Hello Dale,
thanks for feedback but I already know these lines. When "vfs object =
acl_xattr" is used, "inherit acls" automatically is enabled.
"Inherit owner" is not relevant in this context, and "inherit permissions" is
also not affecting this issue. I have tested the same share settings on a samba4
server, and there it works as expected without any issue. So my conclusion is,
that something is weird in samba 3.5.6 in this context.
Lucas.
Tue, 21 May 2013 21:33:42 +0400, Dale Schroeder wrote:
For your situation, would some
combination of the "inherit" parameters shown below work better
for you than the mode/mask parameters?
Dale
inherit acls (S)
This parameter can be used to ensure that if default acls
exist on parent directories, they are always honored when
creating a new file or subdirectory in these parent
directories. The default behavior is to use the unix mode
specified when creating the directory. Enabling this
option sets the unix mode to 0777, thus guaranteeing that
default directory acls are propagated. Note that using the
VFS modules acl_xattr or acl_tdb which store native
Windows as meta-data will automatically turn this option
on for any share for which they are loaded, as they
require this option to emulate Windows ACLs correctly.
Default: inherit acls = no
inherit owner (S)
The ownership of new files and directories is normally
governed by effective uid of the connected user. This
option allows the Samba administrator to specify that
the ownership for new files and directories should be
controlled by the ownership of the parent directory.
Common scenarios where this behavior is useful is in
implementing drop-boxes where users can create and edit
files but not delete them and to ensure that newly
create files in a user's roaming profile directory are
actually owner by the user.
Default: inherit owner = no
inherit permissions (S)
The permissions on new files and directories are
normally governed by create mask, directory mask, force create
mode and force directory mode but the boolean
inherit permissions parameter overrides this.
New directories inherit the mode of the parent
directory, including bits such as setgid.
New files inherit their read/write bits from the
parent directory. Their execute bits continue to be
determined by map archive, map hidden and map system as usual.
Note that the setuid bit is never
set via inheritance (the code explicitly prohibits
this).
This can be particularly useful on large systems with
many users, perhaps several thousand, to allow a single
[homes] share to be used flexibly by each user.
Default: inherit permissions = no
On 05/20/2013 3:24 PM, ?icro MEGAS wrote:
That was a type error in my previous post, the line in my smb.conf is of course:
read only = No
Sun, 19 May 2013 14:58:39 +0400, ?icro MEGAS wrote:
Hello folks,
Samba 3.5.6 running and I have following share:
[public]
path = /data/public
read only = No
create mask = 0777
directory mask = 0777
directory security mask = 0750
vfs object = acl_xattr
nt acl support = yes
dos filemode = yes
My filesystem ext4 which is mounted to /data supports acl,user_xattr and
setfacl/getfacl works fine.
ls -ld /data/public shows unix mode 0755 with owner=admin and group="Domain
Users"
All users have full access to the share \\samba\public and therefore are
allowed to create,modify,delete directories and files. My aim is that I want to
have a directory called "special" which is in /data/public/special. Only
restricted users and groups are allowed full access to this directory, the
"Domain Users" should only be able to have read/execute rights, but no
write/delete rights on this directory+subdirs.
"/data/public" has no ACL set. Here's an output of my ACL I have set manually
with setfacl on this "special" directory. Only user "john" and "doe" and group
"foobar" have full access to this "special" directory, and "Domain Users" or
other should only have read rights.
root@samba:/data/public# getfacl special
# file: special/
# owner: admin
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---
When user "john", "doe" or anyone of group "foobar" creates a new directory
inside the special dir, it has following modes:
root@samba:/data/public/special# ls -l
drwxrwx-wx+ 2 john Domain Users 4096 19. Mai 12:43 newdir
==> This corresponds to unix mode 0773.
The ACL mode looks like that:
# file: newdir
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::rwx
group:foobar:rwx
mask::rwx
other::-wx
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---
==> This corresponds to ACL security mode 0773.
Where does this strange 0773 come from? I would like to have ACL security mode
0750 on all new directories and files created inside "special" directory. I
also have tried to use "force directory security mode = 0750" in my smb.conf
but that doesn't help either. I have realized another odd behaviour, too:
when user "john", "doe", or anyone of group "foobar" creates a new directory
and DON'T name it, it will be called "New Directory". This directory has
following ACLs:
root@samba:/data/public/special# getfacl New\ Directory
# file: New Directory
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---
This would be the correct ACL I want to have too, it corresponds to 0750. But
why is this applied only if a new directory is created through Windows
and not renamed to something else than the default directory name "New
Directory"? I don't understand that. Please anyone tell me how to set
correctly ACL mode 0750 for all the new dirs/files inside my special dir.
Any help appreciated. Thanks a lot in advance.
Lucas.
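An added check, not part of the original thread and not Samba's own code: it takes the default ACL of "special" and the access ACL of "newdir" as posted above, computes the mode that ls -l displays for the new directory, and lists the entries where the new directory grants more than the parent's default ACL. The function names are made up for this example.

```python
# Added example, not from the thread. Input is getfacl text excerpted from the post.
PARENT_DEFAULT = """\
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---
"""
NEWDIR_ACCESS = """\
user::rwx
user:john:rwx
user:doe:rwx
group::rwx
group:foobar:rwx
mask::rwx
other::-wx
"""
def parse_getfacl(text):
    """Split getfacl output into (access, default) maps of 'tag:qualifier' -> perms."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[f"{tag}:{qualifier}"] = perms
    return access, default

def triplet(perms):  # 'r-x' -> 5
    return sum(bit for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if ch in perms)
def mode_bits(access):
    """Mode as ls -l shows it; when a mask entry exists the group bits show the mask."""
    group = access.get("mask:", access["group:"])
    return triplet(access["user:"]) << 6 | triplet(group) << 3 | triplet(access["other:"])

def widened(parent_default, child_access):
    """Entries where the child grants bits the parent's default ACL does not."""
    return {key: (parent_default.get(key, "---"), perms)
            for key, perms in child_access.items()
            if triplet(perms) & ~triplet(parent_default.get(key, "---"))}
parent_default = parse_getfacl(PARENT_DEFAULT)[1]
newdir_access = parse_getfacl(NEWDIR_ACCESS)[0]
print(oct(mode_bits(newdir_access)), widened(parent_default, newdir_access))
```

Fed with real `getfacl` output for a parent and each child, a non-empty result from `widened` flags directories whose access ACL drifted from the inherited default.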