Bug 1005559

Summary: Samba treats delete permissions differently than Windows ACLs
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Lalatendu Mohanty <lmohanty>
Component: samba
Assignee: Jose A. Rivera <jarrpa>
Status: CLOSED EOL
QA Contact: Lalatendu Mohanty <lmohanty>
Severity: medium
Priority: high
Version: 2.1
CC: dpal, rjoseph, sbhaloth
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: ntacl
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-12-03 17:13:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Lalatendu Mohanty 2013-09-08 11:38:07 UTC
Description of problem:

Samba treats delete permissions differently than Windows ACLs.

In Windows:

You can give a user group "read", "list folder contents" and "read & execute" + "delete subfolders and files", "delete" on a directory, and any user in the user group can delete files and subfolders inside the directory.

But the same is not applicable for samba shares of XFS or glusterfs. With the above permissions on a samba share, the effective permission becomes "read", "list folder contents" and "read & execute". 

The current ACL implementation for samba+glusterfs does not give delete permission to a user/group without write + modify permission or full control, which may be correct from a POSIX point of view but not from a Windows ACL point of view.

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:

You can give a user group (e.g. ug1) "read, list folder contents and read & execute" + "delete subfolders and files, delete" on a directory and

1. Mount a samba share on a win7 client
2. As User1, create a directory and a file inside it.
3. As User1, give "read, list folder contents and read & execute" + "delete subfolders and files, delete" to User2/Usergroup2.

4. As User2 try to delete the file.

Actual results:

It doesn't give permission to delete the file.

Expected results:

It should allow deletion of the file.

Additional info:

[root@bvt-rhs1 cifs]# rpm -qa | grep 'samba\|glusterfs'
samba-doc-3.6.9-160.3.el6rhs.x86_64
glusterfs-fuse-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-api-3.4.0.32rhs-1.el6rhs.x86_64
samba-winbind-3.6.9-160.3.el6rhs.x86_64
samba-glusterfs-3.6.9-160.3.el6rhs.x86_64
glusterfs-3.4.0.32rhs-1.el6rhs.x86_64
samba-swat-3.6.9-160.3.el6rhs.x86_64
samba-winbind-krb5-locator-3.6.9-160.3.el6rhs.x86_64
samba-domainjoin-gui-3.6.9-160.3.el6rhs.x86_64
glusterfs-geo-replication-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-rdma-3.4.0.32rhs-1.el6rhs.x86_64
samba-common-3.6.9-160.3.el6rhs.x86_64
samba-3.6.9-160.3.el6rhs.x86_64
samba-client-3.6.9-160.3.el6rhs.x86_64
samba-winbind-devel-3.6.9-160.3.el6rhs.x86_64
glusterfs-libs-3.4.0.32rhs-1.el6rhs.x86_64
glusterfs-server-3.4.0.32rhs-1.el6rhs.x86_64
samba4-libs-4.0.0-55.el6.rc4.x86_64
samba-winbind-clients-3.6.9-160.3.el6rhs.x86_64

Comment 2 Christopher R. Hertel 2013-10-02 19:08:52 UTC
This may be due to the translation between NTFS and POSIX ACLs.  This should be tested again when the vfs_acl_xattr module is loaded to see if the behavior changes.  Conversion from NTFS ACLs to POSIX and back again will cause a loss of ACL information.
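
The difference described in the report, and the round-trip loss mentioned in Comment 2, modelled as an added example that is not part of the original bug report and is not Samba's code. The NT-to-POSIX mapping functions are a simplified assumption made for illustration; the access-mask values are the standard Windows ones.

```python
# NT access-mask bits (Windows SDK values), directory meanings.
FILE_LIST_DIRECTORY = 0x0001
FILE_ADD_FILE       = 0x0002
FILE_TRAVERSE       = 0x0020
FILE_DELETE_CHILD   = 0x0040      # "delete subfolders and files"
DELETE              = 0x00010000  # "delete"

# Constructed sample: the grant from the report, reduced to the bits that matter.
BUG_GRANT = FILE_LIST_DIRECTORY | FILE_TRAVERSE | FILE_DELETE_CHILD | DELETE

def windows_can_delete(parent_mask, file_mask):
    """Windows: DELETE on the file, or FILE_DELETE_CHILD on its parent directory."""
    return bool(file_mask & DELETE or parent_mask & FILE_DELETE_CHILD)

def nt_to_posix(mask):
    """Assumed simplified mapping to (r, w, x); the delete bits have no rwx slot."""
    return (bool(mask & FILE_LIST_DIRECTORY),
            bool(mask & FILE_ADD_FILE),
            bool(mask & FILE_TRAVERSE))

def posix_to_nt(rwx):
    """Assumed reverse mapping; w on a directory is what lets POSIX remove entries."""
    r, w, x = rwx
    mask = FILE_LIST_DIRECTORY if r else 0
    mask |= (FILE_ADD_FILE | FILE_DELETE_CHILD) if w else 0
    mask |= FILE_TRAVERSE if x else 0
    return mask

def posix_can_delete(parent_rwx):
    """POSIX unlink(): write + search on the parent; the file's own mode is not consulted.
    Sticky-bit and superuser rules are left out of this model."""
    _, w, x = parent_rwx
    return w and x

def lost_bits(mask):
    """Bits that do not survive NT -> POSIX -> NT."""
    return mask & ~posix_to_nt(nt_to_posix(mask))

if __name__ == "__main__":
    rwx = nt_to_posix(BUG_GRANT)
    print("Windows allows delete:", windows_can_delete(BUG_GRANT, BUG_GRANT))
    print("POSIX mode bits (r, w, x):", rwx)
    print("POSIX allows delete:", posix_can_delete(rwx))
    print("Lost in round trip: 0x%08x" % lost_bits(BUG_GRANT))
```
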

Comment 3 Ira Cooper 2014-09-03 12:39:18 UTC
We're working on upgrading samba, assigning to Jose as part of that project, may be reassigned.

Comment 4 Vivek Agarwal 2015-12-03 17:13:12 UTC
Thank you for submitting this issue for consideration in Red Hat Gluster Storage. The release for which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/rhs/

If you can reproduce this bug against a currently maintained version of Red Hat Gluster Storage, please feel free to file a new report against the current release.