Kees van Vloten
2024-Mar-28 18:04 UTC
[Samba] Linux Mint 21.3 client AD joined OK but no usb working
On 28-03-2024 18:53, Rowland Penny via samba wrote:
> On Thu, 28 Mar 2024 11:33:16 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Wed, 27 Mar 2024 18:13:16 +0000
>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>> Now thinking about apparmor, could this be stopping writing to the
>>> drive ?
>>>
>> No, I removed apparmor and rebooted, no different.
>>
>> Tried to format the drive, but it seems to have gone read only, so
>> used another drive and formatted that.
>>
>> When I insert the USB drive, it gets mounted on
>> /media/rowland/usbdrive1
>>
>> Checking the permissions on the path, shows this:
>>
>> rowland at devstation:~$ ls -ld /media/
>> drwxr-xr-x 4 root root 4096 Mar 27 17:15 /media/
>>
>> Anyone can traverse /media
>>
>> rowland at devstation:~$ ls -ld /media/rowland/
>> drwxr-x---+ 3 root root 4096 Mar 28 09:36 /media/rowland/
>>
>> There is an EA, so check that:
>>
>> rowland at devstation:~$ getfacl /media/rowland/
>> getfacl: Removing leading '/' from absolute path names
>> # file: media/rowland/
>> # owner: root
>> # group: root
>> user::rwx
>> user:rowland:r-x
>> group::---
>> mask::r-x
>> other::---
>>
>> Only 'root', members of the 'root' group and 'rowland' can traverse
>> /media/rowland
>>
>> rowland at devstation:~$ ls -ld /media/rowland/usbdrive1/
>> drwxr-xr-x 3 root root 4096 Mar 28 09:32 /media/rowland/usbdrive1/
>>
>> So 'rowland' can traverse to the 'usbdrive1' directory, but only
>> 'root' can write to it.
>>
>> WHY ??????????
>>
>> It mounts the drive in a directory named after the user, it allows the
>> user to get to the drive, but then denies the user the ability to
>> write to the drive.
>>
>> Off to find out just what 'mounts' the drive and how.
>>
>> Rowland
>>
> It seems that it is udev and udisks2 that automatically mount the USB
> drive after it is plugged into a USB port.
> The problem is I stated earlier, whilst it is mounted under a directory
> with the user's name, it is mounted rwx for root and r-x for the user
> (others), which, if you think about it, is probably correct for a
> removable drive. Whilst the user may have one ID on a computer, they
> may have another ID on a different computer.
> The only cure I can find is to change the owner of the USB drive's
> directory, e.g. chown rowland /media/rowland/usbdrive1
>
> Rowland

I did not read the whole thread back, so perhaps this is long obvious...

If the user is a domain-user and the same id-mapping is used everywhere, it should get the same UID/GID everywhere...
Rowland Penny
2024-Mar-28 18:53 UTC
[Samba] Linux Mint 21.3 client AD joined OK but no usb working
On Thu, 28 Mar 2024 19:04:44 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

>
> On 28-03-2024 18:53, Rowland Penny via samba wrote:
> > On Thu, 28 Mar 2024 11:33:16 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Wed, 27 Mar 2024 18:13:16 +0000
> >> Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>> Now thinking about apparmor, could this be stopping writing to the
> >>> drive ?
> >>>
> >> No, I removed apparmor and rebooted, no different.
> >>
> >> Tried to format the drive, but it seems to have gone read only, so
> >> used another drive and formatted that.
> >>
> >> When I insert the USB drive, it gets mounted on
> >> /media/rowland/usbdrive1
> >>
> >> Checking the permissions on the path, shows this:
> >>
> >> rowland at devstation:~$ ls -ld /media/
> >> drwxr-xr-x 4 root root 4096 Mar 27 17:15 /media/
> >>
> >> Anyone can traverse /media
> >>
> >> rowland at devstation:~$ ls -ld /media/rowland/
> >> drwxr-x---+ 3 root root 4096 Mar 28 09:36 /media/rowland/
> >>
> >> There is an EA, so check that:
> >>
> >> rowland at devstation:~$ getfacl /media/rowland/
> >> getfacl: Removing leading '/' from absolute path names
> >> # file: media/rowland/
> >> # owner: root
> >> # group: root
> >> user::rwx
> >> user:rowland:r-x
> >> group::---
> >> mask::r-x
> >> other::---
> >>
> >> Only 'root', members of the 'root' group and 'rowland' can traverse
> >> /media/rowland
> >>
> >> rowland at devstation:~$ ls -ld /media/rowland/usbdrive1/
> >> drwxr-xr-x 3 root root 4096 Mar 28 09:32 /media/rowland/usbdrive1/
> >>
> >> So 'rowland' can traverse to the 'usbdrive1' directory, but only
> >> 'root' can write to it.
> >>
> >> WHY ??????????
> >>
> >> It mounts the drive in a directory named after the user, it allows
> >> the user to get to the drive, but then denies the user the ability
> >> to write to the drive.
> >>
> >> Off to find out just what 'mounts' the drive and how.
> >>
> >> Rowland
> >>
> > It seems that it is udev and udisks2 that automatically mount the
> > USB drive after it is plugged into a USB port.
> > The problem is I stated earlier, whilst it is mounted under a
> > directory with the user's name, it is mounted rwx for root and r-x
> > for the user (others), which, if you think about it, is probably
> > correct for a removable drive. Whilst the user may have one ID on a
> > computer, they may have another ID on a different computer.
> > The only cure I can find is to change the owner of the USB drive's
> > directory, e.g. chown rowland /media/rowland/usbdrive1
> >
> > Rowland
>
> I did not read the whole thread back, so perhaps this is long
> obvious...
>
> If the user is a domain-user and the same id-mapping is used
> everywhere, it should get the same UID/GID everywhere...

Well yes, but udev & udisks2 are written from the point of view of a Linux computer where a user or group may not get the same IDs on different computers.

I found this:

https://wiki.archlinux.org/title/Udev#Allowing_regular_users_to_use_devices

Which seems to say that you can make it work for user writing, but it sounds like it works on a device by device basis.

I haven't given up on this yet, there must be a way for domain users to write to a USB drive without manual intervention.

Rowland
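
The permission checks walked through in this thread can be reproduced offline. The following is an added example, not part of the original posts: it parses getfacl-style text and applies the POSIX ACL access-check order from acl(5) to the two directories discussed. The names `parse_getfacl`, `allowed`, `MEDIA_ROWLAND` and `USBDRIVE1` are assumptions of this example, and the `USBDRIVE1` text is constructed from the `ls -ld` mode string quoted above.

```python
# Added example: POSIX ACL access check (order per acl(5)); root's override is ignored.
# ACL entries for /media/rowland are copied from the getfacl output in the thread.
MEDIA_ROWLAND = """\
# owner: root
# group: root
user::rwx
user:rowland:r-x
group::---
mask::r-x
other::---
"""
# Constructed: 'drwxr-xr-x root root' on usbdrive1 written as a minimal ACL.
USBDRIVE1 = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x\n"

def parse_getfacl(text):
    """Return (owner, group, {(tag, qualifier): set of permission letters})."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            entries[(tag, qualifier)] = set(perms[:3].replace("-", ""))
    return owner, group, entries

def allowed(text, user, want, groups=()):
    """True if `user` (in `groups`) is granted every permission letter in `want`."""
    owner, group, acl = parse_getfacl(text)
    want = set(want)
    mask = acl.get(("mask", ""), set("rwx"))  # no mask entry: nothing is masked
    if user == owner:
        return want <= acl[("user", "")]           # owner entry, never masked
    if ("user", user) in acl:
        return want <= acl[("user", user)] & mask  # named user, limited by mask
    # Group class: one matching entry must grant everything asked for.
    matched = [acl[("group", "")]] if group in groups else []
    matched += [p for (t, q), p in acl.items() if t == "group" and q in groups]
    if matched:
        return any(want <= p & mask for p in matched)
    return want <= acl[("other", "")]

if __name__ == "__main__":
    for name, acl_text in (("/media/rowland", MEDIA_ROWLAND), ("usbdrive1", USBDRIVE1)):
        print(name, {p: allowed(acl_text, "rowland", p) for p in "rwx"})
```
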