Hello Jeremy,

Friday, December 19, 2014, 3:48:51 PM, you wrote:

> On Fri, Dec 19, 2014 at 12:47:51PM -0500, Rufe Glick wrote:
>> Hello,
>>
>> After researching the subject on the internet I concluded that Samba should take into account Unix file acls. During my tests I found the opposite. Only Unix file mode bits are respected, and file acls are ignored. If my initial assumption is correct and Samba does respect Unix file acls, then I am doing something wrong. Please see the setup below and point to what I am doing wrong.
>>
>> Distribution and Samba version in use: CentOS Linux 7; Samba 4.1.1
>>
>> ##### Server
>>
>> # Create Linux users
>> useradd alice
>> useradd bob
>>
>> # Create a directory to be shared; set ro permissions for alice using \
>> # file mode bits and rw permissions for bob using file acls
>> mkdir /home/smbshare
>> chown alice:alice /home/smbshare
>> chmod 0500 /home/smbshare
>> setfacl -m u:bob:rwx /home/smbshare
>> setfacl -m m:rwx /home/smbshare
>>
>> # Create a file for testing purposes
>> echo 'Hello world!' > /home/smbshare/test.txt
>>
>> # Add users to Samba database
>> pdbedit -a -u alice
>> pdbedit -a -u bob
>>
>> # Define share in smb.conf and restart the smb daemon
>> vim /etc/samba/smb.conf
>> comment = smbshare for alice(ro) and bob(rw)
>> path = /home/smbshare
>> browseable = yes
>> writeable = yes
>> valid users = alice bob
>> systemctl reload smb
>>
>> # Set the SELinux permissions and open samba on firewall
>> chcon -R -t samba_share_t /home/smbshare
>> firewall-cmd --add-service=samba --permanent
>> firewall-cmd --reload
>>
>> ##### Client
>>
>> # Create Linux users
>> useradd alice
>> useradd bob
>
> Do alice and bob have the same user ids on client
> and server ?

Yes, the uids and gids are identical on both server and client machines.
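The setup quoted above mixes mode bits with a POSIX ACL, and whether bob ends up with write access depends on how the kernel combines the named-user entry with the ACL mask. The script below is an added example, not code from this thread or from Samba: it evaluates a getfacl listing the way the kernel evaluates a POSIX.1e access ACL (owner entry first, then a named-user entry masked, then group entries masked, then other), so the same decision can be checked on the server before digging into smbd logs. Both getfacl listings are constructed here to match the quoted commands; the second shows the mask as it would look after someone runs "chmod 0500" on the directory again, since chmod rewrites the mask entry rather than the named-user entry, which is the usual way a named-user ACL entry silently stops working. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): evaluate a POSIX.1e
# access ACL, as printed by getfacl, for a given user the way the kernel
# does. Lets you confirm the filesystem itself grants bob rwx on the
# directory before suspecting smbd. Names here are this example's own.

# Constructed getfacl output for the directory as set up in the thread
# (chown alice:alice, chmod 0500, setfacl -m u:bob:rwx, setfacl -m m:rwx).
ACL_AS_POSTED='# file: home/smbshare
# owner: alice
# group: alice
user::r-x
user:bob:rwx
group::r-x
mask::rwx
other::---'

# Constructed getfacl output for the same directory after a later
# "chmod 0500 /home/smbshare": chmod changes the mask, not the named entry,
# so bob keeps his entry but its effective permission becomes nothing.
ACL_AFTER_CHMOD='# file: home/smbshare
# owner: alice
# group: alice
user::r-x
user:bob:rwx            #effective:---
group::r-x              #effective:---
mask::---
other::---'

# and_perms A B: the r/w/x letters present in both A and B.
and_perms() {
    out=''
    for b in r w x; do
        case $1 in *"$b"*) case $2 in *"$b"*) out="$out$b" ;; esac ;; esac
    done
    printf '%s' "$out"
}

# has_perms HAVE WANT: succeeds if every letter of WANT is in HAVE.
has_perms() {
    for b in r w x; do
        case $2 in *"$b"*) case $1 in *"$b"*) ;; *) return 1 ;; esac ;; esac
    done
    return 0
}

# acl_entry ACL PREFIX: the 3-letter permission field of the line starting
# with PREFIX (e.g. "user:bob:"), or nothing if there is no such entry.
acl_entry() {
    printf '%s\n' "$1" | sed -n "s/^$2\(...\)\$/\1/p"
}

# acl_check ACL USER "GROUPS" WANT: decide whether USER, a member of the
# space-separated GROUPS, gets the WANT letters (e.g. "rwx") under ACL.
# Prints the decision and the entry that decided it; exit 0 means granted.
acl_check() {
    acl=$(printf '%s\n' "$1" | sed 's/[[:space:]]*#effective:.*$//')
    who=$2 memberof=$3 want=$4 matched='' perms=''
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    owngrp=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    mask=$(acl_entry "$acl" 'mask::')
    [ -n "$mask" ] || mask=rwx          # no mask entry: nothing is masked off

    # 1. The owner is decided by user:: alone; the mask does not apply to it.
    if [ "$who" = "$owner" ]; then
        perms=$(acl_entry "$acl" 'user::'); matched='user::'
    fi
    # 2. A named user entry decides, after the mask, even if a group entry
    #    would have granted more.
    if [ -z "$matched" ]; then
        e=$(acl_entry "$acl" "user:$who:")
        [ -z "$e" ] || { perms=$(and_perms "$e" "$mask"); matched="user:$who:"; }
    fi
    # 3. Owning group and named groups: any one that grants everything wins;
    #    if some matched but none grants, access is denied and other:: is
    #    not consulted.
    if [ -z "$matched" ]; then
        for g in $memberof; do
            if [ "$g" = "$owngrp" ]; then
                e=$(acl_entry "$acl" 'group::'); label='group::'
            else
                e=$(acl_entry "$acl" "group:$g:"); label="group:$g:"
            fi
            [ -n "$e" ] || continue
            perms=$(and_perms "$e" "$mask"); matched=$label
            has_perms "$perms" "$want" && break
        done
    fi
    # 4. Everyone else: other::
    if [ -z "$matched" ]; then
        perms=$(acl_entry "$acl" 'other::'); matched='other::'
    fi

    if has_perms "$perms" "$want"; then
        printf 'granted: %s effective %s for %s\n' "$matched" "$perms" "$who"
        return 0
    fi
    printf 'denied: %s effective %s for %s (wanted %s)\n' "$matched" "$perms" "$who" "$want"
    return 1
}

# Usage: with the posted ACL bob should get rwx and alice only r-x; with the
# post-chmod ACL bob gets nothing. Denied cases return 1, hence "|| true".
acl_check "$ACL_AS_POSTED" bob bob rwx
acl_check "$ACL_AS_POSTED" alice alice w || true
acl_check "$ACL_AFTER_CHMOD" bob bob w || true
```

On the server the same check is simply `getfacl /home/smbshare` followed by `su - bob -c 'touch /home/smbshare/x'`: if the kernel denies bob there, a share running as bob cannot do better, and if it grants him, the Samba side is where to look.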
Jeremy Allison
2014-Dec-19 21:55 UTC
[Samba] Does Samba 4 actually respect Unix file acls?
On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
> Hello Jeremy,
>
> > Do alice and bob have the same user ids on client
> > and server ?
>
> Yes, the uids and gids are identical on both server and client machines.

Then it should work. Set debug level 10 on the smbd and look for ACCESS_DENIED messages in the logs.
Hello Jeremy,

Friday, December 19, 2014, 4:55:21 PM, you wrote:

> On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
>> Hello Jeremy,
>>
>> > Do alice and bob have the same user ids on client
>> > and server ?
>>
>> Yes, the uids and gids are identical on both server and client machines.
>
> Then it should work. Set debug level 10 on the smbd
> and look for ACCESS_DENIED messages in the logs.

I set debug level to 10. This is the output -- http://pastebin.com/dfmHqYA7 -- that I get in the '/var/log/samba/log.' file on the server side when I try to access the share as bob on the client machine (and get a Permission denied error). There are no ACCESS_DENIED messages in the logs. For reference, bob's uid/gid are 1002 and alice's uid/gid are 1001.