thr3ads.net - samba - [Samba] Samba behaves differently than windows with layered-directory permissions [Jan 2015]

If this information is useful, please help other people find it:
Share via:

Shyam Kaushik

2015-Jan-16 19:43 UTC

[Samba] Samba behaves differently than windows with layered-directory permissions

Hi Folks,



We are using samba-4.0.22. We have a very strange issue:



We have samba connected to AD & a folder layout like AA\BB\CC\



Folder AA ? has explicit permission for "AD\user1"

Folder BB ? does not inherit permission from AA & "AD\user1" is
explicitly
removed

Folder CC ? does not inherit permission from BB & "AD\user1" is
added



If we browse through this folder layout in windows (logged in as
?AD\user1?) we see that

access to Folder AA - works

access to Folder BB - access denied as expected

access to Folder AA\BB\CC ? works (i.e. specifying full path makes it
traverse the path & reach the end-directory, though an intermediate
directory does not have permission for the user)



The same folder/permission layout with a samba share

access to Folder AA - works

access to Folder BB - access denied as expected

access to Folder AA\BB\CC - access denied (i.e. even after specifying full
path, it fails)


>From Samba logs, this is the error that shows up (OpenDir on AA/BB levelfails for User1 & it stops there/returns error)

[2015/01/16 20:10:20.848204,  5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:421(unix_convert)

  unix_convert begin: name = AA/BB/CC, dirpath = AA/BB, start = CC

[2015/01/16 20:10:20.848298, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)

  is_mangled CC ?

[2015/01/16 20:10:20.848363, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)

  is_mangled_component CC (len 2) ?

[2015/01/16 20:10:20.848421, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)

  is_mangled CC ?

[2015/01/16 20:10:20.848473, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)

  is_mangled_component CC (len 2) ?

[2015/01/16 20:10:20.848535,  5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/dir.c:1613(OpenDir)

  OpenDir: Can't open AA/BB. Permission denied

[2015/01/16 20:10:20.848606,  3, pid=14604, effective(2021341, 2000514),
real(2021341, 0)]
../source3/smbd/filename.c:1150(get_real_filename_full_scan)

  scan dir didn't open dir [AA/BB]

[2015/01/16 20:10:20.848661, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)

 is_mangled CC ?

[2015/01/16 20:10:20.848712, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)

  is_mangled_component CC (len 2) ?

[2015/01/16 20:10:20.848764,  5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:816(unix_convert)

  New file CC

[2015/01/16 20:10:20.848830,  5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:1050(check_name)

  check_name: name AA/BB/CC failed with NT_STATUS_ACCESS_DENIED

[2015/01/16 20:10:20.848885,  3, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:1402(filename_convert_internal)

  filename_convert_internal: check_name failed for name AA/BB/CC with
NT_STATUS_ACCESS_DENIED

[2015/01/16 20:10:20.848948, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)]
../source3/smbd/smb2_server.c:2618(smbd_smb2_request_error_ex)

  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_create.c:303

[2015/01/16 20:10:20.849008, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)]
../source3/smbd/smb2_server.c:2511(smbd_smb2_request_done_ex)

  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8]
dyn[yes:1] at ../source3/smbd/smb2_server.c:2671



Is this a known issue with Samba? Any suggestions on how to fix this & make
it similar to Native Windows behavior? Any help is much appreciated. Thanks.



--Shyam

Reindl Harald

2015-Jan-19 09:21 UTC

head link

[Samba] Samba behaves differently than windows with layered-directory permissions

Am 16.01.2015 um 20:43 schrieb Shyam Kaushik:> The same folder/permission layout with a samba share
>
> access to Folder AA - works
>
> access to Folder BB - access denied as expected
>
> access to Folder AA\BB\CC - access denied (i.e. even after specifying full
> path, it fails)
that's expected *unix behavior* from the filesystem *below* samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20150119/65f6d7fd/attachment.pgp>

Seemingly Similar Threads

Search for more seemingly similar threads

samba - Jan 2015 - Samba behaves differently than windows with layered-directory permissions

[Samba] Samba behaves differently than windows with layered-directory permissions

[Samba] Samba behaves differently than windows with layered-directory permissions

Seemingly Similar Threads