Author Topic: POSIX ACL Bug Issue in Zentyal 4.1  (Read 2630 times)

adhidash

  • Zen Apprentice
  • *
  • Posts: 16
  • Karma: +0/-0
POSIX ACL Bug Issue in Zentyal 4.1
« on: August 06, 2015, 06:40:11 am »
Hi, I've been a user of Zentyal for the past 3 months.

Recently I tried to change my POSIX ACLs according to our needs.
There are 3 folders: FolderA, FolderB, FolderC
and we have 3 users: userA (admin), userB, userC

FolderA is set to public (rwx mode), so:
setfacl -Rm u:userA:rwx, u:userB:rwx, u:userC:rwx FolderA
and it runs OK :D !

FolderB is set to private (rw- mode for userB, r-x mode for userC), so:
setfacl -Rm u:userA:rwx, u:userB:rw-, u:userC:r-x FolderB
and the problem begins :(

userA can read, write and execute, which is normal :)

userB is supposed to be able to read and write,
but when I check on an Ubuntu client computer, userB can only read and execute (no write!) :(

userC is supposed to be able to read and execute,
and when I test it, it is normal :)

I tried to replicate this issue in FolderC (restricted),
where userA has rwx, and userB and userC have r-- only!
so:
setfacl -Rm user:userA:rwx, user:userB:r--, user:userC:r-- FolderC

then eventually the folder is accessible for userA,
but userB and userC can read and execute (but not write)! :(

Why?

When I check on the Zentyal server using getfacl FolderC,
the permissions are correct, that is:
# file: FolderC
# owner: administrator
# group: adm
user::rwx
user:administrator:rwx
user:userA:rwx
user:userB:r--
user:userC:r--
group::rwx
group:adm:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:userA:rwx
default:user:userB:r--
default:user:userC:r--
default:group::---
default:group:adm:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---


I've followed others' suggestions such as
https://forum.zentyal.org/index.php/topic,21392.msg82374.html

that is, to uncomment "unmanaged_acls = yes" in /etc/zentyal/samba.conf
But the problem remains!

Is there any solution for this? Could someone help me out here?
I'd very much appreciate it.
« Last Edit: August 06, 2015, 07:07:12 am by adhidash »

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #1 on: August 12, 2015, 06:57:05 pm »
Don't look at the POSIX ACLs but at the NT ACLs, which you can view using samba-tool ntacl get /path/to/file

They are not easy to read, so you will probably want to use the --as-sddl parameter and read the SDDL format documentation

adhidash

Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #2 on: August 13, 2015, 01:21:58 pm »
Thanks for your response,

actually I would still need POSIX ACLs because there are many folders on our server that need to sync along with their user/group accessibility, since we are using CIFS for our mixed clients (Ubuntu and Windows)

so far I've managed to create a kind of bash script to do this task automatically just by reading the database,
unfortunately either the parameter is incorrect or there is actually a bug that restricts me from writing.

so yeah, I'm still waiting for an answer...  ;D

expertgeeks

  • Forum Moderator
  • Zen Warrior
  • *****
  • Posts: 124
  • Karma: +11/-0
Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #3 on: August 24, 2015, 06:50:28 pm »
Did you manage to get this to work, adhidash? I had a problem where the files were copied directly into the shared folders
Code:
cp -R /source/folder /home/samba/share/folder
and this stopped samba from being able to set the ACLs, resulting in lots of these sorts of errors in zentyal.log;

Code:
2015/08/24 15:03:46 ERROR> Samba.pm:1045 EBox::Samba::_postServiceHook - Error setting security descriptor on file <FILENAME>: Failed to open: NT_STATUS_ACCESS_DENIED at /usr/share/perl5/EBox/Samba.pm line 1043, <GEN0> line 2356.
I manually copied the ACLs from a working folder;
Code:
getfacl WORKING_FOLDER > acl
setfacl -M acl -R BROKEN_FOLDER
to these broken folders but Zentyal kept logging the same errors when ticking/unticking 'Apply ACLs recursively' in the GUI.

I tried using samba-tool that you recommended jbahillo, but couldn't work out how to copy ACLs using
Code:
samba-tool ntacl
The man page for samba-tool ntacl is pretty enigmatic  ;)

Unsatisfying fix was to copy the data out of the samba shared folder, chown source folder, delete source and then copy it back.. I'd like to learn how to properly fix ACLs in Zentyal from shell commands :)

jbahillo

Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #4 on: August 24, 2015, 06:57:22 pm »
Hello expertgeeks:

Perhaps this document may help you to understand SDDL syntax and how to build an SDDL string.
Particularly useful for learning is doing a samba-tool ntacl get <file> --as-sddl and checking that you can understand it with the help of that document, and the relation of SIDs (which you can build with sam.ldb and idmap.ldb)

Here's the doc:

http://www.netid.washington.edu/documentation/domains/sddl.aspx
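
Added example, not part of the original thread and not Zentyal or Samba code: a small Python decoder for the DACL part of an SDDL string, so each ACE can be compared with the rwx entries that getfacl shows. The sample string and its SIDs are constructed, and the rights table covers only a few common codes.

```python
import re

# File access-mask bits; on directories the same bits mean list / add file / traverse.
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x0001, 0x0002, 0x0020
RIGHT_CODES = {
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}
GENERIC_TO_FILE = {0x10000000: 0x001F01FF, 0x80000000: 0x00120089,
                   0x40000000: 0x00120116, 0x20000000: 0x001200A0}

def parse_rights(field):
    """SDDL rights field (hex mask or two-letter codes) -> file access mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for code in re.findall("..", field):
            mask |= RIGHT_CODES[code]  # KeyError: code not in this small table
    for generic, specific in GENERIC_TO_FILE.items():
        if mask & generic:             # expand generic bits to file-specific ones
            mask = (mask & ~generic) | specific
    return mask

def rwx(mask):
    """Approximate an access mask as a POSIX-style rwx string."""
    bits = (("r", FILE_READ_DATA), ("w", FILE_WRITE_DATA), ("x", FILE_EXECUTE))
    return "".join(ch if mask & bit else "-" for ch, bit in bits)

def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        return "", []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append({"type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
                     "flags": re.findall("..", flags),  # e.g. OI, CI, ID
                     "sid": sid, "rwx": rwx(parse_rights(rights))})
    return m.group(1), aces

# Constructed sample, shaped like `samba-tool ntacl get <file> --as-sddl` output.
SAMPLE = ("O:S-1-5-21-1-2-3-500G:DUD:AI"
          "(A;OICI;0x001f01ff;;;S-1-5-21-1-2-3-1104)"
          "(A;OICIID;0x001200a9;;;S-1-5-21-1-2-3-1105)"
          "(D;;FW;;;S-1-5-21-1-2-3-1106)")

if __name__ == "__main__":
    print(parse_dacl(SAMPLE))
```

The decoder leaves SIDs as they are; mapping them to user names still needs the domain's own databases, as the reply above says.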

expertgeeks

Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #5 on: August 24, 2015, 07:06:28 pm »
Thanks very much jbahillo, that's given me something to work on !

As I got your reply I came across this post showing how to copy ntacls to a file and then apply to folders.. but I'll look into this further. Cheers.

jbahillo

Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #6 on: August 24, 2015, 07:12:06 pm »
Please keep in mind that the samba-tool command is not recursive, and therefore, if you apply it to a folder, it won't be applied to files inside it nor to subfolders inside it. Some time ago I wrote a small script in Python which allows running samba-tool ntacl on every file under a given path. You may find it on my personal blog here:

http://www.jbahillo.com/new-script-set-sysvol-perm/
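
Added example, not the script from the blog linked above and not part of the original thread: one way to work around the non-recursive behaviour, by walking a tree and issuing one `samba-tool ntacl set` per entry. The function names are hypothetical, and it assumes `samba-tool ntacl get <path> --as-sddl` prints only the SDDL string.

```python
import os
import subprocess


def get_sddl(path):
    """Read the NT ACL of one path as SDDL (assumes the output is just the string)."""
    out = subprocess.run(["samba-tool", "ntacl", "get", path, "--as-sddl"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def ntacl_set_commands(root, sddl):
    """Yield one `samba-tool ntacl set` argv for root and every entry below it."""
    yield ["samba-tool", "ntacl", "set", sddl, root]
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in dirnames + sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):         # never touch or follow symlinks
                continue
            yield ["samba-tool", "ntacl", "set", sddl, full]


def apply_recursive(root, sddl, dry_run=True):
    """Print the commands (dry run) or execute them; return paths that failed."""
    failed = []
    for argv in ntacl_set_commands(root, sddl):
        if dry_run:
            print(" ".join(argv))
        elif subprocess.run(argv).returncode != 0:
            failed.append(argv[-1])
    return failed


if __name__ == "__main__":
    # Placeholder paths: copy the descriptor of a known-good folder onto a broken one.
    apply_recursive("BROKEN_FOLDER", get_sddl("WORKING_FOLDER"), dry_run=True)
```

The same descriptor is written to files and directories alike, so check the result on a single file with `samba-tool ntacl get <file> --as-sddl` before running it with `dry_run=False` over a whole share.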

expertgeeks

Re: POSIX ACL Bug Issue in Zentyal 4.1
« Reply #7 on: August 24, 2015, 09:20:11 pm »
That's really helpful. Thanks!