. Create a folder underneath f1 (f1/f2).
6. Log in to Samba Share as user 1
7. You will be unable to create any files or folders underneath f1/f2 even though f1/f2 has full access rights for user 1.
The reason for this is that although Native NT ACL inheritance is working properly, i.e. f1/f2 inherits the ACL that gives user 1 full access rights from f1, no POSIX ACL is ever created on f1/f2 for user 1. This means that although it looks like user 1 has full access rights, he/she in fact can't do certain operations because the POSIX ACL is not present. The permissions on f1/f2 are:
drwxrwxr--+ 3 user2 domain admins 0 Dec 2 23:02 f2
The POSIX ACLs are (via getfacl call):
# owner: user2
# group: domain\040admins
So all create operations are disallowed because the POSIX ACL was never created. Samba needs to set the appropriate POSIX ACL for anything that inherits NT ACLs.
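Added example, not part of the original report and not Samba code: a small checker that parses getfacl output and applies the POSIX ACL access check order from acl(5) (owner, named user, groups, other) to show why user 1 is denied create rights on f1/f2 when no entry names that user. The ACL entry lines, the "domain users" group membership and the function names are assumptions made for illustration.

```python
import re

# Constructed getfacl output for f1/f2, consistent with the drwxrwxr--+ mode
# in the report; the entry lines below are assumed, not taken from the page.
SAMPLE_F2 = """\
# file: f1/f2
# owner: user2
# group: domain\\040admins
user::rwx
group::rwx
group:domain\\040admins:rwx
mask::rwx
other::r--
"""

def unescape(name):
    # getfacl writes special characters as octal escapes (040 is a space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return owner, owning group and access entries (default: entries skipped)."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s*(owner|group):\s*(.+)", line)
        if m:
            acl[m.group(1)] = unescape(m.group(2))
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            acl["entries"].append((tag, unescape(qualifier), set(perms[:3]) - {"-"}))
    return acl

def posix_allows(acl, user, groups, want):
    """Access check order from acl(5): owner, named user, groups, then other."""
    want, ent = set(want), acl["entries"]
    mask = next((p for t, q, p in ent if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        return want <= next((p for t, q, p in ent if t == "user" and not q), set())
    for t, q, p in ent:
        if t == "user" and q == user:
            return want <= (p & mask)      # named user entry, limited by mask
    matched = [p & mask for t, q, p in ent
               if t == "group" and (q or acl["group"]) in groups]
    if matched:                            # any matching group entry may grant
        return any(want <= p for p in matched)
    return want <= next((p for t, q, p in ent if t == "other"), set())
```

Creating a file or folder needs write and search ("wx") on the parent directory, so `posix_allows(parse_getfacl(SAMPLE_F2), "user1", {"domain users"}, "wx")` is the check that fails here, and it succeeds once a `user:user1:rwx` entry is present.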
Refactoring the VFS interface to fix this for 3.5.x.
Should be fixed in 3.5; if not, please reopen. Thanks for reporting!