Hello Jeremy,

Friday, December 19, 2014, 7:00:06 PM, you wrote:

> On Fri, Dec 19, 2014 at 06:31:33PM -0500, Rufe Glick wrote:
>> Hello Jeremy,
>
>> Friday, December 19, 2014, 4:55:21 PM, you wrote:
>
>> > On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
>> >> Hello Jeremy,
>
>> >> > Do alice and bob have the same user ids on client
>> >> > and server ?
>
>> >> Yes, the uids and gids are identical on both server and client machines.
>
>> > Then it should work. Set debug level 10 on the smbd
>> > and look for ACCESS_DENIED messages in the logs.
>
>> I set debug level to 10. This is the output -- http://pastebin.com/dfmHqYA7 -- I get in '/var/log/samba/log.' file on the server side when I try to access share as bob on the client machine (and get Permission denied error). There are no ACCESS_DENIED messages in the logs. For the reference - bob's uid/gid are 1002, alice's uid/gid are 1001.
>
> Hmmm. Might be a client bug. It's only doing
> a smbd_do_qfilepathinfo: SMB_QUERY_FILE_UNIX_BASIC
> call to check if it can cd into the directory,
> instead of a SMB_QUERY_POSIX_ACL: trans2
> request.
>
> Pinging Steve French...

By the way of trial and error I seem to find the setup that allows bob to have read-write access on the share, but in somewhat lame way.

First bob's uid must be used with mount options:

mount -t cifs -o username=bob,password=pass,uid=1002 //192.168.1.112/smbshare /mnt/smbshare

Second - owner's file mode bits on directory must match or exceed those that set for other user using acls. That is if bob has full rwx permissions on directory (via acl), but owner's bits are r-x, then bob won't have rwx, but r-x permissions on the directory. As soon as I change shared directory's owner's (alice in this case) permissions to rwx, bob gets full permissions as well (I have to re-login).

Also if I then try to access the share as alice I get read-only access for the share (though now alice has rwx permissions as directory owner). Things like 'touch file.txt' or 'echo "I am alice" > file.txt' return Permission denied error and create an empty file.

That is weird and illogical behavior. I would appreciate if someone can explain to me why it works this way and if it should work this way.

For the reference the version number as returned 'mount.cifs -V' is 6.2

On Dec 19, 2014 9:05 PM, "Rufe Glick" <rufe.glick at gmail.com> wrote:
>
> Hello Jeremy,
>
> Friday, December 19, 2014, 7:00:06 PM, you wrote:
>
> > On Fri, Dec 19, 2014 at 06:31:33PM -0500, Rufe Glick wrote:
> >> Hello Jeremy,
>
> >> Friday, December 19, 2014, 4:55:21 PM, you wrote:
>
> >> > On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
> >> >> Hello Jeremy,
>
> >> >> > Do alice and bob have the same user ids on client
> >> >> > and server ?
>
> >> >> Yes, the uids and gids are identical on both server and client machines.
>
> >> > Then it should work. Set debug level 10 on the smbd
> >> > and look for ACCESS_DENIED messages in the logs.
>
> >> I set debug level to 10. This is the output -- http://pastebin.com/dfmHqYA7 -- I get in '/var/log/samba/log.' file on the server side when I try to access share as bob on the client machine (and get Permission denied error). There are no ACCESS_DENIED messages in the logs. For the reference - bob's uid/gid are 1002, alice's uid/gid are 1001.
>
> > Hmmm. Might be a client bug. It's only doing
> > a smbd_do_qfilepathinfo: SMB_QUERY_FILE_UNIX_BASIC
> > call to check if it can cd into the directory,
> > instead of a SMB_QUERY_POSIX_ACL: trans2
> > request.
>
> > Pinging Steve French...
>
> By the way of trial and error I seem to find the setup that allows bob to have read-write access on
> the share, but in somewhat lame way.
>
> First bob's uid must be used with mount options:
>
> mount -t cifs -o username=bob,password=pass,uid=1002 //192.168.1.112/smbshare /mnt/smbshare
>
> Second - owner's file mode bits on directory must match or exceed those that set for other user using acls.
> That is if bob has full rwx permissions on directory (via acl), but owner's bits are r-x, then bob won't
> have rwx, but r-x permissions on the directory. As soon as I change shared directory's owner's
> (alice in this case) permissions to rwx, bob gets full permissions as well (I have to re-login).
>
> Also if I then try to access the share as alice I get read-only access for the share (though
> now alice has rwx permissions as directory owner). Things like 'touch file.txt' or
> 'echo "I am alice" > file.txt' return Permission denied error and create an empty file.
>
> That is weird and illogical behavior. I would appreciate if someone can explain to me why it works this
> way and if it should work this way.
>
> For the reference the version number as returned 'mount.cifs -V' is 6.2
>

Have you tried mounting with noperm (and also tried multiuser mounts)?

Hello Steve,

Friday, December 19, 2014, 10:13:47 PM, you wrote:

> On Dec 19, 2014 9:05 PM, "Rufe Glick" <rufe.glick at gmail.com> wrote:
>
>> Hello Jeremy,
>
>> Friday, December 19, 2014, 7:00:06 PM, you wrote:
>
>> > On Fri, Dec 19, 2014 at 06:31:33PM -0500, Rufe Glick wrote:
>> >> Hello Jeremy,
>
>> >> Friday, December 19, 2014, 4:55:21 PM, you wrote:
>
>> >> > On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
>> >> >> Hello Jeremy,
>
>> >> >> > Do alice and bob have the same user ids on client
>> >> >> > and server ?
>
>> >> >> Yes, the uids and gids are identical on both server and client machines.
>
>> >> > Then it should work. Set debug level 10 on the smbd
>> >> > and look for ACCESS_DENIED messages in the logs.
>
>> >> I set debug level to 10. This is the output -- http://pastebin.com/dfmHqYA7 -- I get in '/var/log/samba/log.' file on the server side when I try to access share as bob on the client machine (and get Permission denied error). There are no ACCESS_DENIED messages in the logs. For the reference - bob's uid/gid are 1002, alice's uid/gid are 1001.
>
>> > Hmmm. Might be a client bug. It's only doing
>> > a smbd_do_qfilepathinfo: SMB_QUERY_FILE_UNIX_BASIC
>> > call to check if it can cd into the directory,
>> > instead of a SMB_QUERY_POSIX_ACL: trans2
>> > request.
>
>> > Pinging Steve French...
>
>> By the way of trial and error I seem to find the setup that allows bob to have read-write access on
>> the share, but in somewhat lame way.
>
>> First bob's uid must be used with mount options:
>
>> mount -t cifs -o username=bob,password=pass,uid=1002 //192.168.1.112/smbshare /mnt/smbshare
>
>> Second - owner's file mode bits on directory must match or exceed those that set for other user using acls.
>> That is if bob has full rwx permissions on directory (via acl), but owner's bits are r-x, then bob won't
>> have rwx, but r-x permissions on the directory. As soon as I change shared directory's owner's
>> (alice in this case) permissions to rwx, bob gets full permissions as well (I have to re-login).
>
>> Also if I then try to access the share as alice I get read-only access for the share (though
>> now alice has rwx permissions as directory owner). Things like 'touch file.txt' or
>> 'echo "I am alice" > file.txt' return Permission denied error and create an empty file.
>
>> That is weird and illogical behavior. I would appreciate if someone can explain to me why it works this
>> way and if it should work this way.
>
>> For the reference the version number as returned 'mount.cifs -V' is 6.2
>
> Have you tried mounting with noperm (and also tried multiuser mounts)?

I tried mounting with noperm option as you suggested. The resulted mount does take into account the Unix acl permissions. But in this case credentials become shared among all users of the client machine. That is if I mount as bob and bob has read-write perms, then all users of the client machine will have bob's permissions on the share. And if I mount with alice's credentials who has read-only permissions then all users of the client machine will have read-only permissions on the share as well.

I haven't tried the multiuser option yet. I'll need to figure out how it works first.

In the end what I'm trying to achieve is having two users on the local machine one of which has read-only and the other read-write permissions on the remote Samba share. Other users should not have access to the share. Also the two users should be able to access the share without having to remount it (the same Samba credentials should be used). Is this setup possible?
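
A model of the two permission checks discussed in this thread, added here as an example; it is not part of any message above and is not kernel or Samba code. It assumes the client, without noperm, tests only the mode bits it is shown (the SMB_QUERY_FILE_UNIX_BASIC data Jeremy mentions) against the owner given by uid=, while the server evaluates the POSIX ACL for the account used at mount time; all class and function names, the gid value and the sample modes are constructed.

```python
# Constructed model, not kernel or Samba code; names and values are assumptions.
from dataclasses import dataclass, field

@dataclass
class Directory:
    owner: int
    group: int
    mode: int                  # mode bits the client is shown
    named_users: dict = field(default_factory=dict)  # ACL: uid -> perms
    group_obj: int = 0o5       # ACL entry of the owning group
    mask: int = 0o7            # ACL mask

@dataclass
class Mount:
    cred_uid: int              # account given in username=
    cred_gids: frozenset
    uid: int                   # uid= option: owner shown for every file
    gid: int                   # group shown for every file (assumed)
    noperm: bool = False

def client_check(d, m, local_uid, local_gids):
    """Owner/group/other test on mode bits; ACL entries are never consulted."""
    if local_uid == m.uid:
        return (d.mode >> 6) & 7
    if m.gid in local_gids:
        return (d.mode >> 3) & 7
    return d.mode & 7

def server_check(d, uid, gids):
    """POSIX ACL order: owner, named user, owning group, other."""
    if uid == d.owner:
        return (d.mode >> 6) & 7
    if uid in d.named_users:
        return d.named_users[uid] & d.mask
    if d.group in gids:
        return d.group_obj & d.mask
    return d.mode & 7

def effective(d, m, local_uid, local_gids):
    """The server decides for the mount credentials; the client may narrow it."""
    granted = server_check(d, m.cred_uid, m.cred_gids)
    if not m.noperm:
        granted &= client_check(d, m, local_uid, local_gids)
    return granted

def demo():
    # alice's directory, owner bits r-x, bob granted rwx through the ACL
    d = Directory(1001, 1001, 0o575, {1002: 0o7})
    m = Mount(1002, frozenset({1002}), uid=1002, gid=1002)
    return effective(d, m, 1002, {1002})  # 5 = r-x: write is lost on the client
```

With `noperm=True` the same call returns the server's answer for the mount account no matter which local uid asks, which is the credential sharing described in the last message.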