OS: Windows XP, Windows 2003 Server, Windows 2008 Server as clients. Samba share to the clients with administrator ACL. The administrator client cannot delete the user "everyone" and the user group "domain users" or "users", even if they all have NULL ACL.
Created attachment 5805
We have fixed the bug and tested Samba in an AD domain. This fix is based on Samba 3.5.3; we wish it to be merged as soon as possible.
One question: What language and charset are your comments written in? Thanks, Volker
(In reply to comment #2)
> One question:
> What language and charset are your comments written in?
> Thanks,
> Volker
We come from China; the comments are written in simplified Chinese.
Can you re-submit with english comments, and as a diff? Thanks, Volker
I'm trying to understand exactly what you want and expect here. If you're mapping to underlying POSIX permissions, then not being able to delete group and everyone is by design. If you're using an underlying ACL store to store Windows ACLs, and you can't delete group and everyone, then that is a bug. What is the underlying issue you're trying to correct ? Also seeing the change as a unified diff would really help. Thanks, Jeremy.
(In reply to comment #4)
> Can you re-submit with english comments, and as a diff?
> Thanks,
> Volker
My English is just so-so. I may not express myself exactly. I'll have a try as you request.
(In reply to comment #5)
> I'm trying to understand exactly what you want and expect here. If you're
> mapping to underlying POSIX permissions, then not being able to delete group
> and everyone is by design. If you're using an underlying ACL store to store
> Windows ACLs, and you can't delete group and everyone, then that is a bug.
> What is the underlying issue you're trying to correct ? Also seeing the change
> as a unified diff would really help.
> Thanks,
> Jeremy.
We don't change the underlying, but just change the view of the client. When the client wants to see the security properties of a shared file or directory, if the 'everyone' user has no access rights, it should not be seen at all. So we made a filter function: ACEs with no access rights in the response DACL to the client are filtered out.
Ah, so this is simply a user-visible modification. The correct way to do this is not to change the core Samba code, but to write a VFS module that hooks the two functions:
fget_nt_acl
get_nt_acl
to make the change you require. That way it's an optional feature you can load on any share you think requires it. Jeremy.
(In reply to comment #8)
> Ah, so this is simply an user visible modification. The correct way to do this
> is not to change the core Samba code, but to write a VFS module that hooks the
> two functions :
> fget_nt_acl
> get_nt_acl
> to make the change you require. That way it's an optional feature you can load
> on any share you think requires it.
> Jeremy.
Thanks for your quick reply. It's a good idea. I am not familiar with the VFS of Samba yet.
It's 3 AM in my home, I have to go to sleep. Thank you all!
(In reply to comment #8)
> Ah, so this is simply an user visible modification. The correct way to do this
> is not to change the core Samba code, but to write a VFS module that hooks the
> two functions :
>
> fget_nt_acl
> get_nt_acl
>
> to make the change you require. That way it's an optional feature you can load
> on any share you think requires it.
>
> Jeremy.
>
Both of these functions, fget_nt_acl / get_nt_acl, call get_nt_acl_internal. Is it better to change get_nt_acl_internal and make a filter in it?
No. What I'm saying is you need to write a filter VFS module, that hooks those two functions, calls the underlying VFS call (using the _NEXT method) and then filters the ACL returned based on your criteria. You will be writing new code, not changing any existing Samba code. Jeremy.
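The approach described in the comment above, modelled as an added example (not code from this thread or from Samba): a hook calls the next layer's ACL fetch, then drops zero-mask ACEs from the returned copy only. The struct types, function names and sample ACL are simplified, constructed stand-ins, not Samba's VFS API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not Samba's real ACE/ACL structures. */
struct ace { const char *trustee; uint32_t access_mask; };
struct acl { size_t num_aces; struct ace aces[8]; };
typedef int (*get_acl_fn)(const char *path, struct acl *out); /* models the _NEXT call */

/* Constructed sample: the DACL a POSIX-mapped backend might report. */
static int backend_get_acl(const char *path, struct acl *out)
{
    static const struct ace sample[] = {
        { "Administrator", 0x001F01FF },   /* full control */
        { "Domain Users",  0x00000000 },   /* group entry, no rights */
        { "Everyone",      0x00000000 },   /* other entry, no rights */
    };
    (void)path;
    out->num_aces = sizeof(sample) / sizeof(sample[0]);
    memcpy(out->aces, sample, sizeof(sample));
    return 0;
}

/* Drop ACEs whose access mask is empty, compacting in place; returns number removed. */
static size_t filter_empty_aces(struct acl *dacl)
{
    size_t kept = 0, before = dacl->num_aces;
    for (size_t i = 0; i < before; i++)
        if (dacl->aces[i].access_mask != 0)
            dacl->aces[kept++] = dacl->aces[i];
    dacl->num_aces = kept;
    return before - kept;
}

/* The hook: fetch from the next layer first, then filter only the client's view. */
static int filtered_get_acl(get_acl_fn next, const char *path, struct acl *out)
{
    int rc = next(path, out);
    if (rc == 0) filter_empty_aces(out);   /* errors pass through untouched */
    return rc;
}

int main(void)
{
    struct acl view;
    int rc = filtered_get_acl(backend_get_acl, "share/file.txt", &view);
    for (size_t i = 0; rc == 0 && i < view.num_aces; i++)
        printf("%s 0x%08X\n", view.aces[i].trustee, (unsigned)view.aces[i].access_mask);
    return rc;
}
```

The stored permissions are never modified; only the descriptor handed back to the client changes, which is why this belongs in an optional per-share module.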
You might want to use acl_xattr also, which permits deleting the everyone ACE; with filesystem-based ACLs, everyone comes in via the traditional Unix permissions.