[Pkg-samba-maint] Bug#620254: Directory ACLs can't be set from Windows.

Adam Buchbinder adam.buchbinder at gmail.com
Thu Mar 31 15:29:54 UTC 2011

Package: samba
Version: 2:3.5.6~dfsg-3squeeze2
Severity: normal

I've set up a share with ACLs enabled (the filesystem has options 'acl'
and 'user_xattr' enabled). From a Windows (XP SP3) machine accessing the
share, I can edit permissions on files, but directory permissions are
odd. There are 'CREATOR OWNER' and 'CREATOR GROUP' ACL entries appearing
in addition to the actual owner and group entries, which show up by
name. Attempting to edit the ACLs on a directory from the Security tab
on the properties dialog yields a "the parameter is invalid" error.

There are two upstream bugzilla entries which look relevant, one of
which has a patch.


Much more detail is available on the mailing list, here; the code which
translates POSIX ACLs into NT-style ones generates invalid code for
directories, which is why Windows can't set them properly.


The upstream patch fixes that particular issue, but I'm not sure it does
so in the exact right way; there are other issues with ACLs on
directories, and I don't know whether they're part of the same problem
or not. For instance, the 'CREATOR OWNER' ACE applies to 'Subfolders and
files only', while the ACE with the actual username on it applies to
'This folder only'. Even if I'm in a group that (via an ACE) has full
access, I can't change permissions on the directory unless I actually
take ownership of it first (which I *can* do via the Security tab).

Regardless of the rest of the issues, the upstream patch should at least
be tested. I added it to 2:3.5.6~dfsg-3squeeze2, and I can at least edit
(some) directory ACLs in some ways, which is a distinct improvement over
the current situation.

Please let me know if there's any sort of testing I can do to help work
this out.

Adam Buchbinder

More information about the Pkg-samba-maint mailing list