Bug 7532 - The security view of properties of a shared file or directory always has the user 'everyone', can not delete.
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: Domain Control
Version: unspecified
Hardware: All Windows XP
Importance: P3 normal
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact

Reported: 2010-06-24 01:04 UTC by wenhai
Modified: 2010-06-25 15:32 UTC

Attachments
We have fixed the bug and tested Samba in an AD domain. This fix is based on Samba 3.5.3; we wish it to be merged as soon as possible. (80.29 KB, patch)
2010-06-24 01:13 UTC, wenhai

Description wenhai 2010-06-24 01:04:56 UTC
OS: Windows XP, Windows 2003 Server, Windows 2008 Server as client.

Samba share to the clients with administrator ACL.

The administrator client cannot delete the user "everyone" and the user group "domain users", or "users", even if they all have NULL ACL.
Comment 1 wenhai 2010-06-24 01:13:55 UTC
Created attachment 5805

We have fixed the bug and tested Samba in an AD domain.
This fix is based on Samba 3.5.3; we wish it to be merged as soon as possible.
Comment 2 Volker Lendecke 2010-06-24 02:19:11 UTC
One question:

What language and charset are your comments written in?

Thanks,

Volker
Comment 3 wenhai 2010-06-24 11:18:19 UTC
(In reply to comment #2)
> One question:
> What language and charset are your comments written in?
> Thanks,
> Volker

We come from China; the comments are written in Simplified Chinese.
Comment 4 Volker Lendecke 2010-06-24 12:49:28 UTC
Can you re-submit with English comments, and as a diff?

Thanks,

Volker
Comment 5 Jeremy Allison 2010-06-24 13:01:24 UTC
I'm trying to understand exactly what you want and expect here. If you're mapping to underlying POSIX permissions, then not being able to delete group and everyone is by design. If you're using an underlying ACL store to store Windows ACLs, and you can't delete group and everyone, then that is a bug.

What is the underlying issue you're trying to correct? Also seeing the change as a unified diff would really help.

Thanks,

Jeremy.
Comment 6 wenhai 2010-06-25 13:39:06 UTC
(In reply to comment #4)
> Can you re-submit with english comments, and as a diff?
> Thanks,
> Volker

My English is just so-so. I may not express myself exactly.
I'll have a try as you request.
Comment 7 wenhai 2010-06-25 13:46:43 UTC
(In reply to comment #5)
> I'm trying to understand exactly what you want and expect here. If you're
> mapping to underlying POSIX permissions, then not being able to delete group
> and everyone is by design. If you're using an underlying ACL store to store
> Windows ACLs, and you can't delete group and everyone, then that is a bug.
> What is the underlying issue you're trying to correct ? Also seeing the change
> as a unified diff would really help.
> Thanks,
> Jeremy.


We don't change the underlying, but just change the view of the client.

When the client wants to see the security properties of a shared file or directory, if the 'everyone' user has no access rights, it should not be seen at all.

So we make a filter function: those ACEs that have no access rights in the response DACL to the client are filtered out.
Comment 8 Jeremy Allison 2010-06-25 13:53:49 UTC
Ah, so this is simply a user-visible modification. The correct way to do this is not to change the core Samba code, but to write a VFS module that hooks the two functions:

fget_nt_acl
get_nt_acl

to make the change you require. That way it's an optional feature you can load on any share you think requires it.

Jeremy.
Comment 9 wenhai 2010-06-25 14:02:05 UTC
(In reply to comment #8)
> Ah, so this is simply an user visible modification. The correct way to do this
> is not to change the core Samba code, but to write a VFS module that hooks the
> two functions :
> fget_nt_acl
> get_nt_acl
> to make the change you require. That way it's an optional feature you can load
> on any share you think requires it.
> Jeremy.

Thanks for your quick reply.
It's a good idea.
I am not familiar with VFS of samba yet.
Comment 10 wenhai 2010-06-25 14:10:14 UTC
It's 3 AM in my home, I have to go to sleep.
Thank you all!
Comment 11 wenhai 2010-06-25 15:29:05 UTC
(In reply to comment #8)
> Ah, so this is simply an user visible modification. The correct way to do this
> is not to change the core Samba code, but to write a VFS module that hooks the
> two functions :
> 
> fget_nt_acl
> get_nt_acl
> 
> to make the change you require. That way it's an optional feature you can load
> on any share you think requires it.
> 
> Jeremy.
> 

Both of these functions, fget_nt_acl / get_nt_acl,
call get_nt_acl_internal.
Is it better to change get_nt_acl_internal and make a filter in it?

Comment 12 Jeremy Allison 2010-06-25 15:32:00 UTC
No. What I'm saying is you need to write a filter VFS module, that hooks those two functions, calls the underlying VFS call (using the _NEXT method) and then filters the ACL returned based on your criteria. You will be writing new code, not changing any existing Samba code.

Jeremy.
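
Added example, not part of the bug thread and not Samba code: a stand-alone C model of the filter layer described in comment 12, where a hook calls the next layer and then drops ACEs with an empty access mask from the returned DACL. The types, function names and sample ACL are hypothetical and constructed for illustration; a real module would use Samba's VFS interface instead.

```c
/* Stand-alone model of a stacked ACL-view filter; NOT Samba's VFS API, all names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct ace  { const char *trustee; uint32_t access_mask; };
struct dacl { size_t num_aces; struct ace aces[8]; };
typedef int (*get_acl_fn)(const char *path, struct dacl *out);

/* Stand-in for the next layer down. Constructed sample data. */
static int backend_get_acl(const char *path, struct dacl *out)
{
    static const struct ace sample[] = {
        { "DOM\\alice",        0x001F01FF }, /* full control */
        { "DOM\\Domain Users", 0x00000000 }, /* grants nothing */
        { "Everyone",          0x00000000 }, /* grants nothing */
        { "DOM\\bob",          0x00120089 }, /* generic read */
    };
    if (path == NULL) return -1;             /* simulated lookup failure */
    out->num_aces = sizeof(sample) / sizeof(sample[0]);
    for (size_t i = 0; i < out->num_aces; i++) out->aces[i] = sample[i];
    return 0;
}

/* Drop ACEs whose access mask is empty, keeping order; returns count removed. */
size_t filter_empty_aces(struct dacl *d)
{
    size_t kept = 0;
    for (size_t i = 0; i < d->num_aces; i++)
        if (d->aces[i].access_mask != 0) d->aces[kept++] = d->aces[i];
    size_t removed = d->num_aces - kept;
    d->num_aces = kept;
    return removed;
}

/* The hook: ask the next layer first, filter only a successful answer. */
int filtered_get_acl(get_acl_fn next, const char *path, struct dacl *out)
{
    int rc = next(path, out);
    if (rc != 0) return rc;                  /* errors pass through untouched */
    filter_empty_aces(out);
    return 0;
}
int main(void)
{
    struct dacl d;
    if (filtered_get_acl(backend_get_acl, "share/file.txt", &d) != 0) return 1;
    for (size_t i = 0; i < d.num_aces; i++)
        printf("%s 0x%08X\n", d.aces[i].trustee, (unsigned)d.aces[i].access_mask);
    return 0;
}
```

The filter changes only the list handed back to the client; the stored ACL and the access checks made against it are untouched, which matches the "view only" intent stated in comment 7.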