In our corporate environment, we wish to use the setgid feature of the ext3 filesystem together with "force directory security mode" in samba to enforce "rws" on the posix "group-owner", even if the user changes permissions on a file from the native NT security dialog box.

1) These settings work when we compile samba-3.4.5 with --with-acl-support=no
2) But when we compile samba-3.4.5 with "--with-acl-support=yes", the setgid bit is not being applied. The other security bits are however rightfully applied.

I have reproduced the problem on a test server with minimal configuration. Only the smbd process is running here:

SLES11, x86_64, samba-3.4.5

uname -a
    Linux erso-desktop 2.6.27.42-0.1-default #1 SMP 2010-01-06 16:07:25 +0100 x86_64 x86_64 x86_64 GNU/Linux

The filesystem is ext3.
The Windows machine I use as client is Windows 2000 Professional SP4.

I have installed samba 3.4.5 with acl support to /samba-3.4.5
I have installed samba 3.4.5 without acl support to /samba-3.4-5-noacl

The smb.conf for both installations is like this:

    [global]
    server string = Samba fra erso
    passdb backend = tdbsam:/samba-3.4.5/private/passdb.tdb
    comment = testsone
    workgroup = testgroup
    security = server
    log level = 10
    max log size = 0
    debug hires timestamp = yes
    debug pid = yes
    printcap name = /etc/printcap
    disable spoolss = yes
    map to guest = Bad User
    usershare allow guests = No
    netbios name = testpc
    wins support = No

    [test$]
    comment = testshare
    path=/testshare
    writable=yes
    browsable=yes
    force directory security mode = 2777

getfacl /testshare:
    # file: testshare
    # owner: root
    # group: root
    user::rwx
    group::rwx
    other::rwx

ls -ld /testshare:
    drwxrwxrwx 3 root root 4096 Feb 20 12:04 /testshare

I use the test folder "/testshare/test2". Here is getfacl "/testshare/test2" before I access it from Windows, using samba with acl support:

getfacl /testshare/test2:
    # file: testshare/test2
    # owner: Administrator
    # group: gruppetest
    user::r--
    group::---
    other::---
    default:user::rwx
    default:group::rwx
    default:other::rwx

ls -ld /testshare/test2
    dr--------+ 2 Administrator gruppetest 4096 Feb 20 12:04 test2

Now, I start samba with acl support and debug level 10 and do the following:

1) Open \\<ip-of-sambaserver>\test$ in explorer.exe on Windows 2000
2) Select properties of the test2 folder in Windows Explorer
3) On the security tab, I mark the user "everybody", select full control, and click OK.
5) I run getfacl /testshare/test2 and it gives me:

getfacl /testshare/test2:
    # file: testshare/test2
    # owner: Administrator
    # group: gruppetest
    user::rwx
    group::rwx
    other::rwx
    default:user::rwx
    default:group::rwx
    default:other::rwx

ls -ld /testshare/test2:
    drwxrwxrwx+ 2 Administrator gruppetest 4096 Feb 20 12:04 /testshare/test2

4) I stop the samba process and upload the debug log as smb.log.acl
5) I do the _exact_ same procedure as above, but this time I start the samba compiled without acl support instead. After changing the everyone permission to full control, as above, I now get:

getfacl /testshare/test2
    # file: testshare/test2
    # owner: Administrator
    # group: gruppetest
    user::rwx
    group::rwx
    other::rwx
    default:user::rwx
    default:group::rwx
    default:other::rwx

ls -ld /testshare/test2
    drwxrwsrwx+ 2 Administrator gruppetest 4096 Feb 20 12:04 /testshare/test2

6) I stop the samba process and upload the debug log as smb.log.noacl

The only difference between the two results is that the setgid bit is correctly being applied when I compile samba without acl support. This is very strange.

We have the problem on fileservers with samba 3.4.5 and 3.2.7, and I have also reproduced the problem on samba 3.0.37.

I can see that I have entered a few home-made debug entries in the smb.log.acl logfile, please forgive me for those! (I have tried a little bit of debugging for myself.)

-regards
Erik
Created attachment 5405
Debug 10 output from samba-3.4.5 with acl support

Debug 10 output from samba-3.4.5 with acl support while I change the user everyone to full control from windows 2000
Created attachment 5406
Debug 10 output from samba-3.4.5 with acl support

Debug 10 output from samba-3.4.5 with acl support while I change the user everyone to full control from windows 2000

Don't read the obsolete one, it was from another, older test run of smbd
Created attachment 5407
Debug 10 output from samba-3.4.5 without acl support

Debug 10 output from samba-3.4.5 without acl support while I change the user everyone to full control from windows 2000
Can you test again with a recent samba version, please, and see if this is still an issue for you?

You should also check out the "acl group control" and "inherit owner" parameters actually. I think with the right combination of those it will work.
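
Added example, not part of the bug thread and not Samba code: when retesting either build, this Python audit reports every directory under the share whose mode lacks a bit from "force directory security mode = 2777", so a missing setgid bit shows up without reading ls output by hand. The function names and the ACL check via Linux xattr names are assumptions of this example.

```python
import os
import stat

# Value of "force directory security mode" from the smb.conf in the report.
FORCE_DIR_MODE = 0o2777
# Assumption: Linux xattr names under which POSIX ACLs are stored.
ACL_XATTRS = {"system.posix_acl_access", "system.posix_acl_default"}


def missing_bits(mode, required=FORCE_DIR_MODE):
    """Bits of `required` that are absent from an st_mode value."""
    return required & ~stat.S_IMODE(mode)


def has_posix_acl(path):
    """True if the path carries a POSIX ACL (the '+' in ls -ld). Linux only."""
    if not hasattr(os, "listxattr"):
        return False
    try:
        return bool(ACL_XATTRS & set(os.listxattr(path, follow_symlinks=False)))
    except OSError:
        return False


def audit_tree(root, required=FORCE_DIR_MODE):
    """Return (path, ls-style mode, missing bits in octal, has_acl) for each
    directory below `root` whose mode lacks any bit of `required`."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue  # symlink to a directory: not a share directory itself
            gap = missing_bits(st.st_mode, required)
            if gap:
                findings.append((path, stat.filemode(st.st_mode),
                                 oct(gap), has_posix_acl(path)))
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding)
```

Run against /testshare after the permission change, the ACL build's result (drwxrwxrwx+) would be listed with 0o2000 missing, while the no-ACL build's result (drwxrwsrwx+) would not appear.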