Hello,

After an upgrade to samba 3.5.8 (from 3.2.5) the option 'dos filemode' does not seem to work anymore. If I (as a user) do not own the file I can't change permissions.

I am user 'felix' and member of supplementary group 'Development'. To test things I use the following share definition:

    [Temp]
    path = /srv/samba/file-shares/tmp
    browseable = yes
    read only = no
    invalid users = root administrator
    delete readonly = yes
    inherit owner = yes
    force group = Development
    dos filemode = yes

A 'getfacl' on /srv/samba/file-shares/tmp returns:

    # file: srv/samba/file-shares/tmp
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    group::r-x
    group:Development:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:Development:rwx
    default:mask::rwx
    default:other::---

From the 'smb.conf' man page concerning option 'dos filemode':

...
Enabling this parameter allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it.
...

My understanding: as a member of group 'Development' I do have write access to '/srv/samba/file-shares/tmp' by means of the ACL.

Trying to modify permissions on a directory or file I create in that share does not work and reports access denied, no matter if I use Windows Explorer or smbclient from another Linux box.

What am I misunderstanding here?

Many thanks, Felix

TAKAHASHI Motonobu
2011-Mar-25 13:43 UTC
[Samba] Can't get 'dos filemode' to work as expected
From: Felix Brack <fb at ltec.ch>
Date: Thu, 24 Mar 2011 10:09:53 +0100

> After an upgrade to samba 3.5.8 (from 3.2.5) the option 'dos filemode'
> does not seem to work anymore. If I (as a user) do not own the file I
> can't change permissions.
>
> I am user 'felix' and member of supplementary group 'Development'. To
> test things I use the following share definition:
>
> [Temp]
> path = /srv/samba/file-shares/tmp
> browseable = yes
> read only = no
> invalid users = root administrator
> delete readonly = yes
> inherit owner = yes
> force group = Development
> dos filemode = yes
>
> A 'getfacl' on /srv/samba/file-shares/tmp returns:
>
> # file: srv/samba/file-shares/tmp
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> group::r-x
> group:Development:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:Development:rwx
> default:mask::rwx
> default:other::---

As far as I examined, "dos filemode" works fine at Samba 3.5.8.

I connect to \\lenny5\aclshare2a and can change the other's permission (same as running "chmod o+r test2.txt").

Here are my settings:

-----
    lenny5:/var/lib/samba/shares# cat /usr/local/samba/lib/smb.conf
    [global]

    [aclshare2]
      path = /var/lib/samba/shares/aclshare2
      writeable = yes
      force group = root
      inherit permissions = yes
      dos filemode = yes
      store dos attributes = yes
      map archive = no
      map read only = no

    [aclshare2a]
      path = /var/lib/samba/shares/aclshare2
      browseable = yes
      read only = no
      invalid users = root administrator
      delete readonly = yes
      inherit owner = yes
      force group = Development
      dos filemode = yes
-----

Both for aclshare2 and aclshare2a Samba works fine.

    lenny5:/var/lib/samba/shares# /usr/local/samba/sbin/smbd -V
    Version 3.5.8
    lenny5:/var/lib/samba/shares# getfacl aclshare2/
    # file: aclshare2/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:Development:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:Development:rwx
    default:mask::rwx
    default:other::---

    lenny5:/var/lib/samba/shares# getfacl aclshare2/test2.txt
    # file: aclshare2/test2.txt
    # owner: root
    # group: root
    user::rw-
    group::rw-
    group:Development:rwx
    mask::rwx
    other::r--

    lenny5:/var/lib/samba/shares# id monyo
    uid=1000(monyo) gid=100(users) groups=100(users),1016(Development)

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>

On Thu, Mar 24, 2011 at 5:09 AM, Felix Brack <fb at ltec.ch> wrote:

> A 'getfacl' on /srv/samba/file-shares/tmp returns:
>
> # file: srv/samba/file-shares/tmp
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> group::r-x
> group:Development:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:Development:rwx
> default:mask::rwx
> default:other::---

Are you sure this is a Samba issue? What does a 'getfacl' on the files you create in the share look like?

Chris

On 24.03.2011 10:09, Felix Brack wrote:

> Hello,
>
> After an upgrade to samba 3.5.8 (from 3.2.5) the option 'dos filemode'
> does not seem to work anymore. If I (as a user) do not own the file I
> can't change permissions.
>
> I am user 'felix' and member of supplementary group 'Development'. To
> test things I use the following share definition:
>
> [Temp]
> path = /srv/samba/file-shares/tmp
> browseable = yes
> read only = no
> invalid users = root administrator
> delete readonly = yes
> inherit owner = yes
> force group = Development
> dos filemode = yes
>
> A 'getfacl' on /srv/samba/file-shares/tmp returns:
>
> # file: srv/samba/file-shares/tmp
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> group::r-x
> group:Development:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:Development:rwx
> default:mask::rwx
> default:other::---
>
> From the 'smb.conf' man page concerning option 'dos filemode':
>
> ...
> Enabling this parameter allows a user who has write access to the file
> (by whatever means, including an ACL permission) to modify the
> permissions (including ACL) on it.
> ...
>
> My understanding: as a member of group 'Development' I do have write
> access to '/srv/samba/file-shares/tmp' by means of the ACL.
>
> Trying to modify permissions on a directory or file I create in that
> share does not work and reports access denied, no matter if I use
> Windows Explorer or smbclient from another Linux box.
>
> What am I misunderstanding here?
>
> Many thanks, Felix
>

I finally managed to write some code for my Windows box that shows the error:

    #include <stdio.h>
    #include <tchar.h>
    #include <windows.h>

    // directory name ----------------------------------------
    // share name ---------------------------------          |
    // server name ----------------------         |          |
    //                                  |         |          |
    //                                  v         v          v
    const wchar_t strFirName[]= L"\\\\JUPITER\\testshare\\test-dir";

    int main(void)
    {
        BOOL bRet;
        DWORD dwError;

        // create the directory (wide-character API, because the path is a wchar_t string)
        bRet= CreateDirectoryW(strFirName, NULL);
        if (!bRet) {
            dwError= GetLastError();
            return -1;
        }

        // now set the file attribute of the newly created directory
        bRet= SetFileAttributesW(strFirName, FILE_ATTRIBUTE_NORMAL);
        if (!bRet) {
            // dwError will be 6 (ERROR_INVALID_HANDLE) in case of failure
            dwError= GetLastError();
            return -1;
        }
        return 0;
    }

That's it! Creating a directory and then manipulating the attributes.

The server path to the share is /srv/samba/file-shares/testshare. The code above fails while setting the attribute if the user (felix) connecting to the samba share is _not_ the owner (root) of /srv/samba/file-shares/testshare.

'getfacl /srv/samba/file-shares/testshare' returns:

    # file: srv/samba/file-shares/testshare
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    group::rwx
    group:Development:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:Development:rwx
    default:mask::rwx
    default:other::---

If I type 'chown felix:root /srv/samba/file-shares/testshare' on the samba server and then execute the code above, everything is fine.

'getfacl /srv/samba/file-shares/testshare' returns:

    # file: srv/samba/file-shares/testshare
    # owner: felix
    # group: root
    # flags: -s-
    user::rwx
    group::rwx
    group:Development:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:Development:rwx
    default:mask::rwx
    default:other::---

As already stated 'felix' is member of group 'Development'.

Can somebody confirm that the code above works in case the user connecting to the share is _not_ owning the share?

Felix
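
An added example, not part of the original thread and not Samba's own code: it evaluates the getfacl output posted above in acl(5) order to tell whether a user owns a path (a plain chmod would work) or only has write access through a group entry (the case the quoted man page text says 'dos filemode' covers). The function names are hypothetical, and the assumption is that 'felix' has no group besides 'Development' that matters here.

```python
# Added example: POSIX ACL write check over getfacl text (acl(5) evaluation order).
# Sample input: testshare ACL from the thread, default: entries abbreviated.
TESTSHARE_ACL = """\
# file: srv/samba/file-shares/testshare
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:Development:rwx
mask::rwx
other::---
default:user::rwx
default:group:Development:rwx
"""

def parse_getfacl(text):
    """Return (owner, group, entries) for the access ACL; default: lines are skipped."""
    owner = group = None
    entries = []  # (tag, qualifier, perms)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            entries.append(tuple(line.split("#")[0].strip().split(":")))
    return owner, group, entries

def can_write(text, user, groups):
    owner, group, entries = parse_getfacl(text)
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    find = lambda tag, qual="": next((p for t, q, p in entries if (t, q) == (tag, qual)), "---")
    masked = lambda p: "w" in p and "w" in mask
    if user == owner:
        return "w" in find("user")            # owning-user entry ignores the mask
    if any((t, q) == ("user", user) for t, q, p in entries):
        return masked(find("user", user))
    hits = [find("group")] if group in groups else []
    hits += [p for t, q, p in entries if t == "group" and q in groups]
    if hits:                                   # any matching group entry may grant
        return any(masked(p) for p in hits)
    return "w" in find("other")

def chmod_route(text, user, groups):
    """'owner': plain chmod works; 'needs dos filemode': write access only; else 'denied'."""
    if user == parse_getfacl(text)[0]:
        return "owner"
    return "needs dos filemode" if can_write(text, user, groups) else "denied"
```

Running chmod_route over 'getfacl' output for the files and directories created inside the share, rather than the share root, answers the question raised earlier in the thread about what the new objects' ACLs look like.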