Samba / Windows ACL mapping problem.

[Geoff]

I'm having fun trying to setup my ACLs here so that they do what I want. Currently I'm doing the ACLs for the staff area.

The filesystem has EA/ACL support (it's jfs). The following samba global settings are enabled:

Code:

# Enable ACLs

  inherit permissions = yes
  inherit owner = yes
  map acl inherit = yes
  nt acl support = yes
  ea support = yes
  store dos attributes = yes

The share is setup as follows:

Code:

[staff$]
   comment = Staff Share
   read only = no
   path = /home/staff
   guest ok = no
   hide unreadable = yes
   admin users = @"domain admins", administrator
   hide files = /*quota.*/
   veto files = /*.bat/*.cmd/*.com/*.exe/*.vbs/*.msi/*.pif/*.reg/
   vfs objects = default_quota

I want the following setup:

all_staff has read access /home/staff (and is group owner) and r/w to /home/staff/* (and is group owner)
<username> has r/w to /home/staff/<username> and owns the directory (for quotas)
root,administrator and domain admins have full rights to /home/staff

I concocted the following script to set the permissions:

Code:

cd /home/staff

#*nix permissions
chown administrator:all_staff .
chmod  740 .
ls -l | grep "^d" | awk -F" " '{print "chown -v -R "tolower($9)" "$9}' | sh
ls -l | grep "^d" | awk -F" " '{print "chgrp -v -R all_staff "$9}' | sh
ls -l | grep "^d" | awk -F" " '{print "chmod -v -R 660 "$8}' | sh

#Extended ACLs
setfacl -R -b .
setfacl -R -m u:administrator:rwx .
setfacl -R -m g:"domain admins":rwx .
setfacl -R -m u:root:rwx .

However, when users browse their my documents they cannot see their files. Inspecting the ACLs from Windows reveals that users have no right to delete or directory traversal. What have I missed?

[Ric_]

Because Windows uses the x bit for directory traversal, don't you need to chmod to 670? I know you mentioned something in the chat about it breaking Samba security mind.

Are you not able to stick full control for an admin on the folder and then alter the permissions from a Windows machine?

[Geoff]

Quote:

Originally Posted by Ric_

Because Windows uses the x bit for directory traversal, don't you need to chmod to 670? I know you mentioned something in the chat about it breaking Samba security mind.

My understanding is that samba maps execute to full control?

Quote:

Are you not able to stick full control for an admin on the folder and then alter the permissions from a Windows machine?

No, any attempt to alter the permissions from the windows side gets me a permission denied error. I have no idea why, as Administrator/Domain Admins are listed as having full control...

[CyberNerd]

Code:

ls -l | grep "^d" | awk -F" " '{print "chmod -v -R 660 "$8}' | sh

660 Denies the user execute permissions on the directory, does this then get inherited? try 770

[Geoff]

If I set execute permissions, as I explained above, it means they get full control and can start fiddling with the ACLs.

[CyberNerd]

I see, I figured the nt mapping was done to an acl, rather than the unix rwx bits.

[Geoff]

I'm going to set:

Code:

acl map full control = no

and see if that helps.

[solemnwarning]

The problem with not giving them the exec bit is that under UNIX systems permission to read the contents of a directory is granted by the exec bit for some reason, so no exec permission = can't read dir.