On 11/19/21 5:18 PM, Rowland Penny via samba wrote:
> On Fri, 2021-11-19 at 16:44 -0500, Ken Bass via samba wrote:
>> I am in some unfamiliar territory here and trying to troubleshoot why I
>> am getting access denied. Maybe someone can provide some pointers or
>> suggestions.
>>
>> I am sharing via a samba share.
>>
>> If the file is created on Windows, I see the following:
>>
>> icacls test.txt
>>
>> test.txt Everyone:
>> MYDOM\user:(I)(F)
>> MYDOM\Group:(I)(F)
>>
>> Under Linux the file permissions show as:
>> '-rwxrw----'
> Is that exactly what 'ls -la' produces ? Could there be a '+' on the
> end ?
> As shown, the user would have full permissions and the group would have
> read and write permissions, all others would have no permissions.
>
> Depending on how you have set up Samba, you may be using extended ACLs
> and attrs, but without further info, this is hard to say.
>
> Could you post the output from 'testparm -s' from the Samba server and
> the full output of 'ls -la test.txt'
>
> Rowland
>
>
>
Hi Rowland,
On the SERVER side:
-rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt
On the CLIENT side, where this share is mounted via cifs in /etc/fstab
-rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt
And reproducing the issue - on the CLIENT side
/usr/bin/getcifsacl test.txt
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:ALLOWED/0x0/FULL
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/
And after running
chmod u-x test.txt
-rw-rw---- 1 user testshare users 16 Nov 19 16:12 test.txt
/usr/bin/getcifsacl test.txt
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:DENIED/0x0/0xd0130
ACL:MYDOM\user:ALLOWED/0x0/0x1f01df
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/0x40
Notice after running the chmod to remove the user exec permission, the
DENIED ACL is added.
That DENIED ACL does not just remove 'execution', but as I originally
posted:
test.txt MYDOM\user:(DENY)(D,WDAC,WO,WEA,X,WA)
         MYDOM\user:(R,W,D,WDAC,WO,DC)
         MYDOM\Testshare Users:(F)
         Everyone:(DC)
it appears to also remove WEA - Write extended attributes, WA - Write
attributes, WO - Write owner.
My guess is that is why trying to write to test.txt from Windows after
the chmod results in Access Denied. That DENY clause prevents Windows
from doing that.
# Global parameters
[global]
        disable spoolss = Yes
        guest account = guestuser
        interfaces = lo 192.168.2.0/24
        kerberos method = secrets and keytab
        load printers = No
        log file = /var/log/samba/%m.log
        map to guest = Bad User
        printcap name = /dev/null
        realm = MYDOM.LOCAL.NET
        security = ADS
        server string = myserver
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /etc/samba/user.map
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = MYDOM
        idmap config mydom : unix_primary_group = yes
        idmap config mydom : range = 1000-29999
        idmap config mydom : schema_mode = rfc2307
        idmap config mydom : backend = ad
        idmap config * : range = 30000-39999
        idmap config * : backend = tdb
        cups options = raw
        hosts allow = 127. 192.168.2.
        map acl inherit = Yes
        printing = bsd
        strict allocate = Yes
        vfs objects = acl_xattr
[TestShare]
        comment = TestShare
        create mask = 0770
        directory mask = 0770
        force create mode = 0770
        force directory mode = 0770
        force group = "TestShare Users"
        path = /mnt/store/TestShare
        read only = No
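The hex masks in the getcifsacl listings above can be decoded to check that the DENIED entry really carries the rights icacls listed. The script below is an added example, not code from this thread or from Samba: it takes the post-chmod ACL lines as constructed input, maps the standard Windows access-mask bits to the icacls letter abbreviations, and computes what MYDOM\user is left with once the DENIED ACE is subtracted from the ALLOWED one.

```python
# Added example (not from the thread): decode getcifsacl access masks into the
# icacls right letters and compute what MYDOM\user keeps once the DENIED ACE applies.
import re

# Windows access-right bit -> icacls letter, in bit order:
# READ_DATA WRITE_DATA APPEND_DATA READ_EA WRITE_EA EXECUTE DELETE_CHILD
# READ_ATTRIBUTES WRITE_ATTRIBUTES DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE
RIGHTS = {
    0x000001: "RD", 0x000002: "WD", 0x000004: "AD", 0x000008: "REA",
    0x000010: "WEA", 0x000020: "X", 0x000040: "DC", 0x000080: "RA",
    0x000100: "WA", 0x010000: "D", 0x020000: "RC", 0x040000: "WDAC",
    0x080000: "WO", 0x100000: "S",
}
FULL = 0x1F01FF  # the mask getcifsacl abbreviates as "FULL"
ACE_RE = re.compile(r"^ACL:(.+?):(ALLOWED|DENIED)/0x[0-9a-fA-F]+/(\S+)$")

def decode(mask):
    """icacls-style letters for every bit set in mask."""
    return [abbr for bit, abbr in RIGHTS.items() if mask & bit]

def parse_acl(output):
    """(who, kind, mask) for each ACL: line in getcifsacl output."""
    aces = []
    for m in filter(None, map(ACE_RE.match, output.splitlines())):
        who, kind, mask = m.groups()
        aces.append((who, kind, FULL if mask == "FULL" else int(mask, 16)))
    return aces

def effective(aces, who):
    """Allowed bits minus denied bits for `who` (a DENIED ACE wins)."""
    allowed = denied = 0
    for w, kind, mask in aces:
        if w == who and kind == "DENIED":
            denied |= mask
        elif w == who:
            allowed |= mask
    return allowed & ~denied

# Constructed input: the ACL lines from the post-chmod listing above.
AFTER_CHMOD = """ACL:MYDOM\\user:DENIED/0x0/0xd0130
ACL:MYDOM\\user:ALLOWED/0x0/0x1f01df
ACL:MYDOM\\Testshare Users:ALLOWED/0x0/FULL
ACL:\\Everyone:ALLOWED/0x0/0x40"""

if __name__ == "__main__":
    aces = parse_acl(AFTER_CHMOD)
    for who, kind, mask in aces:
        print(f"{kind:7} {who:24} {mask:#08x} {','.join(decode(mask))}")
    print("effective for MYDOM\\user:", ",".join(decode(effective(aces, "MYDOM\\user"))))
```

The DENIED mask 0xd0130 decodes to exactly D, WDAC, WO, WEA, X and WA, the six rights in the icacls DENY line, and 0x1f01df is FULL with only the X bit cleared.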