Hi guys,
We are using Samba 3.0.4 as a domain member server (security=ADS) in our Active Directory domain. In order not to compromise social peace, we use POSIX ACLs in conjunction with the hide unreadable option to hide folders/files from users.
I'll show you an example to explain the problem:
I'm the user "SCHARRNET+M006U122" (SCHARRNET=domain suffix). I'm connecting to a share (in our example Rechnungswesen) which contains 2 folders: Buchhaltung and Controlling.
Here are the ACLs of these two folders:
# file: Controlling
# owner: root
# group: SCHARRNET+Domänen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
mask::rwx
other::---
default:user::rwx
default:user:SCHARRNET+Administrator:rwx
default:group::---
default:group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
default:mask::rwx
default:other::---

# file: Buchhaltung
# owner: root
# group: SCHARRNET+Domänen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
user:SCHARRNET+m006u122:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:SCHARRNET+Administrator:rwx
default:user:SCHARRNET+m006u122:rwx
default:group::---
default:group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
default:mask::rwx
default:other::---
Because I'm a member of the group "SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling", I can see the folder Controlling. But I can't see the folder Buchhaltung although I have an entry in the ACL of this folder. If I disable hide unreadable, I can see and access the folder. Only domain member PCs are affected by this problem.
We've designed some workarounds to this problem:
1. Downgrade the domain membership from security=ADS to security=DOMAIN, then the ACLs work perfectly with the hide unreadable option.
2. Use the IP address of the Samba server instead of the hostname to connect from a domain member PC to the share (\\192.168.239.143\Rechnungswesen).
Here is some information about our Samba server:
OS: SuSE Linux Standard Server 8 (based on SLES8) / Kernel 2.4.21-138
Version samba: 3.0.4 (3.0.6 is affected too, we tested it)
Filesystem for data storage: XFS
smb.conf:
[global]
unix charset = ISO8859-15
display charset = ISO8859-15
workgroup = SCHARRNET
realm = SCHARRNET.DE
server string =
security = ADS
password server = maire.scharrnet.de, maitre.scharrnet.de
log level = 2
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
os level = 2
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /data/home/%U
winbind separator = +

[Rechnungswesen]
comment = Abteilungslaufwerk Rechnungswesen auf %L
path = /data/abt/Rechnungswesen
read only = No
create mask = 0660
directory mask = 0770
hide unreadable = Yes
browseable = No
volume = DATA
dos filetimes = Yes
dos filetime resolution = Yes
fake directory create times = Yes

This seems to be a real bug, isn't it?
Regards
Thorsten
--
Thorsten Leiser
IT-Systembetreuung
FRIEDRICH SCHARR KG
Liebknechtstrasse 50
70565 Stuttgart-Vaihingen
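
For reference, the standard POSIX ACL access-check order (owner, named user, matching groups, other) applied to the two ACLs quoted in the post. This is an added example, not part of the original message and not Samba code. It assumes names are matched case-insensitively in place of the uids/gids the kernel compares; the function names are hypothetical.

```python
ACLS = {  # added example; access entries copied from the post, default: entries left out
    "Controlling": """# owner: root
# group: SCHARRNET+Domänen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Controlling:rwx
mask::rwx
other::---""",
    "Buchhaltung": """# owner: root
# group: SCHARRNET+Domänen-Benutzer
user::rwx
user:SCHARRNET+Administrator:rwx
user:SCHARRNET+m006u122:rwx
group::---
group:SCHARRNET+Mandant 001 Scharr_Stuttgart_Buchhaltung:rwx
mask::rwx
other::---""",
}

def parse_getfacl(text):
    # Assumption: names are compared case-folded; the kernel compares uids/gids.
    meta, entries = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip().casefold()
        elif not line.startswith("default:"):   # default: entries only seed new children
            tag, rest = line.split(":", 1)
            qualifier, perms = rest.rsplit(":", 1)
            entries.append((tag, qualifier.casefold(), perms))
    return meta["owner"], meta["group"], entries

def grants(perms, want, mask="rwx"):
    return all(c in perms and c in mask for c in want)

def may_access(text, user, groups, want="r"):
    owner, owning_group, entries = parse_getfacl(text)
    user, groups = user.casefold(), {g.casefold() for g in groups}
    def pick(tag, ok=lambda q: True):
        return [p for t, q, p in entries if t == tag and ok(q)]
    mask = (pick("mask") or ["rwx"])[0]
    if user == owner:                        # 1. owner: user:: entry, mask not applied
        return grants(pick("user", lambda q: not q)[0], want)
    hits = pick("user", lambda q: q == user) or pick(
        "group", lambda q: q in groups or (not q and owning_group in groups))
    if hits:  # 2. named user entry, else 3. matching group entries; limited by mask
        return any(grants(p, want, mask) for p in hits)
    return grants(pick("other")[0], want)    # 4. everyone else
```

Called with the user "SCHARRNET+M006U122" and the Controlling group, `may_access` returns True for both folders: Controlling through the named group entry and Buchhaltung through the named user entry.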
