
[Samba] Inherited ACLs can not be removed

#1  06-12-2008  Andreas Büsching

Hi,

I have a problem with the inheritance of ACLs, respectively the removal of the
inherited ACLs in subdirectories. The following scenario:

By default the access rights (including ACLs) should be inherited, but it
should also be possible to remove the access rights from any subdirectory.
Therefore I've set up the following configuration:

[Finanzen]
path = /shares/finanzen
msdfs root = no
writeable = yes
browseable = yes
public = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
security mask = 0777
directory security mask = 0777
force security mode = 00
force directory security mode = 00
locking = 1
blocking locks = 1
strict locking = 0
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
inherit owner = no
inherit permissions = yes
dos filemode = no


root@qamaster:/shares# getfacl finanzen/
# file: finanzen
# owner: crunchy
# group: Share\040Admins
user::rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---

The ACLs for Domain Users were set with a Windows client; after that a
subdirectory TEST01 was created (BTW the group sticky bit is set):

root@qamaster:/shares# getfacl finanzen/TEST01/
# file: finanzen/TEST01
# owner: crunchy
# group: Share\040Admins
user::rwx
user:root:rwx
group::rwx
group:Domain\040Users:r--
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:Domain\040Users:r--
default:mask::rwx
default:other::---

When I try to remove the access rights for Domain Users on TEST01 (via
Properties->tab Security->button Advanced...) the following happens: clicking
the remove button results in the disappearance of the entry; as expected.
After clicking the apply button the entry is back again in the list.

It looks like 'inherit acls' does not allow removing the inherited access
rights on subdirectories.

When I remove the access to TEST01 for Domain Users with setfacl [-d] -x ...
(POSIX ACLs and Default POSIX ACLs) and add any other access right to the
directory via Windows the access rights for Domain Users are added again.

Has anyone an idea why this happens? Is there a mistake in my configuration?

If you need any further information just ask.

thanks in advance
Andreas

--
Andreas Büsching <buesching@univention.de> fon: +49 421 22 232- 0
Entwicklung Linux for Your Business
Univention GmbH http://www.univention.de/ fax: +49 421 22 232-99

#2  06-13-2008  Andreas Büsching
Re: [Samba] Inherited ACLs can not be removed

Hi,

I have more information about the problem:

a) It does not have anything to do with inheritance
b) adding ACLs works
c) removing ACLs does not work (with a 'real' Windows client)

I did the following test:

- access rights:
drwxrws--- 2 crunchy Share Admins 1024 2008-05-23 21:45 /shares/finanzen/

- add r-x rights for Domain Users with a Windows XP Client (logged in as
crunchy) -> works
- remove access rights for Domain Users -> does not work

I repeated the test with smbcacls:

- smbcacls -U crunchy -a ACL:Domain\ Users:ALLOWED/2/READ //qamaster/finanzen /

- smbcacls -U crunchy //qamaster/finanzen /
Password:
REVISION:1
OWNER:UNIVENTION+crunchy
GROUP:UNIVENTION+Share Admins
ACL:UNIVENTION+crunchy:ALLOWED/0/FULL
ACL:UNIVENTION+Domain Users:ALLOWED/0/READ
ACL:UNIVENTION+Share Admins:ALLOWED/0/FULL
ACL:+Everyone:ALLOWED/0/FULL

- smbcacls -U crunchy -D ACL:Domain\ Users:ALLOWED/0/READ //qamaster/finanzen /
Password:

- smbcacls -U crunchy //qamaster/finanzen /
Password:
REVISION:1
OWNER:UNIVENTION+crunchy
GROUP:UNIVENTION+Share Admins
ACL:UNIVENTION+crunchy:ALLOWED/0/FULL
ACL:UNIVENTION+Share Admins:ALLOWED/0/FULL
ACL:+Everyone:ALLOWED/0/FULL

With smbcacls it works, but not with the Windows XP Client. BTW I'm using
samba version 3.0.26a

any idea?

regards
Andreas

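
Added example, not part of the original posts: a small check that compares two smbcacls listings in the format shown in post #2 and reports which ACEs were removed or came back, so a removal that silently fails to apply is caught mechanically. The two listings are copied from post #2; the function names and the handling of "+" as the domain separator are assumptions of this example.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    trustee: str  # e.g. "UNIVENTION+Domain Users"
    type: str     # ALLOWED or DENIED
    flags: str    # flags field as printed by smbcacls
    mask: str     # READ, FULL, ... as printed by smbcacls

def parse_smbcacls(text):
    """Return the set of ACEs found on the ACL: lines of a listing."""
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ACL:"):
            continue  # REVISION/OWNER/GROUP lines and the Password: prompt
        # Trustee names can contain spaces, so split off the spec from the right.
        trustee, spec = line[len("ACL:"):].rsplit(":", 1)
        ace_type, flags, mask = spec.split("/", 2)
        aces.add(Ace(trustee, ace_type, flags, mask))
    return aces

def diff_aces(before, after):
    """Return (removed, added) ACE sets between two parsed listings."""
    return before - after, after - before

def entries_for(aces, name):
    """ACEs whose trustee is `name`, ignoring a DOMAIN+ prefix (assumed separator)."""
    return sorted(a for a in aces if a.trustee.split("+", 1)[-1] == name)

# Listings copied from post #2 (before and after the smbcacls -D call).
BEFORE = """Password:
REVISION:1
OWNER:UNIVENTION+crunchy
GROUP:UNIVENTION+Share Admins
ACL:UNIVENTION+crunchy:ALLOWED/0/FULL
ACL:UNIVENTION+Domain Users:ALLOWED/0/READ
ACL:UNIVENTION+Share Admins:ALLOWED/0/FULL
ACL:+Everyone:ALLOWED/0/FULL
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if "Domain Users" not in l)

if __name__ == "__main__":
    removed, added = diff_aces(parse_smbcacls(BEFORE), parse_smbcacls(AFTER))
    print("removed:", sorted(removed))
    print("added:  ", sorted(added))
    left = entries_for(parse_smbcacls(AFTER), "Domain Users")
    print("Domain Users still granted:" if left else "Domain Users entry gone", left)
```

Run the same comparison on a listing taken after the change was applied from the Windows client: if entries_for() still returns the Domain Users ACE, the removal did not take effect on the server.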
