i have a file with rights 600. if i connect to samba using username%password i can see all the rights, acl, owner ecc. if i connect to samba using kerberos i can not see the owner-information of the file. if i try to rename this file from a windows-client i get a NT_STATUS_ACCESS_DENIED because the owner-information is missing, but i can change the content of the file. (mode of the parent directory is 777) # ls -l x.txt -rw------- 1 heinz_sgv domusers 0 2010-02-15 10:33 x.txt smbcacls with the kerberos-option -k (principal is the same as the owner of the file = heinz_sgv ) # smbcacls //localhost/samba -k kerberos/x.txt Failed to open \kerberos\x.txt: NT_STATUS_ACCESS_DENIED smbcacls with username%password # smbcacls //localhost/samba -U heinz_sgv%password kerberos/x.txt REVISION:1 CONTROL:0x9004 OWNER:GVCC.NET\heinz_sgv GROUP:GVCC.NET\Domain Users ACL:GVCC.NET\heinz_sgv:ALLOWED/0x0/RW ACL:GVCC.NET\Domain Users:ALLOWED/0x0/ ACL:Everyone:ALLOWED/0x0/ after a chmod g+r x.txt all works fine: # chmod g+r x.txt # ls -l x.txt -rw-r----- 1 heinz_sgv domusers 0 2010-02-15 10:33 x.txt # smbcacls //localhost/samba -k kerberos/x.txt REVISION:1 CONTROL:0x9004 OWNER:GVCC.NET\heinz_sgv GROUP:GVCC.NET\Domain Users ACL:GVCC.NET\heinz_sgv:ALLOWED/0x0/RW ACL:GVCC.NET\Domain Users:ALLOWED/0x0/R ACL:Everyone:ALLOWED/0x0/ # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: heinz_sgv@GVCC.NET
Please upload debug level 10 logs of smbd for both cases. Thanks, Volker
Created attachment 5356 [details] log.smbd for smbcacls using username%password log.smbd for smbcacls using username%password in this case all works fine
Created attachment 5357 [details] log.smbd for smbcacls using a kerberos principal log.smbd for smbcacls using a kerberos principal the principal is also heinz_sgv, the same user as the owner of the file. in this case: # smbcacls //localhost/samba -k kerberos/x.txt Failed to open \kerberos\x.txt: NT_STATUS_ACCESS_DENIED # ll /samba/kerberos/x.txt -rw------- 1 heinz_sgv domusers 6 2010-02-16 12:57 /samba/kerberos/x.txt
Created attachment 5358 [details] Proposed patch Can you try the attached patch? I don't have an appropriate setup around right now, so I have not tested it at all. So it might immediately crash (or so), but I'd give it a good chance that it fixes your problem. Please tell me about your testing results! Thanks, Volker
thanx! now it works fine, i testet it from linux with smbcacls and from windows xp # ll /samba/kerberos/x.txt -rw------- 1 heinz_sgv domusers 6 2010-02-16 12:57 /samba/kerberos/x.txt # smbcacls //localhost/samba -k kerberos/x.txt REVISION:1 CONTROL:0x9004 OWNER:GVCC.NET\heinz_sgv GROUP:GVCC.NET\Domain Users ACL:GVCC.NET\heinz_sgv:ALLOWED/0x0/RW ACL:GVCC.NET\Domain Users:ALLOWED/0x0/ ACL:Everyone:ALLOWED/0x0/
Comment on attachment 5358 [details] Proposed patch Jeremy, please ack this for 3.5.1 and re-assign to Karolin if appropriate. Thanks, Volker
Heinz: Thanks for testing. Pushed to master, will be in 3.5.1 latest, maybe in 3.5.0. Volker
Comment on attachment 5358 [details] Proposed patch Clever fix - nice work !
Reopen to assign to Karolin for inclusion in 3.5.0rc1 or 3.5.1.
Karolin, please pull whenever you see appropriate, I think this should be in latest 3.5.1. Thanks, Volker
Pushed to v3-5-test. Will be included in 3.5.0rc3. Closing out bug report. Thanks!