Hello,

I have the problem that the ACLs are ignored when I mount a share via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also tried it with Gentoo and samba 4.1.14). So I joined a member server like the wiki describes. Everything works fine. I can manage the users and permissions with the RSAT tools. For the linux side I use rfc2307 and winbind on the member. So every user and group has a uid and gid. I can log in at the member server, but when I try to access a shared folder it failed with permission denied. Here is the output, I hope this helps to understand the problem:

root@client9:/home/testsamba# mount -vt cifs //server1/studis /data/studis -o user=klaus,sec=krb5
mount.cifs kernel mount options: ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
root@client9:/home/testsamba# getfacl /data/studis/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:klaus:rwx
default:group::r-x
default:group:root:r-x
default:group:rt:rwx
default:group:studis:rwx
default:mask::rwx
default:other::---

root@client9:/home/testsamba# su klaus
klaus@client9:/home/testsamba$ id
uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
klaus@client9:/home/testsamba$ cd /data/studis/
bash: cd: /data/studis/: Keine Berechtigung (permission denied)

I don't understand why it is not working. My questions are: Should it work? Is it a bug or is it a problem in configuration?

Sorry for my bad English

Best regards
Norbert Heinzelmann

On 22/01/15 10:53, Norbert Heinzelmann wrote:
> Hello,
>
> I have the problem that the ACLs are ignored when I mount a share via
> cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also tried it
> with Gentoo and samba 4.1.14). So I joined a member server like the
> wiki describes. Everything works fine. I can manage the users and
> permissions with the RSAT tools. For the linux side I use rfc2307 and
> winbind on the member. So every user and group has a uid and gid. I
> can log in at the member server, but when I try to access a shared
> folder it failed with permission denied. Here is the output, I hope
> this helps to understand the problem:
>
> root@client9:/home/testsamba# mount -vt cifs //server1/studis
> /data/studis -o user=klaus,sec=krb5
> mount.cifs kernel mount options:
> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
> root@client9:/home/testsamba# getfacl /data/studis/
> getfacl: Entferne führende '/' von absoluten Pfadnamen
> # file: data/studis/
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:klaus:rwx
> group::r-x
> group:root:r-x
> group:rt:rwx
> group:studis:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:klaus:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:rt:rwx
> default:group:studis:rwx
> default:mask::rwx
> default:other::---
>
> root@client9:/home/testsamba# su klaus
> klaus@client9:/home/testsamba$ id
> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
> klaus@client9:/home/testsamba$ cd /data/studis/
> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>
> I don't understand why it is not working. My questions are: Should it
> work? Is it a bug or is it a problem in configuration?
>

OK, this appears to be a Unix problem, the user on the client cannot 'cd' into another dir, this really has nothing to do with cifs.

What does ls -la /data show ?

Rowland

On 22.01.2015 at 12:28, Rowland Penny wrote:
> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>> Hello,
>>
>> I have the problem that the ACLs are ignored when I mount a share via
>> cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also tried it
>> with Gentoo and samba 4.1.14). So I joined a member server like the
>> wiki describes. Everything works fine. I can manage the users and
>> permissions with the RSAT tools. For the linux side I use rfc2307 and
>> winbind on the member. So every user and group has a uid and gid. I
>> can log in at the member server, but when I try to access a shared
>> folder it failed with permission denied. Here is the output, I hope
>> this helps to understand the problem:
>>
>> root@client9:/home/testsamba# mount -vt cifs //server1/studis
>> /data/studis -o user=klaus,sec=krb5
>> mount.cifs kernel mount options:
>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>> root@client9:/home/testsamba# getfacl /data/studis/
>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>> # file: data/studis/
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:klaus:rwx
>> group::r-x
>> group:root:r-x
>> group:rt:rwx
>> group:studis:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:klaus:rwx
>> default:group::r-x
>> default:group:root:r-x
>> default:group:rt:rwx
>> default:group:studis:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root@client9:/home/testsamba# su klaus
>> klaus@client9:/home/testsamba$ id
>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>> klaus@client9:/home/testsamba$ cd /data/studis/
>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>
>> I don't understand why it is not working. My questions are: Should it
>> work? Is it a bug or is it a problem in configuration?
>>
>
> OK, this appears to be a Unix problem, the user on the client cannot
> 'cd' into another dir, this really has nothing to do with cifs.
>
> What does ls -la /data show ?
>
> Rowland
>
>

Hello Rowland,

During my tests I set up a member server that shares a folder, so I can log in as AD user. At this member server I could access the folder (local). But if I mount the same folder to another member it did not work. That's why I don't think it's a Unix problem but maybe I misunderstood something.

ls -la says
drwxrwx---+ 2 root root 0 Jan 19 15:59 studis

Norbert

On 22.01.2015 at 13:14, Rowland Penny wrote:
> On 22/01/15 11:52, Norbert Heinzelmann wrote:
>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>> Hello,
>>>>
>>>> I have the problem that the ACLs are ignored when I mount a share
>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also
>>>> tried it with Gentoo and samba 4.1.14). So I joined a member server
>>>> like the wiki describes. Everything works fine. I can manage the
>>>> users and permissions with the RSAT tools. For the linux side I use
>>>> rfc2307 and winbind on the member. So every user and group has a
>>>> uid and gid. I can log in at the member server, but when I try to
>>>> access a shared folder it failed with permission denied. Here is
>>>> the output, I hope this helps to understand the problem:
>>>>
>>>> root@client9:/home/testsamba# mount -vt cifs //server1/studis
>>>> /data/studis -o user=klaus,sec=krb5
>>>> mount.cifs kernel mount options:
>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>>>>
>>>> root@client9:/home/testsamba# getfacl /data/studis/
>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>> # file: data/studis/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:klaus:rwx
>>>> group::r-x
>>>> group:root:r-x
>>>> group:rt:rwx
>>>> group:studis:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:klaus:rwx
>>>> default:group::r-x
>>>> default:group:root:r-x
>>>> default:group:rt:rwx
>>>> default:group:studis:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root@client9:/home/testsamba# su klaus
>>>> klaus@client9:/home/testsamba$ id
>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>> klaus@client9:/home/testsamba$ cd /data/studis/
>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>
>>>> I don't understand why it is not working. My questions are: Should
>>>> it work? Is it a bug or is it a problem in configuration?
>>>>
>>>
>>> OK, this appears to be a Unix problem, the user on the client cannot
>>> 'cd' into another dir, this really has nothing to do with cifs.
>>>
>>> What does ls -la /data show ?
>>>
>>> Rowland
>>>
>>>
>> Hello Rowland,
>>
>> During my tests I set up a member server that shares a folder, so I
>> can log in as AD user. At this member server I could access the folder
>> (local). But if I mount the same folder to another member it did not
>> work. That's why I don't think it's a Unix problem but maybe I
>> misunderstood something.
>>
>> ls -la says
>> drwxrwx---+ 2 root root 0 Jan 19 15:59 studis
>>
>>
>>
>> Norbert
>
> No it didn't, it probably said something like:
>
> drwxr-x--- 3 root root 4096 Jan 22 11:18 .
> drwxr-xr-x 26 root root 4096 Jan 22 11:18 ..
> drwxr-xr-- 2 root root 4096 Jan 22 11:18 studis
>

You are right. I cut the rest.

> But anyway working from what you posted 'drwxrwx---+'
> The 'd' means it is a directory
> The first 'rwx' means that the owner 'root' can read, write and enter
> the directory
> The second 'rwx' means that members of the 'root' group can read,
> write and enter the directory
> The last '---' means that others cannot read, write or enter the directory
> The '+' means that there are ACL's on the directory
>

And I mean these ACL's, as I showed in my first post, the user klaus has rwx rights on this folder. And he is also in the group rt which has rwx rights too. When I access this folder locally it works, only the cifs mounted folder doesn't use the ACL's. That is what I don't understand.

> Now unless 'klaus' is a member of the 'root' group, he will not be
> able to 'cd' into the directory at the Unix level. Try changing the
> setting with 'chmod -R o+x /data'
>

When I change the owner, sure it works. But I want to use ACL's.

> Rowland

Norbert

On 22.01.2015 at 13:37, Rowland Penny wrote:
> On 22/01/15 12:22, Norbert Heinzelmann wrote:
>> On 22.01.2015 at 13:14, Rowland Penny wrote:
>>> On 22/01/15 11:52, Norbert Heinzelmann wrote:
>>>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have the problem that the ACLs are ignored when I mount a share
>>>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also
>>>>>> tried it with Gentoo and samba 4.1.14). So I joined a member
>>>>>> server like the wiki describes. Everything works fine. I can
>>>>>> manage the users and permissions with the RSAT tools. For the
>>>>>> linux side I use rfc2307 and winbind on the member. So every user
>>>>>> and group has a uid and gid. I can log in at the member server,
>>>>>> but when I try to access a shared folder it failed with
>>>>>> permission denied. Here is the output, I hope this helps to
>>>>>> understand the problem:
>>>>>>
>>>>>> root@client9:/home/testsamba# mount -vt cifs //server1/studis
>>>>>> /data/studis -o user=klaus,sec=krb5
>>>>>> mount.cifs kernel mount options:
>>>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>>>>>>
>>>>>> root@client9:/home/testsamba# getfacl /data/studis/
>>>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>>>> # file: data/studis/
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:klaus:rwx
>>>>>> group::r-x
>>>>>> group:root:r-x
>>>>>> group:rt:rwx
>>>>>> group:studis:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:klaus:rwx
>>>>>> default:group::r-x
>>>>>> default:group:root:r-x
>>>>>> default:group:rt:rwx
>>>>>> default:group:studis:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> root@client9:/home/testsamba# su klaus
>>>>>> klaus@client9:/home/testsamba$ id
>>>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>>>> klaus@client9:/home/testsamba$ cd /data/studis/
>>>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>>>
>>>>>> I don't understand why it is not working. My questions are:
>>>>>> Should it work? Is it a bug or is it a problem in configuration?
>>>>>>
>>>>>
>>>>> OK, this appears to be a Unix problem, the user on the client
>>>>> cannot 'cd' into another dir, this really has nothing to do with
>>>>> cifs.
>>>>>
>>>>> What does ls -la /data show ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Hello Rowland,
>>>>
>>>> During my tests I set up a member server that shares a folder, so I
>>>> can log in as AD user. At this member server I could access the
>>>> folder (local). But if I mount the same folder to another member it
>>>> did not work. That's why I don't think it's a Unix problem but maybe I
>>>> misunderstood something.
>>>>
>>>> ls -la says
>>>> drwxrwx---+ 2 root root 0 Jan 19 15:59 studis
>>>>
>>>>
>>>>
>>>> Norbert
>>>
>>> No it didn't, it probably said something like:
>>>
>>> drwxr-x--- 3 root root 4096 Jan 22 11:18 .
>>> drwxr-xr-x 26 root root 4096 Jan 22 11:18 ..
>>> drwxr-xr-- 2 root root 4096 Jan 22 11:18 studis
>>>
>> You are right. I cut the rest.
>>> But anyway working from what you posted 'drwxrwx---+'
>>> The 'd' means it is a directory
>>> The first 'rwx' means that the owner 'root' can read, write and
>>> enter the directory
>>> The second 'rwx' means that members of the 'root' group can read,
>>> write and enter the directory
>>> The last '---' means that others cannot read, write or enter the
>>> directory
>>> The '+' means that there are ACL's on the directory
>>>
>> And I mean these ACL's, as I showed in my first post, the user klaus
>> has rwx rights on this folder. And he is also in the group rt which
>> has rwx rights too. When I access this folder locally it works, only
>> the cifs mounted folder doesn't use the ACL's. That is what I don't
>> understand.
>>> Now unless 'klaus' is a member of the 'root' group, he will not be
>>> able to 'cd' into the directory at the Unix level. Try changing the
>>> setting with 'chmod -R o+x /data'
>>>
>> When I change the owner, sure it works. But I want to use ACL's.
>>> Rowland
>> Norbert
>
> ACL's = WINDOWS
> acl's = UNIX
>
> When 'klaus' tries to 'cd' he will use acl's, so at the Unix level he
> needs access.
>
> Try having a look here:
> http://linuxcostablanca.blogspot.co.uk/2013/05/samba-3615-file-server-for-samba-406-ad.html
>
> It may give you the required hints.
>
> Rowland
>

It didn't help me. When I try, i.e. with force group, I get an input/output error when I try to mount the share.

Norbert
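
The two permission checks discussed in this thread, as an added example that is not part of the original messages: it evaluates the getfacl output from the first post in the POSIX ACL check order, and separately with only the nine mode bits from the `ls -la` line. Function names are illustrative, and the `default:` entries are left out because they only apply to newly created files.

```python
# Added example: GETFACL is the access ACL from the first post; names are illustrative.
GETFACL = """\
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries) with entries as (tag, qualifier, perms)."""
    meta, entries = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            meta[key] = value
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms.replace("-", ""))))
    return meta["owner"], meta["group"], entries

def acl_access(user, groups, want, owner, group, entries):
    """POSIX ACL check order: owner, named user, groups (masked), other."""
    find = lambda tag, q="": [p for t, x, p in entries if t == tag and x == q]
    mask = (find("mask") or [set("rwx")])[0]
    if user == owner:
        return want <= find("user")[0]
    if find("user", user):
        return want <= find("user", user)[0] & mask
    matched = [p & mask for t, q, p in entries
               if t == "group" and (q or group) in groups]
    if matched:
        return any(want <= p for p in matched)
    return want <= find("other")[0]

def mode_access(user, groups, want, owner, group, mode):
    """Classic check using only the nine mode bits shown by ls -l."""
    cls = 0 if user == owner else 1 if group in groups else 2
    return want <= set(mode[1 + 3 * cls:4 + 3 * cls].replace("-", ""))

owner, group, acl = parse_getfacl(GETFACL)
args = ("klaus", {"rt"}, {"x"}, owner, group)  # uid/gid from the `id` output
print("ACL:", acl_access(*args, acl), "| mode bits:", mode_access(*args, "drwxrwx---+"))
```

For klaus the ACL evaluation grants search permission through the `user:klaus:rwx` entry, while a check that sees only `drwxrwx---` with owner and group root places him in the "other" class and refuses.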