Hello,
I cannot find anything in the documentation or mailing list that
addresses this oddity.
I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
utterly confused by samba's behavior regarding permissions.
Users on the server have home directories in /home/chemgroup/username.
(chemgroup is actually a symlink to another volume mounted at
/labs/chemgroup.) Permissions on /labs/chemgroup are:
drwxrwx--- username chemgroup /labs/chemgroup
Permissions on /labs/chemgroup/username are:
drwxr-x--- username chemgroup /labs/chemgroup/username
Clearly, username has rights to write to /home/chemgroup/username, and
can do so just fine via ssh.
The Samba share is configured as follows:
[chemgroup]
comment = Chemistry Group Share
path = /home/chemgroup
valid users = @chemgroup
public = no
browseable = no
writeable = yes
printable = no
force group = chemgroup
create mask = 0660
directory mask = 0770
Note, username is a member of chemgroup.
username can connect to \\server\chemgroup and can create new files and
directories there. And username can navigate to the username folder
within chemgroup. BUT, here's where it gets weird . . . username can
create a new file within the chemgroup\username folder, but they cannot
even change the name of the file they just created. And they can't
delete the file they just created (and couldn't rename).
This same behavior is even presented with Home directories, with the
homes section looking like this:
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0640
directory mask = 0750
valid users = %S
Thank you for any help or guidance.
John
--
* - - - - * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
John Maher
Senior Systems and Network Administrator
Department of Biochemistry & Molecular Biology and
Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120 fax: 413-545-4490
OpenPGP Key ID: 0x2970A144
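As an added worked example (my code, not part of John's post and not Samba's), here are the plain mode-bit rules the kernel applies to the operations he describes, run against the directory mode he posted. The uid `jmaher` is the one that appears in the log excerpt later in the thread; `alice`, `guest` and their group memberships are constructed. The point it makes explicit: under mode bits alone, creating, renaming and deleting an entry all require exactly the same thing (write and execute on the parent directory), and only the sticky bit adds a further condition. So with `drwxr-x---` and no sticky bit, a uid that can create a file in the directory can also rename and delete it; the mode bits John posted cannot produce "create allowed, rename denied" on their own.

```python
"""Mode-bit model of the directory operations John describes.  Added example,
not Samba code or anything from the thread: it applies the kernel's plain
mode-bit rules to the modes he posted.  'jmaher' is the uid that appears in
his later log excerpt; 'alice', 'guest' and their group lists are constructed."""
R, W, X = 4, 2, 1


class Entry:
    """A file or directory with ls -l style ownership and an octal mode; the
    high digit carries setgid/sticky, e.g. 0o1770 for drwxrwx--T."""

    def __init__(self, owner, group, mode):
        self.owner, self.group, self.mode = owner, group, mode

    @property
    def sticky(self):
        return bool(self.mode & 0o1000)


def mode_access(entry, uid, gids, want):
    """Plain mode-bit check in kernel order: the owner triplet if uid owns the
    entry, else the group triplet if the entry's group is one of uid's groups,
    else the other triplet.  Exactly one triplet is consulted: a group member
    who lacks group-write does not fall through to the other bits."""
    if uid == entry.owner:
        bits = (entry.mode >> 6) & 7
    elif entry.group in gids:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bits & want == want


def can(op, parent, uid, gids, target=None):
    """Directory-entry operations.  create, delete and rename (within one
    directory) all need w+x on the parent directory, nothing on the entry
    itself.  The sticky bit is the only extra condition: delete/rename then
    also require owning the entry or the directory (CAP_FOWNER not modelled).
    Reading or writing an existing file's contents is a different question,
    answered by mode_access() on the file."""
    if not mode_access(parent, uid, gids, W | X):
        return False
    if op in ("delete", "rename") and parent.sticky:
        return uid == parent.owner or (target is not None and uid == target.owner)
    return True


def entry_ops(parent, uid, gids, target=None):
    """Verdict for each of create/rename/delete by uid in parent."""
    return {op: can(op, parent, uid, gids, target)
            for op in ("create", "rename", "delete")}


# John's per-user directory as posted: drwxr-x--- username chemgroup.
USER_DIR = Entry("jmaher", "chemgroup", 0o750)
# A file he creates there through the share: create mask = 0660 yields
# -rw-rw----; force group = chemgroup sets the group but leaves the owner as
# the authenticated uid (force group only changes the primary group).
NEW_FILE = Entry("jmaher", "chemgroup", 0o660)


def explain():
    """Run the thread's scenario and a sticky-bit variant; returns
    {(who, op): allowed} so the outcomes can be inspected or asserted."""
    out = {}
    for who, gids in (("jmaher", {"chemgroup"}),
                      ("alice", {"chemgroup"}),      # another chemgroup member
                      ("guest", {"nogroup"})):       # no relevant group at all
        for op, ok in entry_ops(USER_DIR, who, gids, NEW_FILE).items():
            out[(who, op)] = ok
    # A group-writable directory with the sticky bit (drwxrwx--T root chemgroup):
    # alice can create there, but cannot delete jmaher's file in it.
    sticky_dir = Entry("root", "chemgroup", 0o1770)
    out[("alice", "create@sticky")] = can("create", sticky_dir, "alice", {"chemgroup"})
    out[("alice", "delete@sticky")] = can("delete", sticky_dir, "alice", {"chemgroup"}, NEW_FILE)
    return out
```

Two things worth reading off `explain()`: another chemgroup member can write the contents of the file (group `rw-`) yet can neither create, rename nor delete in the `r-x` directory, and for `jmaher` all three verdicts are "allowed". Whatever is denying the rename in John's setup is therefore being decided above the mode bits (the later log shows smbd's `rename_internals` reporting the denial itself), or the effective uid at the time of the call is not what he expects.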
Quoting John Maher (john at chem.umass.edu):
> I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
> utterly confused by samba's behavior regarding permissions.
> [...]

How about looking in the logfiles (first with log level set to 3)?
John,
For the [chemgroup] share try
[chemgroup]
comment = Chemistry Group Share
path = /home/chemgroup
valid users = @chemgroup
write list = @chemgroup
browseable = no
;; writeable = yes
;; printable = no
;; note your post left out the '@'-sign
force group = @chemgroup
create mask = 0660
directory mask = 0770
and for the [homes] share try
[homes]
comment = Home Directories
browseable = no
;; read only = no
create mask = 0640
directory mask = 0750
;; valid users = %S
valid users = %U
write list = %U
I found that using %U works best so long as you don't have older Windows
(e.g. Wfwg). Also specifying write list specifically gives 'username'
write capabilities consistent with your security policy on the
underlying volume.
And, is /labs/chemgroup a local disk volume or a remote NFS volume? Doing
a double mount SMB --> NFS --> Local Vol is not recommended owing to the
way NFS itself handles permissions.
Also I would recommend that you consider upgrading to the latest 3.5.X
branch of Samba and consider enabling ACLs and extended user attributes
on the underlying volumes. Although adding POSIX ACLs does add
complexity to the mix, in the end you get a more secure environment and
fewer Windows-to-Linux permission problems and confusion.
Bob
--bs
On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:
> I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
> utterly confused by samba's behavior regarding permissions.
> [...]
John,
Yes, I agree that you should not install from source--I meant to imply
if you could get a deb package for your Ubuntu Server 10.10.
I did not enable ACLs and User Extended Attributes until I installed the
first iteration of the Samba 3.5 branch on my Fedora 13 server (I'm
about to upgrade to Fedora 15) so I am not sure what issues you might
have using Samba 3.4.7.
User extended attributes are convenient for two purposes:
1) They allow Samba to store the DOS attributes (ReadOnly, Archive,
Hidden, and I think a few others) in a separate xattr. This frees you
from having to manage these attributes using the Linux permission bits.
2) They allow Samba to store the full NT ACLs as an xattr. The initial NT
ACLs will be based on the POSIX ACLs, which should also be enabled.
You can enable ACLs and user extended attributes on a share-by-share
basis. I would start off by creating a test volume (if you can carve one
out of your LVM) and creating a test share with it in Samba. For
example, here is my configuration for a group share:
[Shared]
comment = Public Share on %h
path = /home/shared
valid users = +domadmins, +domusers, +domguests
write list = +domadmins, +domusers
force group = domusers
; create mask = 0664
; force create mode = 0660
; directory mask = 0002
; force directory mode = 0770
inherit permissions = yes
inherit acls = yes
map acl inherit = yes
acl group control = yes
ea support = yes
vfs object = acl_xattr recycle
store dos attributes = yes
map archive = no
map hidden = no
map system = no
map readonly = no
The mount configuration in /etc/fstab is:
/dev/mapper/vg1-home /home ext3 defaults,acl,user_xattr 1 2
And the POSIX ACLs on /home/shared:
# getfacl shared
# file: shared
# owner: root
# group: users
# flags: -s-
user::rwx
group::rwx
group:users:rwx
group:domadmins:rwx
group:domusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:users:rwx
default:group:domadmins:rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---
I like the fact that I no longer have to give the Linux Other group any
permission whatsoever even for my public shared group.
There is a lot here that you will need to bone up on, but give it a try
and let us know if you run into any problems.
Good luck,
Bob
--bs
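An added example (my code, not Bob's and not Samba's) that parses the getfacl output Bob posted and applies the POSIX.1e access check and default-ACL inheritance the kernel uses, so the effect of his entries can be read off for concrete users. The user names and group lists passed in are constructed. Two things it brings out that the getfacl listing alone does not: a user whose only group is domguests is accepted by `valid users = +domguests` but matches no ACL entry and falls to `other::---`, so sees nothing on disk; and the `mask::` entry of a new file is the default mask ANDed with the group bits of the creation mode, and it caps every named-group entry, so a file created with mode 0644 is not writable by domusers even though `default:group:domusers:rwx` is present.

```python
"""POSIX.1e ACL model for Bob's ACL-based share.  Added example, not Samba code:
it parses the getfacl output from his message and applies the kernel's ACL
check and default-ACL inheritance.  User names and group lists are constructed."""
from dataclasses import dataclass, field, replace

R, W, X = 4, 2, 1


@dataclass
class Acl:
    """Access ACL of one object; mask=None means a minimal ACL (plain mode bits)."""
    owner: str
    group: str
    user_obj: int = 0
    group_obj: int = 0
    other: int = 0
    named_users: dict = field(default_factory=dict)
    named_groups: dict = field(default_factory=dict)
    mask: "int | None" = None
    default: "Acl | None" = None                       # directories only
    setgid: bool = False


def _fill(acl, entries):
    for tag, qual, perms in entries:                   # e.g. ('group', 'domusers', 'rwx')
        perm = sum(b for c, b in zip(perms, (R, W, X)) if c != "-")
        if qual:                                       # named user / named group
            (acl.named_users if tag == "user" else acl.named_groups)[qual] = perm
        else:                                          # user::, group::, mask::, other::
            setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), perm)
    return acl


def parse_getfacl(text):
    """getfacl output -> Acl ('# flags: -s-' = setuid/setgid/sticky; 'default:' entries -> acl.default)."""
    hdr, access_e, default_e = {}, [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            hdr[key.strip()] = val.strip()
        elif line.startswith("default:"):
            default_e.append(line[8:].split(":"))
        else:
            access_e.append(line.split(":"))
    setgid = hdr.get("flags", "---")[1] == "s"
    acl = _fill(Acl(hdr["owner"], hdr["group"], setgid=setgid), access_e)
    if default_e:
        acl.default = _fill(Acl(hdr["owner"], hdr["group"]), default_e)
    return acl


def access(acl, uid, gids, want):
    """Kernel order (posix_acl_permission): owner entry; named-user entry; owning
    group and named groups, where the first matching entry that grants decides
    and, if some group entry matched but none granted, other:: is NOT consulted;
    finally other::.  Named and group entries are ANDed with mask::."""
    masked = (lambda p: p) if acl.mask is None else (lambda p: p & acl.mask)
    if uid == acl.owner:
        return want & acl.user_obj == want
    if uid in acl.named_users:
        return want & masked(acl.named_users[uid]) == want
    matched = False
    for g, p in [(acl.group, acl.group_obj), *acl.named_groups.items()]:
        if g in gids:
            matched = True
            if want & p == want:
                return want & masked(p) == want
    return False if matched else want & acl.other == want


def create_under(parent, owner, primary_gid, mode, is_dir=False):
    """ACL a new entry inherits: the parent's default entries become its access
    ACL, with user::, mask:: (or group:: when there is no mask) and other::
    ANDed with the matching bits of the creation mode.  A setgid parent (Bob's
    '-s-') gives the entry the parent's group, as 'force group' also would."""
    group = parent.group if parent.setgid else primary_gid
    d = parent.default
    child = replace(d, owner=owner, group=group, named_users=dict(d.named_users),
                    named_groups=dict(d.named_groups), default=d if is_dir else None)
    child.user_obj &= (mode >> 6) & 7
    child.other &= mode & 7
    if child.mask is None:
        child.group_obj &= (mode >> 3) & 7
    else:
        child.mask &= (mode >> 3) & 7
    return child


# getfacl /home/shared, copied from Bob's message
SHARED = parse_getfacl("""\
# owner: root
# group: users
# flags: -s-
user::rwx
group::rwx
group:users:rwx
group:domadmins:rwx
group:domusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:users:rwx
default:group:domadmins:rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---
""")
```

Try `access(SHARED, "guest1", {"domguests"}, R | X)` and `create_under(SHARED, "alice", "domusers", 0o644)`: the first is False, and on the second `mask::` comes out as `r--`, which is what `getfacl` flags as `#effective:r--` next to the `group:domusers:rwx` entry on a real filesystem. The model deliberately stops at the kernel; Samba's `inherit acls`, `create mask` and `force create mode` decide which creation mode reaches it.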
John Maher john at chem.umass.edu
Fri Jun 3 09:37:14 MDT 2011
> And, is /labs/chemgroup a local disk volume or a remote NFS volume? Doing
> a double mount SMB --> NFS --> Local Vol is not recommended owing to the
> way NFS itself handles permissions.

Bob, I forgot to respond to this part. No, I'm not using NFS. That mount
point is an LVM logical volume on a single RAID5 array.

> Also I would recommend that you consider upgrading to the latest 3.5.X
> branch of Samba and consider enabling ACLs and extended user attributes
> on the underlying volumes. Although adding POSIX ACLs does add
> complexity to the mix, in the end you get a more secure environment and
> fewer Windows-to-Linux permission problems and confusion.

There's resistance in my department to install applications using source
rather than Ubuntu packages. For now, I need to stick with the version
we have unless it becomes clear that the version change would make the
difference.

I've been wondering about extended user attributes and whether or not
they are worth the effort. It sounds like you believe they are worth
it. I'll look into it. Thanks.

John
> > Quoting John Maher (john at chem.umass.edu):
> > > I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
> > > utterly confused by samba's behavior regarding permissions.
> > > [...]
> >
> > How about looking in the logfiles (first with log level set to 3)?
>
> Thanks for responding.
>
> I changed log level to 3 and was able to see an NT_STATUS_ACCESS_DENIED
> error when trying to change the name of a file I just created.

John,

To get back to your issue at hand... Can we see the output of your
logs--the entire delete/rename transactions? Is this server a PDC, BDC
or other? Are there any Windows servers that are part of this domain? Are
you using winbind? What is the output of wbinfo -i username?

Bob
--bs
John,
Were you using Samba 3.4.6 prior to this? If so, here is the release
note for 3.4.7:
============================ Release Notes for Samba 3.4.7
March 8, 2010
============================
This is a security release in order to address CVE-2010-0728.
o CVE-2010-0728:
In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
was added to fix a problem with Linux asynchronous IO handling.
This code introduced a bad security flaw on Linux platforms if the
binaries were built on Linux platforms with libcap support.
The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.
Regardless, if it was working under 3.4.6 you may have had a different
and more serious kind of security problem >:-0
Unfortunately I do not see this as a simple mis-configuration of your
server at this point. The error is being emitted after the smbd/open.c
call to try and open the file. It errors out on trying to open the file
for renaming.
> [2011/06/03 13:29:55, 3] smbd/vfs.c:974(check_reduced_name)
> reduce_name: jmaher/orig_name reduced to /labs/chemgroup/jmaher/orig_name
> [2011/06/03 13:29:55, 3] smbd/reply.c:6030(rename_internals)
> Could not open rename source jmaher/orig_name: NT_STATUS_ACCESS_DENIED
Unfortunately as I do not have an Ubuntu Server 10.04 I can not
experiment with this to help pinpoint an answer for you. Sorry.
BTW, what is shown under the workstation's Properties-->Security tab for
the file in question (and when the directory perms are drwxr-x---)? Do
all of the SIDs resolve properly? You may also try posting the error log
using log level = 9 for even more detail--this might also show the SID
to UID/GID mappings.
Bob
--bs
> On 06/03/2011 01:18 PM, Robert W. Smith wrote:
> ...
>> John,
>>
>> To get back to your issue at hand...Can we see the output of your
>> logs--the entire delete/rename transactions?
>
> Bob, thanks for your continued interest and help.
>
> Here is log level = 3 output when trying to change a file within the
> /labs/chemgroup/jmaher directory from the name "orig_name" to
> "new_name":
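An added example (my code, not from the thread and not Samba's) for working through the kind of `log level = 3` output Bob asked for: it parses smbd's two-line records (`[date, level] file:line(func)` followed by an indented message), pulls out every NT_STATUS_* failure, and pairs each with the preceding `reduce_name` line so that a denial is reported with both the share-relative and the on-disk path. The first four lines of the sample are John's excerpt as quoted by Bob; the remaining four are constructed in the same format for a second file so that the per-function grouping has something to group.

```python
"""Parser for smbd 'log level = 3' records of the form shown in this thread.
Added example, not Samba code.  SAMPLE is John's four quoted log lines plus
four constructed lines in the same format for a second file."""
import re

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
STATUS = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")
REDUCED = re.compile(r"reduce_name: (\S+) reduced to (\S+)")
RENAME_SRC = re.compile(r"Could not open rename source (\S+): (NT_STATUS_\w+)")


def parse_smbd_log(text):
    """One dict per record: ts, level, file, line, func, msg.  Leading '> '
    mail quoting and the two-space message indent are both tolerated;
    multi-line messages are joined with single spaces."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = HEADER.match(line)
        if m:
            cur = m.groupdict()
            cur["level"] = int(cur["level"])
            cur["line"] = int(cur["line"])
            cur["msg"] = ""
            records.append(cur)
        elif cur is not None and line:
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return records


def find_denials(records):
    """Every record whose message carries an NT_STATUS_* other than
    NT_STATUS_OK.  For rename failures the share-relative source path is
    extracted and, when the last preceding reduce_name line is for the same
    path, its on-disk expansion is attached as disk_path."""
    out, last_reduced = [], None
    for r in records:
        red = REDUCED.search(r["msg"])
        if red:
            last_reduced = red.groups()            # (share-relative, on-disk)
            continue
        st = STATUS.search(r["msg"])
        if not st or st.group(1) == "NT_STATUS_OK":
            continue
        rel = RENAME_SRC.search(r["msg"])
        path = rel.group(1) if rel else None
        disk = last_reduced[1] if (last_reduced and path == last_reduced[0]) else None
        out.append({"ts": r["ts"], "func": r["func"], "status": st.group(1),
                    "path": path, "disk_path": disk})
    return out


def summarize(text):
    """(denials, counts) where counts maps (func, status) -> occurrences, the
    quickest way to see whether one code path is responsible for everything."""
    denials = find_denials(parse_smbd_log(text))
    counts = {}
    for d in denials:
        key = (d["func"], d["status"])
        counts[key] = counts.get(key, 0) + 1
    return denials, counts


SAMPLE = """\
[2011/06/03 13:29:55, 3] smbd/vfs.c:974(check_reduced_name)
  reduce_name: jmaher/orig_name reduced to /labs/chemgroup/jmaher/orig_name
[2011/06/03 13:29:55, 3] smbd/reply.c:6030(rename_internals)
  Could not open rename source jmaher/orig_name: NT_STATUS_ACCESS_DENIED
[2011/06/03 13:30:12, 3] smbd/vfs.c:974(check_reduced_name)
  reduce_name: jmaher/second.txt reduced to /labs/chemgroup/jmaher/second.txt
[2011/06/03 13:30:12, 3] smbd/reply.c:6030(rename_internals)
  Could not open rename source jmaher/second.txt: NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for d in summarize(SAMPLE)[0]:
        print(d["ts"], d["func"], d["status"], d["path"], "->", d["disk_path"])
```

Feed it the real log (or the `>`-quoted copy from a mail reply) and look at the counts first: if every denial comes from `rename_internals` at the open of the rename source, as in the excerpt, the next step is the `log level = 9` output Bob suggests, where the SID-to-uid/gid mapping and the access check on that open become visible.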