samba - Jul 2011 - Help! permission denied when accessing folder

Hi all,

Running samba 3.5.5 in a Solaris non-global zone. I have created a folder
(StudentJobApplications) on a share  which I want to make accessible only to
members of a Unix group (studempl). I have added myself to the group but when I
or other group members try to access the folder via Windows Explorer I get the
following:

I:\StudentJobApplications is not accessible
Access is denied

Here are some of the particulars:

The folder:
# ls -ld /departments/common/StudentJobApplications
drwxrwx---   2 root     studemp        2 Jul 11 08:34
/departments/common/StudentJobApplications

The group (etc/group):
studempl::2018:mylogin,otheruserlogin.....

The share definition in smb.conf:

# --------------------------------------
# shared directory for ALL staff
# --------------------------------------
[libshare]
   comment     = Library staff shared directory
   path        = /<path>
   browseable  = yes
   writeable   = yes
   create mask = 0777
   force create mode = 0777
   directory mask = 0777
   valid users = +group1 +group2 +group3 +group4 +group 5 +group6 +group7
+group8............+group17 +studempl
   invalid users = +circdesk

Note: I am a member of one of the groups defined in valid users above.

I have not restarted the samba server but I don't think that would be
necessary.

Actually I would like to set the permissions on the folder to be -rwxrws--- but
just being able to access it would be a start. I would appreciate ang comments
or suggestions.

Thank you.

~~~~~~~~~~~~~~~~~~~~~~~~
Daulton Theodore
Carleton University
Library, Systems Department
Vmail: (613) 520-2600, ext. 8352

Group ownership shows to be "studemp", but you are giving share 
permissions to "studempl".
Is that a typo, or is that the source of your problem?

Dale


On 07/11/2011 11:15 AM, Daulton_Theodore wrote:
> Hi all,
>
> Running samba 3.5.5 in a Solaris non-global zone. I have created a folder
(StudentJobApplications) on a share  which I want to make accessible only to
members of a Unix group (studempl). I have added myself to the group but when I
or other group members try to access the folder via Windows Explorer I get the
following:
>
> I:\StudentJobApplications is not accessible
> Access is denied
>
> Here are some of the particulars:
>
> The folder:
> # ls -ld /departments/common/StudentJobApplications
> drwxrwx---   2 root     studemp        2 Jul 11 08:34
/departments/common/StudentJobApplications
>
> The group (etc/group):
> studempl::2018:mylogin,otheruserlogin.....
>
> The share definition in smb.conf:
>
> # --------------------------------------
> # shared directory for ALL staff
> # --------------------------------------
> [libshare]
>     comment     = Library staff shared directory
>     path        = /<path>
>     browseable  = yes
>     writeable   = yes
>     create mask = 0777
>     force create mode = 0777
>     directory mask = 0777
>     valid users = +group1 +group2 +group3 +group4 +group 5 +group6 +group7
+group8............+group17 +studempl
>     invalid users = +circdesk
>
> Note: I am a member of one of the groups defined in valid users above.
>
> I have not restarted the samba server but I don't think that would be
necessary.
>
> Actually I would like to set the permissions on the folder to be -rwxrws---
but just being able to access it would be a start. I would appreciate ang
comments or suggestions.
>
> Thank you.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> Daulton Theodore
> Carleton University
> Library, Systems Department
> Vmail: (613) 520-2600, ext. 8352
>

I would guess this is ZFS?

I think the problem occurs when samba+zfs interprets unix "no rights 
granted to the world (other)" as "deny everyone" in windows.

For example, if you have a with unix perms of 770 -  this means on the 
unix level that the user and group have full permissions, no rights are 
assigned to "other", and therefore if you are the user (owner) or
group
you have rights,  otherwise you don't.  The permissions are additive and 
omitting any permissions for "other" is not explicitly an access
entry.

In Samba, this gets interpreted as "everyone is denied"-  and even 
though windows permissions are generally additive, denies trump 
allows.    The owner of the file can usually go into the advanced 
windows permissions and clear the deny entries.

Root can also reset permissions as follows:


     chmod -R A- thedirectory
     chmod -R A=owner@:rwxpdDaARWcCos:allow ?thedirectory
     chmod -R A+group@:rwxpdDaARWcCos:allow ?thedirectory
     chmod -R A+someothergroup@:rwxpdDaARWcCos:allow ?thedirectory


If you have autofs involved you may want to fix the top level of an 
autofs directory to allow root to still access it (require for mounting)

     chmod A+user:nobody:aRc:allow  thedirectory



ZFS is really great BUT Samba played nicer with UFS.    Somewhat 
ironically, I believe Samba with ZFS tries to more precisely map unix to 
windows permissions than it did with UFS to Samba.  With UFS, some of 
problem permissions were just ignored in samba.

On 07/11/2011 12:15 PM, Daulton_Theodore wrote:
> Hi all,
>
> Running samba 3.5.5 in a Solaris non-global zone. I have created a folder
(StudentJobApplications) on a share  which I want to make accessible only to
members of a Unix group (studempl). I have added myself to the group but when I
or other group members try to access the folder via Windows Explorer I get the
following:
>
> I:\StudentJobApplications is not accessible
> Access is denied
>
> Here are some of the particulars:
>
> The folder:
> # ls -ld /departments/common/StudentJobApplications
> drwxrwx---   2 root     studemp        2 Jul 11 08:34
/departments/common/StudentJobApplications
>
> The group (etc/group):
> studempl::2018:mylogin,otheruserlogin.....
>
> The share definition in smb.conf:
>
> # --------------------------------------
> # shared directory for ALL staff
> # --------------------------------------
> [libshare]
>     comment     = Library staff shared directory
>     path        = /<path>
>     browseable  = yes
>     writeable   = yes
>     create mask = 0777
>     force create mode = 0777
>     directory mask = 0777
>     valid users = +group1 +group2 +group3 +group4 +group 5 +group6 +group7
+group8............+group17 +studempl
>     invalid users = +circdesk
>
> Note: I am a member of one of the groups defined in valid users above.
>
> I have not restarted the samba server but I don't think that would be
necessary.
>
> Actually I would like to set the permissions on the folder to be -rwxrws---
but just being able to access it would be a start. I would appreciate ang
comments or suggestions.
>
> Thank you.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> Daulton Theodore
> Carleton University
> Library, Systems Department
> Vmail: (613) 520-2600, ext. 8352
>