Shyam Kaushik
2015-Jan-16 19:43 UTC
[Samba] Samba behaves differently than windows with layered-directory permissions
Hi Folks, We are using samba-4.0.22. We have a very strange issue: We have samba connected to AD & a folder layout like AA\BB\CC\ Folder AA ? has explicit permission for "AD\user1" Folder BB ? does not inherit permission from AA & "AD\user1" is explicitly removed Folder CC ? does not inherit permission from BB & "AD\user1" is added If we browse through this folder layout in windows (logged in as ?AD\user1?) we see that access to Folder AA - works access to Folder BB - access denied as expected access to Folder AA\BB\CC ? works (i.e. specifying full path makes it traverse the path & reach the end-directory, though an intermediate directory does not have permission for the user) The same folder/permission layout with a samba share access to Folder AA - works access to Folder BB - access denied as expected access to Folder AA\BB\CC - access denied (i.e. even after specifying full path, it fails)>From Samba logs, this is the error that shows up (OpenDir on AA/BB levelfails for User1 & it stops there/returns error) [2015/01/16 20:10:20.848204, 5, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/filename.c:421(unix_convert) unix_convert begin: name = AA/BB/CC, dirpath = AA/BB, start = CC [2015/01/16 20:10:20.848298, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled) is_mangled CC ? [2015/01/16 20:10:20.848363, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component) is_mangled_component CC (len 2) ? [2015/01/16 20:10:20.848421, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled) is_mangled CC ? [2015/01/16 20:10:20.848473, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component) is_mangled_component CC (len 2) ? [2015/01/16 20:10:20.848535, 5, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/dir.c:1613(OpenDir) OpenDir: Can't open AA/BB. Permission denied [2015/01/16 20:10:20.848606, 3, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/filename.c:1150(get_real_filename_full_scan) scan dir didn't open dir [AA/BB] [2015/01/16 20:10:20.848661, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled) is_mangled CC ? [2015/01/16 20:10:20.848712, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component) is_mangled_component CC (len 2) ? [2015/01/16 20:10:20.848764, 5, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/filename.c:816(unix_convert) New file CC [2015/01/16 20:10:20.848830, 5, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/filename.c:1050(check_name) check_name: name AA/BB/CC failed with NT_STATUS_ACCESS_DENIED [2015/01/16 20:10:20.848885, 3, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/filename.c:1402(filename_convert_internal) filename_convert_internal: check_name failed for name AA/BB/CC with NT_STATUS_ACCESS_DENIED [2015/01/16 20:10:20.848948, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/smb2_server.c:2618(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:303 [2015/01/16 20:10:20.849008, 10, pid=14604, effective(2021341, 2000514), real(2021341, 0)] ../source3/smbd/smb2_server.c:2511(smbd_smb2_request_done_ex) smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2671 Is this a known issue with Samba? Any suggestions on how to fix this & make it similar to Native Windows behavior? Any help is much appreciated. Thanks. --Shyam
Reindl Harald
2015-Jan-19 09:21 UTC
[Samba] Samba behaves differently than windows with layered-directory permissions
Am 16.01.2015 um 20:43 schrieb Shyam Kaushik:> The same folder/permission layout with a samba share > > access to Folder AA - works > > access to Folder BB - access denied as expected > > access to Folder AA\BB\CC - access denied (i.e. even after specifying full > path, it fails)that's expected *unix behavior* from the filesystem *below* samba -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20150119/65f6d7fd/attachment.pgp>