[Pkg-samba-maint] Bug#567095: Samba does not correctly set named ACL for owning group and user
Marco Gaiarin
gaio at sv.lnf.it
Wed Jan 27 09:48:46 UTC 2010
Package: samba
Version: 2:3.2.5-4lenny6
Severity: grave
I'm using a plain lenny, freshly updated, standard kernel on amd64 (but I
think that does not matter).
After upgrading from etch to lenny I've received many complaints from my
users that files were no longer accessible, particularly on complex shares
where more than one group has to read and write files.
I'm using samba in a domain as PDC, with a share:
[Users]
comment = Spazio Utente
path = /srv/users
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes
store dos attributes = Yes
volume = Users
dos filemode = Yes
In etch (samba 3.0.24), if I set ACLs for a folder, the owning user and
group (the unix ones) are duplicated as default 'named' ACLs:
mouse:/srv/users/Prova# getfacl .
# file: .
# owner: root
# group: SANVITO\134ced
user::rwx
group::rwx
group:labinfo:rwx
group:SANVITO\134centralino:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:labinfo:rwx
default:group:SANVITO\134ced:rwx
default:group:SANVITO\134centralino:rwx
default:mask::rwx
default:other::---
Note that the folder is owned by 'SANVITO\134ced' and there's a
default named ACL for 'SANVITO\134ced', the row
'default:group:SANVITO\134ced:rwx'; it can be obtained easily using
'folder, subfolders and files' as ACL scope in windows explorer.
In lenny's samba, instead, there's no such entry, so the ACLs are:
neuromante:/srv/users/Prova# getfacl .
# file: .
# owner: root
# group: ced
user::rwx
group::rwx
group:centrali:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:centrali:rwx
default:mask::rwx
default:other::---
Note that there's an (unnamed) default ACL entry of 'default:group::rwx'
but no default named ACL entry like 'default:group:ced:rwx' for the
owning group 'ced'.
In this way every file created in this folder by a user in the
'centralino' group gets owned by 'centralino' and the 'ced' ACLs are not
propagated.
Moreover, if in windows explorer I try to force the ACL for 'ced' to
'folder, subfolders and files' there's no way to set it; it is not
applied.
After some tests, some questions on the samba italian lists, some googling and
digging, especially on the debian and samba BTS, it seems that the trouble
was identified and fixed in the latest 3.4 and 3.5 versions, see:
https://bugzilla.samba.org/show_bug.cgi?id=6878
This bug speaks about users, not groups, but it's the same...
I'm starting to code a simple script to run at night that will add a
'named default acl' for every folder as a temporary countermeasure, but
this seems really a grave functionality bug and I hope the debian samba
team will backport and apply the fix to 3.2.
Many thanks.
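
The check behind the nightly countermeasure mentioned in the report, as an added example (not the reporter's script and not Samba code): it parses getfacl output, detects a missing named default entry for the owning group, and builds the setfacl line that would add it. Assumptions: the function names are hypothetical, the new entry reuses the permissions of the access 'group::' entry, and the group name is passed on in the escaped form getfacl printed.

```python
import shlex

# getfacl output for the lenny directory, copied from the report above.
LENNY = r"""# file: .
# owner: root
# group: ced
user::rwx
group::rwx
group:centrali:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:centrali:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owning_group, access_entries, default_entries)."""
    group, access, default = None, {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split()[0]          # drop a trailing "#effective:" note
        target = access
        if entry.startswith("default:"):
            entry, target = entry[len("default:"):], default
        tag, rest = entry.split(":", 1)
        name, perms = rest.rsplit(":", 1)
        target[(tag, name)] = perms
    return group, access, default

def missing_owner_group_default(text):
    """Named default entry for the owning group, or None if already present."""
    group, access, default = parse_getfacl(text)
    if group is None or ("group", group) in default:
        return None
    # Assumption: reuse the access permissions of the unnamed group:: entry.
    return f"default:group:{group}:{access.get(('group', ''), '---')}"

def setfacl_command(path, text):
    """Shell-quoted setfacl line that adds the missing entry, or None."""
    entry = missing_owner_group_default(text)
    return entry and f"setfacl -m {shlex.quote(entry)} {shlex.quote(path)}"

if __name__ == "__main__":
    print(setfacl_command("/srv/users/Prova", LENNY))
```

Run against the etch listing from the report, the same check finds the 'default:group:SANVITO\134ced:rwx' row and proposes nothing.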