Colin Fowler
2012-Jun-15 10:02 UTC
[Samba] User cannot get into own directory with 700 permissions
If I create a directory with 700 permissions owned by me with the group set to my primary group I *cannot* get into the directory from my windows machine. I can of course get into it from unix.

If however I set the mode to 740, I can get into it from windows.

Samba version is 3.6.5 running on Debian squeeze and is installed from the backports repository. Below is a snippet of the log file at log level 5 from when I try to access the directory "700_dir_cfowler_staff"

any help much appreciated!

[2012/06/15 10:24:25.700630, 3] smbd/process.c:1467(switch_message)
  switch message SMBntcreateX (pid 5978) conn 0x7fab011282a0
[2012/06/15 10:24:25.700932, 4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/06/15 10:24:25.701045, 5] smbd/filename.c:257(unix_convert)
  unix_convert called on file "test2/700_dir_cfowler_staff"
[2012/06/15 10:24:25.701178, 5] smbd/files.c:126(file_new)
  allocated file structure 10381, fnum = 14477 (3 used)
[2012/06/15 10:24:25.701296, 3] smbd/dosmode.c:159(unix_mode)
  unix_mode(test2/700_dir_cfowler_staff) returning 0740
[2012/06/15 10:24:25.701445, 4] smbd/open.c:2069(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x0 mode=0740, access_mask = 0x81, open_access_mask = 0x81
[2012/06/15 10:24:25.701655, 5] smbd/files.c:464(file_free)
  freed files structure 14477 (2 used)
[2012/06/15 10:24:25.701770, 5] smbd/open.c:2597(open_directory)
  open_directory: opening directory test2/700_dir_cfowler_staff, access_mask = 0x81, share_access = 0x7 create_options = 0x0, create_disposition = 0x1, file_attributes = 0x10
[2012/06/15 10:24:25.701960, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/error.c(161) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

[global]
    workgroup = FOO
    realm = FOO.BAR.COM
    interfaces = eth0, lo
    bind interfaces only = Yes
    security = DOMAIN
    log file = /var/log/samba/samba.log.%m
    unix extensions = No
    idmap config * : backend = tdb
    wide links = Yes
    log level = 5

[homes]
    comment = Home directories (%h)
    read only = No
    create mask = 0750
    browseable = No
Linda W
2012-Jun-16 05:39 UTC
[Samba] User cannot get into own directory with 700 permissions
Colin Fowler wrote:
> If I create a directory with 700 permissions owned by me with the
> group set to my primary group I *cannot* get into the directory from
> my windows machine. I can of course get into it from unix
>
> If however I set the mode to 740, I can get into it from windows
>
> Samba version is 3.6.5 running on Debian squeeze and is installed from
> the backports repository. Below is a snippet of the log file at log
> level 5 from when I try to access the directory "700_dir_cfowler_staff"
>
> any help much appreciated!

You create the directory on your unix box with 700 permissions.

How did you mount the partition?? I.e. How does it know that the 'you' on your win-sys is the same 'you' as the you on your linux box?

Case in point -- I have at least 2 'you's, that I am... one is in my domain, the other is on the workstation. The one in the domain is the same one as on the linux server, but the login with the same name on my workstation is NOT the same user -- one is linda at workstation, while the other is linda at domain.

Now you can put both of those users in the same group...and have files delegated by group (which is how I try to manage sharing -- but it doesn't always work because windows progs don't know to give access by group --- I mean giving access to a group -- to say some software -- that would be "like" piracy --- (*cough*), -- windows has always wanted to charge by the user AND by the machine -- so the windows you install on 1 machine isn't really yours to use on another. So it was in their interest to allow as little universal IDs as possible unless you paid extra, for "per-person" licensing that was sold to businesses at a premium price... maybe you get the picture??...

You can either try to make do with groups -- or try to bring up your linux box as a domain server -- if you already have it set as a domain server, um...I think 'deny-access' entries get ordered before permission entries, so if it took out your group access with a deny, that's another possibility.

Hopefully this gives you a few places to look...(can't say a lot, as my own setup is held together with duck-tape and paper clips... and isn't always the most stable (understatement)...)
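
To triage a longer smbd log like the level-5 excerpt in the first post, the entries can be grouped per SMB request and filtered for NT_STATUS_ACCESS_DENIED. This is an added example, not code from either poster or from the Samba project; the function names, dictionary keys and sample paths are constructed for illustration, and the parser also copes with logs whose line breaks were lost in an archive.

```python
import re

# Header of a Samba 3.x debug entry: [date time, level] source.c:line(function)
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+"
                    r"\S+?:\d+\((\w+)\)")
# Logging function -> (result key, pattern); patterns follow the post's log.
FIELDS = {
    "unix_convert": ("path", re.compile(r'called on file "([^"]*)"')),
    "unix_mode": ("unix_mode", re.compile(r"returning (0[0-7]+)")),
    "error_packet_set": ("status", re.compile(r"(NT_STATUS_\w+)")),
}

def parse_entries(text):
    """Yield (timestamp, level, function, message); a message runs to the next header."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.group(1), int(h.group(2)), h.group(3), " ".join(text[h.end():end].split())

def denied_requests(text):
    """Group entries per request (each starts at switch_message); return the denied ones."""
    requests, cur = [], None
    for ts, _level, func, msg in parse_entries(text):
        if func == "switch_message":
            m = re.search(r"switch message (\w+)", msg)
            cur = {"time": ts, "command": m.group(1) if m else None,
                   "path": None, "unix_mode": None, "status": None}
            requests.append(cur)
        elif cur is not None and func in FIELDS:
            key, pattern = FIELDS[func]
            if m := pattern.search(msg):
                cur[key] = m.group(1)  # value exactly as smbd logged it
    return [r for r in requests if r["status"] == "NT_STATUS_ACCESS_DENIED"]

# Constructed sample in the format of the post's log (paths are made up).
SAMPLE = """\
[2012/06/15 10:24:20.100000,  3] smbd/process.c:1467(switch_message)
  switch message SMBntcreateX (pid 5978) conn 0x7fab011282a0
[2012/06/15 10:24:20.100200,  5] smbd/filename.c:257(unix_convert)
  unix_convert called on file "share/open_dir"
[2012/06/15 10:24:25.700630,  3] smbd/process.c:1467(switch_message)
  switch message SMBntcreateX (pid 5978) conn 0x7fab011282a0
[2012/06/15 10:24:25.701045,  5] smbd/filename.c:257(unix_convert)
  unix_convert called on file "share/private_dir"
[2012/06/15 10:24:25.701296,  3] smbd/dosmode.c:159(unix_mode)
  unix_mode(share/private_dir) returning 0740
[2012/06/15 10:24:25.701960,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/error.c(161) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
"""
```

Pass denied_requests() the contents of the per-client file named by the "log file" setting; each result carries the request time, SMB command, path and the value logged by unix_mode.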