On 22.01.2015 at 12:28, Rowland Penny wrote:
> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>> Hello,
>>
>> I have the problem that the ACLs are ignored when I mount a share via
>> cifs. I have an AD with Samba 4.1.6 on Ubuntu 14.04 (but I also tried it
>> with Gentoo and Samba 4.1.14). So I joined a member server like the
>> wiki describes. Everything works fine. I can manage the users and
>> permissions with the RSAT tools. For the Linux side I use rfc2307 and
>> winbind on the member. So every user and group has a uid and gid. I
>> can log in at the member server, but when I try to access a shared
>> folder it fails with permission denied. Here is the output, I hope
>> this helps to understand the problem:
>>
>> root@client9:/home/testsamba# mount -vt cifs //server1/studis /data/studis -o user=klaus,sec=krb5
>> mount.cifs kernel mount options:
>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>> root@client9:/home/testsamba# getfacl /data/studis/
>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>> # file: data/studis/
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:klaus:rwx
>> group::r-x
>> group:root:r-x
>> group:rt:rwx
>> group:studis:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:klaus:rwx
>> default:group::r-x
>> default:group:root:r-x
>> default:group:rt:rwx
>> default:group:studis:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root@client9:/home/testsamba# su klaus
>> klaus@client9:/home/testsamba$ id
>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>> klaus@client9:/home/testsamba$ cd /data/studis/
>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>
>> I don't understand why it is not working. My questions are: Should it
>> work? Is it a bug or is it a problem in configuration?
>>
>
> OK, this appears to be a Unix problem, the user on the client cannot
> 'cd' into another dir, this really has nothing to do with cifs.
>
> What does ls -la /data show ?
>
> Rowland
>

Hello Rowland,

during my tests I set up a member server that shares a folder, so I can
log in as an AD user. At this member server I could access the folder
(locally). But if I mount the same folder on another member it did not
work. That's why I don't think it's a Unix problem, but maybe I
misunderstood something.

ls -la says
drwxrwx---+ 2 root root 0 Jan 19 15:59 studis

Norbert

On 22/01/15 12:57, Norbert Heinzelmann wrote:
> Hello Rowland,
>
> during my tests I set up a member server that shares a folder, so I can
> log in as an AD user. At this member server I could access the folder
> (locally). But if I mount the same folder on another member it did not
> work. That's why I don't think it's a Unix problem, but maybe I
> misunderstood something.
>
> ls -la says
> drwxrwx---+ 2 root root 0 Jan 19 15:59 studis
>
> Norbert

OK, it is a bit since I last mounted a dir from one Linux machine to
another, so I had to refresh my memory by doing it again :-)

Here is what I did (I actually mounted my home dir on my laptop to
another machine).

The share in smb.conf on my laptop is simply this:

[homes]
    comment = Home Directories
    browseable = no
    read only = no

I created a new user on the DC:
samba-tool user add cifsuser
Gave 'cifsuser' a uidNumber and gidNumber

Next on the client:

Extract and merge a keytab:
cd /etc
ktutil
ktutil: add_entry -password -p cifsuser@EXAMPLE.COM -k 1 -e arcfour-hmac
Password for cifsuser@EXAMPLE.COM:
ktutil: wkt cifs.keytab
ktutil: rkt krb5.keytab
ktutil: rkt cifs.keytab
ktutil: wkt krb5.keytab
ktutil: quit

Restarted samba & winbind to make sure that everything was correct.

Now I had the keytab, I tried to mount my homedir:

mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o sec=krb5,username=cifsuser,multiuser

root@test2:~# ls -la /mnt
total 16388
drwxr-xr-x 49 rowland domain_users     0 Jan 19 18:25 .
drwxr-xr-x 24 root    root          4096 Jan 22 11:30 ..
drwx------  3 rowland domain_users     0 Aug 12 18:35 .adobe
-rw-------  1 rowland domain_users 14416 Jan 22 10:55 .bash_history
-rw-r--r--  1 rowland domain_users   220 Aug 12 16:35 .bash_logout
drwx------ 12 rowland domain_users     0 Jan  8 09:31 .cache
drwxr-xr-x 23 rowland domain_users     0 Nov 24 09:55 .config
drwx------  3 rowland domain_users     0 Aug 12 16:35 .dbus
drwxr-xr-x  4 rowland domain_users     0 Jul 15  2014 dc5
drwxr-xr-x  2 rowland domain_users     0 Aug 12 16:35 Desktop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and so on.

So it works for me.

Rowland

On 22.01.2015 at 17:17, Rowland Penny wrote:
> [...]
> So it works for me.
>
> Rowland

Thank you very much for all your efforts, but I think we are talking at
cross-purposes. What you wrote worked for me too, but this isn't the
problem. The question is why the extended ACLs (the "+" sign) are only
working at the server and not at the client that mounts the share with
cifs. I can ask them with getfacl on both sides, they will be shown
correctly, but they will be ignored at the client. That's the point: it
seems that these rights are not transferred to the client.

Norbert
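An added example, not from the thread or from Samba, that evaluates the /data/studis permissions Norbert posted in two ways: with the POSIX.1e ACL algorithm (owner, named users, the masked group class, other) and with nothing but the mode bits from his ls -la line. It shows that klaus gets search access under the ACL but none under the bare rwxrwx--- root:root mode, which is exactly the server/client split he describes. The getfacl, ls and id values are embedded as constructed input taken from his mails; the gid of the studis group is assumed.

```python
# Added example, not from the thread: POSIX.1e ACL evaluation versus plain mode bits, fed with
# Norbert's getfacl / ls -la / id output (constructed here; the gid of "studis" is assumed).
GETFACL = """\
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""
IDS = {"user": {"root": 0, "klaus": 10000}, "group": {"root": 0, "rt": 10000, "studis": 10001}}
def parse_getfacl(text):
    """Parse the access ACL into permission sets; comment and default: lines are skipped."""
    acl = {"users": {}, "groups": {}, "mask": {"r", "w", "x"}}   # no mask:: entry means no masking
    for line in text.splitlines():
        if not line or line.startswith(("#", "default:")):
            continue
        tag, qual, perms = line.split(":")
        perms = set(perms) - {"-"}
        if qual:                                   # named user or group entry
            acl[tag + "s"][IDS[tag][qual]] = perms
        else:                                      # user::, group::, mask::, other::
            acl[tag if tag in ("mask", "other") else tag + "_obj"] = perms
    return acl

def acl_allows(acl, owner, group, uid, gids, want):
    """POSIX.1e access check: owner, then named user, then the group class, then other."""
    want = set(want)
    if uid == owner:
        return want <= acl["user_obj"]
    if uid in acl["users"]:
        return want <= acl["users"][uid] & acl["mask"]
    # Group class: all entries are masked, one entry covering the request grants it, no fall-through.
    matching = [p for g, p in acl["groups"].items() if g in gids]
    if group in gids:
        matching.append(acl["group_obj"])
    if matching:
        return any(want <= p & acl["mask"] for p in matching)
    return want <= acl["other"]

def mode_allows(mode, owner, group, uid, gids, want):
    """The same question answered from an ls-style mode string such as 'rwxrwx---' only."""
    bits = mode[0:3] if uid == owner else mode[3:6] if group in gids else mode[6:9]
    return set(want) <= set(bits) - {"-"}

STUDIS_ACL, STUDIS_MODE, OWNER, GROUP = parse_getfacl(GETFACL), "rwxrwx---", 0, 0  # drwxrwx---+ root root
KLAUS_UID, KLAUS_GIDS = 10000, {10000}   # id: uid=10000(klaus) gid=10000(rt)
```

A cifs client that enforces the mode bits it receives (here rwxrwx--- root:root) gives the second answer even though getfacl on the client can still display the ACL; the mount.cifs option noperm disables that client-side check and leaves the decision to the server, which is the side that evaluates the ACL.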