hi john,

On Fri, 04 Apr 2008 09:12:38 -0400 John Drescher <[EMAIL PROTECTED]> wrote:
> On Fri, Apr 4, 2008 at 7:39 AM, toni <[EMAIL PROTECTED]> wrote:
> > hi,
> >
> > i'm experiencing a strange behaviour when setting ACL from Windows
> > XP clients (server is BDC with LDAP) after migrating service from
> > SLES 9.3 to SLES 10.1:
> >
> > i can't set ACL to a folder to give access to individual users
> > without allowing the group of the creator. step by step, i tried to
> > remove group permissions (which worked fine) but, when i add
> > permissions to other users, group permissions become effective for
> > the group in the directory (but not in its subfolders)
> >
> > the correct behaviour is that i can allow access to several users
> > without access for the group, and this was working after the
> > migration.
> >
> > it could be a different ACL behaviour between SLES 9 (Samba
> > 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba
> > 3.0.28-0.2-1625-SUSE-CODE10)?
> >
> > how can i get ACL working if so?
> >
> > write list = @GROUP1
> > read list = @GROUP1
> > force group = GROUP1
> > valid users = @GROUP1, @"Domain Admins"
>
> It may be just my testing but I have found when you force things like
> this (and don't just use the unix file system permissions to do the
> same thing) the acls do not work as expected.

i don't understand what you mean with "just use the unix file system
permissions":

    # ls -l /data
    total 4
    drwxrwx--- 6 root GROUP1_W 4096 Apr 4 15:20 test

filesystem is ext3 (also tested with xfs with same result) with acl
enabled (of course)

more information, in some shares i'm using readonly and readwrite groups:

    write list = @GROUP1_W
    read list = @GROUP1_R
    force group = GROUP1_W
    valid users = @GROUP1_R, @GROUP1_W, @"Domain Admins"

i need to use 'force group' to ensure that users in the same (readwrite)
group get access to every file created by any other group member in the
share.
example of an operation:

* create a folder inside this share (no ACL in the newly created folder)

    $ getfacl /data/test/folder
    # file: data/test/folder
    # owner: USER1
    # group: GROUP1_W
    user::rwx
    group::rwx
    other::---

* remove group permissions via Windows XP ACL editor (must be done
  denying every Windows ACL for the group):

    $ getfacl /data/test/folder
    # file: data/test/folder
    # owner: USER1
    # group: GROUP1_W
    user::rwx
    user:root:rwx
    group::---
    mask::rwx
    other::---
    default:user::rwx
    default:group::---
    default:other::---

* add permissions for USER2:

    $ getfacl /data/test/folder
    # file: data/test/folder
    # owner: USER1
    # group: GROUP1_W
    user::rwx
    user:root:rwx
    user:USER2:r-x
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:USER2:r-x
    default:group::---
    default:mask::rwx
    default:other::---

as you can see, group permissions 'come back' after adding permission
for USER2!

i recall this was working with samba on SLES 9.3, so i think it may be
possible on a newer version of samba 3.0.20b (from SLES 9.3)

thanks,
toni

> John
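Added example, not part of the original message: a small Python check that compares the second and third getfacl snapshots quoted above and separates newly added entries from existing entries whose permissions widened. The function names `parse_acl` and `acl_changes` are hypothetical, chosen for this illustration.

```python
# Added example (not from the original message): diff two getfacl snapshots.
# Entries copied from the output quoted above; "# file/owner/group" headers omitted.
BEFORE = """\
user::rwx
user:root:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:group::---
default:other::---
"""
AFTER = """\
user::rwx
user:root:rwx
user:USER2:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:USER2:r-x
default:group::---
default:mask::rwx
default:other::---
"""

def parse_acl(text):
    """Return {entry: set of permission letters}, e.g. {'user:root': {'r','w','x'}}."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if line:
            entry, perms = line.rsplit(":", 1)
            acl[entry] = set(perms) - {"-"}
    return acl

def acl_changes(before, after):
    """Return (new entries, {existing entry: permissions it gained})."""
    old, new = parse_acl(before), parse_acl(after)
    added = sorted(e for e in new if e not in old)
    widened = {e: "".join(sorted(new[e] - old[e]))
               for e in new if e in old and new[e] - old[e]}
    return added, widened

if __name__ == "__main__":
    added, widened = acl_changes(BEFORE, AFTER)
    print("new entries:", added)
    print("widened    :", widened)
```

Run against the two snapshots, the only existing entry that widens is the owning group (`group:` gains `rwx`), while the USER2 and default mask entries are new.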