Bug 8164 - ACLs - read/write permission become read only
ACLs - read/write permission become read only
Status: NEW
Product: Samba 3.2
Classification: Unclassified
Component: User & Group Accounts
3.2.5
x64 Linux
: P5 major
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-25 09:38 UTC by Axel Werner
Modified: 2011-06-16 13:17 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Axel Werner 2011-05-25 09:38:23 UTC
A few Days ago i posted this on the SAMBA Mailing list for further discussion. Since the responses been very rare and the resulting picture of this case didnt realy cleared up well i decided to report this as a bug in Samba 3.2.5 (BUT may also affect Samba 3.5.6 as reported by TAKAHASHI Motonobu <monyo@samba.gr.jp> )

IN SHORT:
- READ+WRITE becomes READ ONLY
- OWNER ACL Permissions for "another User" affects Group ACL Permissions


i recently figured some strange behaviour on our Debian 5 (Lenny, uname 2.6.26-2-686) + Samba 2:3.2.5-4lenny14 server that i would like to report here. I cannot tell apart if its a bug or just lack of understanding. But i think this not working as someone would expect from its configuration.

Here is the Scenario:

I got a samba shared Directory like this:

host:/someparentdirs/_AW_TEST# ls -lad .
d---rws---+ 3 root root 4096 2011-05-23 10:33 .
host:/someparentdirs/_AW_TEST#


host:/someparentdirs/_AW_TEST# getfacl .
# file: .
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
group:CCIGUESTS:rwx
mask::rwx
other::---
default:user::---
default:group::---
default:group:ALL:rwx
default:mask::rwx
default:other::---


As u can see the Group "ALL" is granted RWX. ANYTHING ELSE is been set to owner root.root with 000 Permissions.

This Directory contains several Files. a .txt a .doc and a .xls as u can see here:

host:/someparentdirs/_AW_TEST# ls -la
total 56
d---rws---+  3 root root  4096 2011-05-23 10:33 .
drwxrws---+ 32 root root  4096 2011-05-20 12:40 ..
----rwx---+  1 root root 13824 2011-05-20 16:15 excel1.xls
----rwx---+  1 root root    24 2011-05-20 16:15 file1.txt
----rwx---+  1 root root 24064 2011-05-20 16:15 word1.doc
host:/someparentdirs/_AW_TEST#


ACLs on those Files are set similar:

host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#



NOW a given Regular Windows-User "wernera" which is MEMBER OF "ALL" is supposed to have READ-/WRITE PERSMISSIONS on those Files, right?? At least i would expect that.

But Fact is, that in this configuration my user "wernera" can only access these Files "READ ONLY", independent of what Windows Application used. He will be able to creat new files and all. But those existing Files became READONLY for some reason.


IF i now change that ACLs to something like this (only the OWNERS Part changed) ...

host:/someparentdirs/_AW_TEST# getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::rwx
group::---
group:ALL:rwx
mask::rwx
other::---
host:/someparentdirs/_AW_TEST#

... the hole Thing starts to work just as expected. Even though the "root" User should not matter here.


BTW: The User "wernera" as a regular User CAN write to those Files from the Linux Console (via ssh using vim or such for example) as i would expect. So it "looks like" a Samba only problem.



Any Ideas wtf is going on here ?????



Here are my Configs:


Kernel:

uname -r : 2.6.26-2-686
-------------------------

Samba:

dpkg -l |grep -i samba
samba                             2:3.2.5-4lenny14 samba-common                      2:3.2.5-4lenny14
samba-doc                         2:3.2.5-4lenny14 samba-doc-pdf                     2:3.2.5-4lenny14 smbldap-tools                     0.9.4-1 -------------------------


ACL Tools:

dpkg -l | grep -i acl
ii  acl                               2.2.47-2
ii  libacl1                           2.2.47-2

-------------------------
Samba Config:

grep -v -e '^[[:space:]]*#' -e '^$' /etc/samba/smb.conf

[global]
        domain logons = Yes
        domain master = auto
        workgroup = xxx
        server string =
        os level = 66
        dns proxy = No
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
        guest account = nobody
        socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
        passdb backend =
ldapsam:"ldap://localhost.domain.de"
        encrypt passwords = true
        obey pam restrictions = yes
        unix password sync = no
        check password script = /sbin/crackcheck -c -d
/var/cache/cracklib/cracklib_dict
        ldap suffix = dc=someou,dc=someou,dc=de
        ldap admin dn =
cn=admin,dc=someou,dc=someou,dc=de
        ldap group suffix = ou=groups
        ldap user suffix = ou=people
        ldap machine suffix = ou=people
        ldap idmap suffix = ou=idmap
        ldap passwd sync = no
        ldap ssl = start tls
        ldap delete dn = no
        add machine script = /usr/sbin/smbldap-useradd -t 0
-w "%u"
        debug pid = yes
        log level = 0 auth:3
        log file = /var/log/samba/samba.log
        max log size = 10000
        syslog only = yes
        syslog = 1000
        logon drive = h:
        logon home=\\host\%U
        logon script = scripts\logon.cmd
        logon path =
        show add printer wizard = no
        inherit acls = yes
        inherit owner = no
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mask = 0600
   directory mask = 0700
[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   admin users = root
   guest ok = yes
   browsable = yes
   writable = no
   write list = @itadmin, root, Administrator
[I]
   comment = Drive I
   path = /data1/I/
   browseable = yes
   writable = yes
   create mask = 0660
   directory mask = 0770

-------------------------





THANKS FOR ANY HELP!

Best regards
Axel Werner
Comment 1 Björn Jacke 2011-06-16 10:19:12 UTC
can you have a look if you still have the described isssues with 3.5.9 ?
Comment 2 Axel Werner 2011-06-16 13:17:46 UTC
(In reply to comment #1)
> can you have a look if you still have the described isssues with 3.5.9 ?

would love to, but sadly, no. ATM im not allowed to spend any further time into that. i just hoped that in the first step ill get an answer if this is a BUG or a feature. 

hopefully someone more experienced and better prepared can test this. 
best wishes
Axel