A few days ago I posted this on the SAMBA mailing list for further discussion. Since the responses have been very rare and the resulting picture of this case didn't really clear up well, I decided to report this as a bug in Samba 3.2.5 (BUT may also affect Samba 3.5.6 as reported by TAKAHASHI Motonobu <monyo@samba.gr.jp>).

IN SHORT:
- READ+WRITE becomes READ ONLY
- OWNER ACL permissions for "another user" affect group ACL permissions

I recently figured some strange behaviour on our Debian 5 (Lenny, uname 2.6.26-2-686) + Samba 2:3.2.5-4lenny14 server that I would like to report here. I cannot tell apart if it's a bug or just lack of understanding. But I think this is not working as someone would expect from its configuration.

Here is the scenario:

I got a Samba shared directory like this:

    host:/someparentdirs/_AW_TEST# ls -lad .
    d---rws---+ 3 root root 4096 2011-05-23 10:33 .
    host:/someparentdirs/_AW_TEST#
    host:/someparentdirs/_AW_TEST# getfacl .
    # file: .
    # owner: root
    # group: root
    user::---
    group::---
    group:ALL:rwx
    group:CCIGUESTS:rwx
    mask::rwx
    other::---
    default:user::---
    default:group::---
    default:group:ALL:rwx
    default:mask::rwx
    default:other::---

As you can see the group "ALL" is granted RWX. ANYTHING ELSE has been set to owner root.root with 000 permissions.

This directory contains several files: a .txt, a .doc and a .xls, as you can see here:

    host:/someparentdirs/_AW_TEST# ls -la
    total 56
    d---rws---+  3 root root  4096 2011-05-23 10:33 .
    drwxrws---+ 32 root root  4096 2011-05-20 12:40 ..
    ----rwx---+  1 root root 13824 2011-05-20 16:15 excel1.xls
    ----rwx---+  1 root root    24 2011-05-20 16:15 file1.txt
    ----rwx---+  1 root root 24064 2011-05-20 16:15 word1.doc
    host:/someparentdirs/_AW_TEST#

ACLs on those files are set similarly:

    host:/someparentdirs/_AW_TEST# getfacl file1.txt
    # file: file1.txt
    # owner: root
    # group: root
    user::---
    group::---
    group:ALL:rwx
    mask::rwx
    other::---
    host:/someparentdirs/_AW_TEST#

NOW a given regular Windows user "wernera" which is MEMBER OF "ALL" is supposed to have READ/WRITE PERMISSIONS on those files, right?? At least I would expect that.

But the fact is that in this configuration my user "wernera" can only access these files "READ ONLY", independent of what Windows application is used. He will be able to create new files and all. But those existing files became READONLY for some reason.

IF I now change the ACLs to something like this (only the OWNER's part changed) ...

    host:/someparentdirs/_AW_TEST# getfacl file1.txt
    # file: file1.txt
    # owner: root
    # group: root
    user::rwx
    group::---
    group:ALL:rwx
    mask::rwx
    other::---
    host:/someparentdirs/_AW_TEST#

... the whole thing starts to work just as expected. Even though the "root" user should not matter here.

BTW: The user "wernera" as a regular user CAN write to those files from the Linux console (via ssh using vim or such, for example) as I would expect. So it "looks like" a Samba-only problem.

Any ideas wtf is going on here ?????

Here are my configs:

Kernel:

    uname -r : 2.6.26-2-686

-------------------------
Samba:

    dpkg -l |grep -i samba
    samba           2:3.2.5-4lenny14
    samba-common    2:3.2.5-4lenny14
    samba-doc       2:3.2.5-4lenny14
    samba-doc-pdf   2:3.2.5-4lenny14
    smbldap-tools   0.9.4-1

-------------------------
ACL Tools:

    dpkg -l | grep -i acl
    ii acl      2.2.47-2
    ii libacl1  2.2.47-2

-------------------------
Samba Config:

    grep -v -e '^[[:space:]]*#' -e '^$' /etc/samba/smb.conf

    [global]
    domain logons = Yes
    domain master = auto
    workgroup = xxx
    server string =
    os level = 66
    dns proxy = No
    wins support = Yes
    panic action = /usr/share/samba/panic-action %d
    guest account = nobody
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    passdb backend = ldapsam:"ldap://localhost.domain.de"
    encrypt passwords = true
    obey pam restrictions = yes
    unix password sync = no
    check password script = /sbin/crackcheck -c -d /var/cache/cracklib/cracklib_dict
    ldap suffix = dc=someou,dc=someou,dc=de
    ldap admin dn = cn=admin,dc=someou,dc=someou,dc=de
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=people
    ldap idmap suffix = ou=idmap
    ldap passwd sync = no
    ldap ssl = start tls
    ldap delete dn = no
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    debug pid = yes
    log level = 0 auth:3
    log file = /var/log/samba/samba.log
    max log size = 10000
    syslog only = yes
    syslog = 1000
    logon drive = h:
    logon home=\\host\%U
    logon script = scripts\logon.cmd
    logon path =
    show add printer wizard = no
    inherit acls = yes
    inherit owner = no

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
    create mask = 0600
    directory mask = 0700

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    admin users = root
    guest ok = yes
    browsable = yes
    writable = no
    write list = @itadmin, root, Administrator

    [I]
    comment = Drive I
    path = /data1/I/
    browseable = yes
    writable = yes
    create mask = 0660
    directory mask = 0770

-------------------------

THANKS FOR ANY HELP!

Best regards
Axel Werner
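
Added example, not part of the original report or of Samba's code: a small Python evaluation of the POSIX.1e access check over the two getfacl listings for file1.txt above. It shows that a non-owner member of "ALL" gets rwx in both cases, and that the only thing changing between them is the owner write bit, which is the bit Samba's documented `map readonly = yes` default uses to report the DOS read-only attribute. Whether that mapping is what the reporter hit is an assumption the thread does not confirm; the function names are hypothetical.

```python
# Added example: constructed from the two getfacl listings for file1.txt in the report.
BEFORE = """# file: file1.txt
# owner: root
# group: root
user::---
group::---
group:ALL:rwx
mask::rwx
other::---
"""
AFTER = BEFORE.replace("user::---", "user::rwx")  # only the owner entry differs

def parse_acl(text):
    """Parse getfacl output into owner, owning group and access entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            acl["entries"].append((tag, qualifier, set(perms) - {"-"}))
    return acl

def entry(acl, tag, qualifier=""):
    return next((p for t, q, p in acl["entries"] if (t, q) == (tag, qualifier)), None)

def posix_access(acl, user, groups):
    """Permissions the POSIX.1e check grants, evaluated one permission at a time."""
    mask = entry(acl, "mask")
    mask = set("rwx") if mask is None else mask
    named = entry(acl, "user", user)
    if user == acl["owner"]:
        perms = entry(acl, "user")            # owner entry, mask not applied
    elif named is not None:
        perms = named & mask
    else:
        hits = [p for t, q, p in acl["entries"] if t == "group"
                and (q in groups or (q == "" and acl["group"] in groups))]
        perms = set().union(*hits) & mask if hits else entry(acl, "other")
    return "".join(c if c in perms else "-" for c in "rwx")

def owner_write_bit(acl):
    """The bit Samba's documented `map readonly = yes` default inspects."""
    return "w" in entry(acl, "user")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        acl = parse_acl(text)
        print(name, posix_access(acl, "wernera", {"ALL"}), owner_write_bit(acl))
```
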
Can you have a look if you still have the described issues with 3.5.9?
(In reply to comment #1)
> can you have a look if you still have the described issues with 3.5.9 ?

Would love to, but sadly, no. ATM I'm not allowed to spend any further time on that. I just hoped that in the first step I'll get an answer if this is a BUG or a feature. Hopefully someone more experienced and better prepared can test this.

Best wishes
Axel