According to the smb.conf man page, the "dos filemode" parameter will allow a 
user who is not the owner of a file to affect permissions changes on a file or 
folder provided he has write access to that object.  This does not appear to be 
the case.  Users with write access via user or group ACEs receive an "Access 
denied" error when attempting to make ACL changes via Windows, accompanied by 
an "operation not permitted" error in the client's log file on the file server.

Example
Share "testshare" is created with the following entry in the smb.conf:

[testshare]
        comment = test share
        path = /export/data/testshare
        read only = no
        store dos attributes = yes
        dos filemode = yes

An empty folder called test is created and the following ACL is applied :  

# file: test
# owner: daniel
# group: sys
user::rwx
user:scott:rwx
user:daniel:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:scott:rwx
default:user:daniel:rwx
default:group::rwx
default:group:sys:rwx
default:mask::rwx
default:other::---

User daniel (the folder's owner) has write access to the folder and can modify 
the ACL.  User scott also has write access to the folder due to his entry in 
the ACL.  He can write to the folder, but cannot modify the ACL or alter any 
individual ACEs.  This is the same behavior seen with the "dos filemode" 
parameter disabled.  I've also tried opening up the permissions completely by 
chmod'ing the directory to 0777 and adjusting the ACL with no positive effect.  
In all cases, only the owner can adjust the ACL.

Here's an example of the error in the client log (log level 10)

[2005/11/09 09:53:55, 2] smbd/posix_acls.c:set_canon_ace_list(2486)
  set_canon_ace_list: sys_acl_set_file type file failed for file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/posix_acls.c:set_nt_acl(3205)
  set_nt_acl: failed to set file acl on file test (Operation not permitted).
[2005/11/09 09:53:55, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

I've also noticed that the read-only flag is "half checked" (the in-between state 
of a tri-mode flag) on the folder (in the properties dialog), indicating that 
some of the items underneath are read only and some are not.  How can this be, 
since the folder is empty?  Changing this flag, either as user daniel or scott, 
does not have any permanent effect, though user scott does NOT receive an 
access denied message when he attempts to change it.


acls and user_xattrs are set in the fstab and have been tested, and ldd run on 
smbd reveals that libacl and libattr have been compiled in.  All test systems 
were members of an AD domain but joined as pre-win2k clients.  The smb.conf is 
included below.

I've seen the described behavior on the following configurations :

Kernel                  Samba Rev.              Filesystem
Linux 2.6.5 (x86_64)    3.0.14a                 ReiserFS
Linux 2.6.5 (x86_64)    3.0.9                   ReiserFS
Linux 2.6.5 (i386)      3.0.14a                 ReiserFS
Linux 2.6.5 (i386)      3.0.20b                 ext3

Any thoughts?

Thanks,
Scott F. Crosby

[global]
        workgroup = ADDOMAIN
        server string = Test Samba Server

        map to guest = Bad User
        host msdfs = yes

        smb passwd file = /etc/samba/smbpasswd
        security = domain
        encrypt passwords = yes
        #password server = *
        password server = 192.168.100.10 192.168.100.11
        wins server = 192.168.100.10 192.168.100.11

        log file = /var/log/samba/log.%m
        log level = 3
        max log size = 4096

        local master = no
        dns proxy = no

        load printers = yes
        printing = cups
        printcap name = cups
        printer admin = @domadmin

[print$]
        comment = Printer Drivers
        path = /etc/samba/drivers
        browseable = yes
        guest ok = yes
        read only = yes
        write list = @domadmin

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[test]
        comment = test
        path = /export/data/test
        read only = no
        store dos attributes = yes
        dos filemode = yes

