Bug 7169 - acl group control = yes fails after upgrading from samba 3.2.8 to 3.4.5
Status: NEW
Product: Samba 3.4
Classification: Unclassified
Component: File services
Version: 3.4.5
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2010-02-23 02:29 UTC by Erik Sørnes
Modified: 2010-02-23 02:36 UTC (History)

Attachments
This is a debug-run from the user being able to change security for folder test2 (922.89 KB, text/plain)
2010-02-23 02:32 UTC, Erik Sørnes
This is a debug-run from the user not being able to change security for folder test2 (983.54 KB, application/octet-stream)
2010-02-23 02:36 UTC, Erik Sørnes

Description Erik Sørnes 2010-02-23 02:29:56 UTC
In samba 3.2.8, "acl group control = yes" made it possible for Windows users who were members of the posix owner group on a file or folder to manipulate its rights from the Windows NT security dialog box, even if the posix owner group had "---" rights on the file or folder.

In samba 3.4.5 the user who is a member of the posix owner group _must_ have "rwx" on the file or folder for him to be able to change the security settings from Windows. If the user has "rw-", "-wx", "r-x" or anything less than "rwx", he only gets to view the security settings, not change them.

The clients experiencing these problems are windows2000 and windows2003R2 (which are all the clients we have).
The production Linux server which is experiencing the problem is running sles10sp2; the test server I use to debug the problem is running sles11.

uname -a:
Linux erso-desktop 2.6.27.42-0.1-default #1 SMP 2010-01-06 16:07:25 +0100 x86_64 x86_64 x86_64 GNU/Linux

smb.conf (on testserver):
[global]
        server string = Samba fra erso
        passdb backend = tdbsam:/samba-3.4.5/private/passdb.tdb
        comment = testsone
        workgroup = testgroup
        security = server
        log level = 10
        max log size = 0
        debug hires timestamp = yes
        debug pid = yes
        printcap name = /etc/printcap
        disable spoolss = yes
        map to guest = Bad User
        usershare allow guests = No
        netbios name = testpc
        wins support = No

[test$]
        comment = testshare
        path=/testshare
        acl group control = yes
        writable=yes
        browsable=yes
        force directory security mode = 2777

No winbind or nmbd, just one smbd-process running in foreground.

I will upload 2 debug 10 logfiles.

Case 1) smb.log.acl-group-control.470.can-change
erso-desktop:/samba-3.4.5/sbin # ls -lat /testshare/test2
total 8
dr--rw---- 2 root gruppetest 4096 Feb 23 08:59 .
drwxrwxrwx 3 root root       4096 Feb 23 08:59 ..

Case 2) smb.log.acl-group-control.460.fane-cannot-change
erso-desktop:/samba-3.4.5/sbin # ls -lat /testshare/test2
total 8
dr--rw---- 2 root gruppetest 4096 Feb 23 08:59 .
drwxrwxrwx 3 root root       4096 Feb 23 08:59 ..

The logged on user is "Administrator" in both cases. Here are the entries from /etc/passwd:
Administrator:x:123:123:Administrator:/home/administrator:/bin/false
and from /etc/group:
gruppetest:x:123

This is very strange. I am not positively sure the user in these cases is supposed to see and change security, even though he has "---" on the folder. The smb.conf man pages could be clearer here.
But I think he should be able to see and change them if he has "rw-" on the folder, which is not the case in samba 3.4.5.

regards
-ERIK
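
An added example, not part of the original report or of Samba's code: a Python audit script that walks a share path and lists every entry whose POSIX owning group has less than "rwx", the condition under which the reporter saw 3.4.5 refuse ACL changes despite "acl group control = yes". The function names and the sample tree (modelled on the /testshare/test2 listing above) are constructed for illustration.

```python
import os
import stat
import tempfile

RWX = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP

def group_bits(mode):
    """Return the owning-group permission bits as an 'rwx'-style string."""
    pairs = (("r", stat.S_IRGRP), ("w", stat.S_IWGRP), ("x", stat.S_IXGRP))
    return "".join(ch if mode & bit else "-" for ch, bit in pairs)

def affected_paths(root):
    """Return sorted [(path, gid, bits)] for entries whose group lacks full rwx.

    Per the report, these are the entries where members of the owning group
    could only view, not change, the ACL on 3.4.5.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)          # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & RWX != RWX:
                hits.append((path, st.st_gid, group_bits(st.st_mode)))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and return the flagged (name, bits) pairs."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o777)            # drwxrwxrwx, like /testshare/..
        for name, mode in (("test2", 0o460), ("full", 0o770)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        found = [(os.path.relpath(p, root), bits)
                 for p, _gid, bits in affected_paths(root)]
        os.chmod(os.path.join(root, "test2"), 0o700)  # allow temp-dir cleanup
        return found

if __name__ == "__main__":
    for name, bits in demo():
        print(f"{name}: group has '{bits}', delegated ACL change may be refused")
```

Running `affected_paths()` against the real share path before an upgrade gives the list of folders where delegated ACL management would change behaviour as described in this report.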
Comment 1 Erik Sørnes 2010-02-23 02:32:05 UTC
Created attachment 5412 [details]
This is a debug-run from the user being able to change security for folder test2

This is an smbd-debug-level10-log from the user
1) browsing \\<ipadress>\test$ and then
2) watching the security tab on folder test2, seeing that he is able to change security here
Comment 2 Erik Sørnes 2010-02-23 02:36:34 UTC
Created attachment 5413 [details]
This is a debug-run from the user not being able to change security for folder test2

This is a debug-10-log from smbd when the user:
1) browses \\<ipadress-of-samba-server>\test$
2) opens up the security-tab on folder test2, observing (and getting pop-up-notice from Windows) that he can only view these settings

Both this and the last debug-attachment were run from windows2000sp4