Andrew Masterton
2010-Oct-29 15:57 UTC
[Samba] Modify permission not available unless group permissions are set to write.
I've been wrestling with a problem on newer versions of samba with a configuration that "used" to work in samba 3.0.33 (RedHat Enterprise 5 packages). This may be due to changes in the way samba maps NT permissions, but I'm not sure so I thought I would ask.

I have a samba 3.3.8 (RedHat Enterprise 5.5 Samba3x packages) and samba 3.4.4 (Redhat Enterprise 6 beta packages) installation both connected to active directory with samba/winbind set-up as below (slightly adjusted from the true workgroup/server names):

    workgroup = WORK-GROUP
    password server = server.ac.uk
    realm = TEST.AC.UK
    security = ads
    idmap backend = tdb
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = true
    winbind offline logon = false
    winbind separator = +

And a share set-up as below:

    [blah]
    path = /home/blah
    writeable = yes
    force user = %D+andy
    force group = apache
    valid users = %D+andy

I have the folder blah set with the following permissions:

    drwxrwxr-x. 4 andy apache 4096 Oct 29 11:56 /home/blah

Inside the folder I have 2 additional folders, one with the group write bit set and one without:

    drwxrwxr-x. 3 andy apache 4096 Oct 29 15:44 withgroupperm
    drwxr-xr-x. 3 andy apache 4096 Oct 29 15:50 withoutgroupperm

With this configuration I can create files and folders no problem in either of the subfolders by connecting as myself (andy), I can also modify the contents of files, but I cannot change the name of files/folders in the subdirectory that doesn't have the group write permission set. According to Windows I don't have the "modify" permission. In Samba 3.0.33 on RedHat Enterprise 5 this worked although it would appear that even under 3.0.33 you do not have the "modify" permission set.

I don't know if this was a bug that was fixed, but I would've thought as the owner of the folder and the "rwx" permission bits set for myself and the files also having "rwx" permissions for myself I should be able to change the names of files/folders that I have created within that folder via samba? Am I going mad?

Here is a samba log extract at loglevel 10 that shows the ACL check and the eventual access denied (on 3.4.4)

    [2010/10/29 16:51:22, 10] smbd/open.c:2896(create_file_unixpath)
      create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname withoutgroupperm/New Text Document.txt
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:3369(posix_get_nt_acl)
      posix_get_nt_acl: called for file withoutgroupperm
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2519(canonicalise_acl)
      canonicalise_acl: Access ace entries before arrange :
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
      canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
      canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
      canon_ace index 2. Type = allow SID S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:838(print_canon_ace_list)
      print_canon_ace_list: canonicalise_acl: ace entries after arrange
      canon_ace index 0. Type = allow SID S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
      canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
      canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:3369(posix_get_nt_acl)
      posix_get_nt_acl: called for file withoutgroupperm/New Text Document.txt
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2519(canonicalise_acl)
      canonicalise_acl: Access ace entries before arrange :
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
      canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
      canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
      canon_ace index 2. Type = allow SID S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:838(print_canon_ace_list)
      print_canon_ace_list: canonicalise_acl: ace entries after arrange
      canon_ace index 0. Type = allow SID S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
      canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
      canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
    [2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
      map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
    [2010/10/29 16:51:22, 10] smbd/open.c:2952(create_file_unixpath)
      create_file_unixpath: open file withoutgroupperm/New Text Document.txt for delete ACCESS_DENIED
    [2010/10/29 16:51:22, 10] smbd/open.c:3218(create_file_unixpath)
      create_file_unixpath: NT_STATUS_ACCESS_DENIED
    [2010/10/29 16:51:22, 10] smbd/open.c:3497(create_file_default)
      create_file: NT_STATUS_ACCESS_DENIED
    [2010/10/29 16:51:22, 3] smbd/error.c:60(error_packet_set)
      error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Many thanks,
-Andrew
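
An added example, not part of the original post and not Samba code: it decodes the NT access masks in the log extract above and lists, for each mapped ACE, which of the requested rights that ACE does not carry. The bit names are the standard NT access-mask constants; reading the three mapped lines per object as owner, group, other follows the "after arrange" order in the log and is an assumption.

```python
import re

# Standard NT access-mask bits for files and directories.
NT_RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Abridged from the log extract in the post (timestamps and source locations dropped).
LOG = """\
create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7
posix_get_nt_acl: called for file withoutgroupperm
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
posix_get_nt_acl: called for file withoutgroupperm/New Text Document.txt
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
"""

def decode(mask):
    """Names of the rights set in an NT access mask, lowest bit first."""
    return [name for bit, name in sorted(NT_RIGHTS.items()) if mask & bit]

def analyse(log):
    """Requested mask, plus per object the requested rights each mapped ACE lacks."""
    requested, current, report = 0, None, {}
    for line in log.splitlines():
        if m := re.search(r"access_mask = 0x([0-9a-fA-F]+)", line):
            requested = int(m.group(1), 16)
        elif m := re.search(r"posix_get_nt_acl: called for file (.+)$", line):
            current = m.group(1)
            report[current] = []
        elif m := re.search(r"Mapped \(UNIX\) ([0-9a-f]+) to \(NT\) ([0-9a-f]+)", line):
            granted = int(m.group(2), 16)
            report[current].append(decode(requested & ~granted))
    return requested, report

if __name__ == "__main__":
    requested, report = analyse(LOG)
    print("requested:", decode(requested))
    for obj, aces in report.items():
        print(obj, "missing per ACE (owner, group, other):", aces)
```

On this log the request decodes to FILE_READ_ATTRIBUTES, DELETE and SYNCHRONIZE; the mapped owner entry on the file (1e01ff) carries no DELETE bit, while the owner entry on the directory (1f01ff) carries both DELETE and FILE_DELETE_CHILD.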