samba - Jan 2015 - ACL ignored on cifs mounted share

Am 22.01.2015 um 12:28 schrieb Rowland Penny:
> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>> Hello,
>>
>> I have the problem that the ACLs are ignored when I mount a share via 
>> cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also tried it 
>> with Gentoo and samba 4.1.14). So I joined a member server like the 
>> wiki describes. Everything works fine. I can manage the users and 
>> permissions with the RSAT tools. For the linux side I use rfc2307 and 
>> winbind on the member. So every user and group has a uid and gid. I 
>> can login at the member server, but when I try to access a shared 
>> folder it failed with permission denied. Here is the output, I hope 
>> this helps to understand the problem:
>>
>> root at client9:/home/testsamba# mount -vt cifs //server1/studis 
>> /data/studis -o user=klaus,sec=krb5
>> mount.cifs kernel mount options: 
>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>> root at client9:/home/testsamba# getfacl /data/studis/
>> getfacl: Entferne f?hrende '/' von absoluten Pfadnamen
>> # file: data/studis/
>> # owner: root
>> # group: root
>> user::rwx
>> user:root:rwx
>> user:klaus:rwx
>> group::r-x
>> group:root:r-x
>> group:rt:rwx
>> group:studis:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:klaus:rwx
>> default:group::r-x
>> default:group:root:r-x
>> default:group:rt:rwx
>> default:group:studis:rwx
>> default:mask::rwx
>> default:other::---
>>
>> root at client9:/home/testsamba# su klaus
>> klaus at client9:/home/testsamba$ id
>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>> klaus at client9:/home/testsamba$ cd /data/studis/
>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>
>> I dont understand, why it is not working. My questions are: Should it 
>> work? Is it a bug or is it a problem in configuration?
>>
>
> OK, this appears to be a Unix problem, the user on the client cannot 
> 'cd' into another dir, this really has nothing to do with cifs.
>
> What does ls -la /data show ?
>
> Rowland
>
>
Hello Rowland,

while my tests I set up a member server that shares a folder, so  I can 
login as AD user. At this member server I could access the folder 
(local). But if I mount the same folder to another member it did not 
work. Thats why I dont think its a Unix problem but maybe I 
misunterstood something.

ls -la says
drwxrwx---+  2 root root    0 Jan 19 15:59 studis



Norbert

On 22/01/15 12:57, Norbert Heinzelmann wrote:
> Am 22.01.2015 um 12:28 schrieb Rowland Penny:
>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>> Hello,
>>>
>>> I have the problem that the ACLs are ignored when I mount a share 
>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also 
>>> tried it with Gentoo and samba 4.1.14). So I joined a member server
>>> like the wiki describes. Everything works fine. I can manage the 
>>> users and permissions with the RSAT tools. For the linux side I use
>>> rfc2307 and winbind on the member. So every user and group has a
uid
>>> and gid. I can login at the member server, but when I try to access
>>> a shared folder it failed with permission denied. Here is the 
>>> output, I hope this helps to understand the problem:
>>>
>>> root at client9:/home/testsamba# mount -vt cifs //server1/studis 
>>> /data/studis -o user=klaus,sec=krb5
>>> mount.cifs kernel mount options: 
>>>
ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>>> root at client9:/home/testsamba# getfacl /data/studis/
>>> getfacl: Entferne f?hrende '/' von absoluten Pfadnamen
>>> # file: data/studis/
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> user:klaus:rwx
>>> group::r-x
>>> group:root:r-x
>>> group:rt:rwx
>>> group:studis:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:klaus:rwx
>>> default:group::r-x
>>> default:group:root:r-x
>>> default:group:rt:rwx
>>> default:group:studis:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root at client9:/home/testsamba# su klaus
>>> klaus at client9:/home/testsamba$ id
>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>> klaus at client9:/home/testsamba$ cd /data/studis/
>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>
>>> I dont understand, why it is not working. My questions are: Should 
>>> it work? Is it a bug or is it a problem in configuration?
>>>
>>
>> OK, this appears to be a Unix problem, the user on the client cannot 
>> 'cd' into another dir, this really has nothing to do with cifs.
>>
>> What does ls -la /data show ?
>>
>> Rowland
>>
>>
> Hello Rowland,
>
> while my tests I set up a member server that shares a folder, so I can 
> login as AD user. At this member server I could access the folder 
> (local). But if I mount the same folder to another member it did not 
> work. Thats why I dont think its a Unix problem but maybe I 
> misunterstood something.
>
> ls -la says
> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>
>
>
> Norbert
OK, it is a bit since I last mounted a dir from one linux machine to 
another, so I had to refresh my memory by doing it again :-)

Here is what I did, (I actually mounted my home dir on my laptop to 
another machine)

The share in smb.conf on my laptop is simply this:

[homes]
         comment = Home Directories
         browseable = no
         read only = no

I created a new user on the DC:
samba-tool user add cifsuser
Gave 'cifsuser' a uidNumber and gidNumber

Next on the client:

Extract and merge a keytab:
cd /etc
ktutil
ktutil:  add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e arcfour-hmac
Password for cifsuser at EXAMPLE.COM:
ktutil:  wkt cifs.keytab
ktutil:  rkt krb5.keytab
ktutil:  rkt cifs.keytab
ktutil:  wkt krb5.keytab
ktutil:  quit

Restarted samba & winbind to make sure that everything was correct.

Now I had the keytab, I tried to mount my homedir:

mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o 
sec=krb5,username=cifsuser,multiuser

root at test2:~# ls -la /mnt
total 16388
drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
-rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
-rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and so on.

So it works for me.

Rowland

Am 22.01.2015 um 17:17 schrieb Rowland Penny:
> On 22/01/15 12:57, Norbert Heinzelmann wrote:
>> Am 22.01.2015 um 12:28 schrieb Rowland Penny:
>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>> Hello,
>>>>
>>>> I have the problem that the ACLs are ignored when I mount a
share
>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I
also
>>>> tried it with Gentoo and samba 4.1.14). So I joined a member
server
>>>> like the wiki describes. Everything works fine. I can manage
the
>>>> users and permissions with the RSAT tools. For the linux side I
use
>>>> rfc2307 and winbind on the member. So every user and group has
a
>>>> uid and gid. I can login at the member server, but when I try
to
>>>> access a shared folder it failed with permission denied. Here
is
>>>> the output, I hope this helps to understand the problem:
>>>>
>>>> root at client9:/home/testsamba# mount -vt cifs
//server1/studis
>>>> /data/studis -o user=klaus,sec=krb5
>>>> mount.cifs kernel mount options: 
>>>>
ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>>>>
>>>> root at client9:/home/testsamba# getfacl /data/studis/
>>>> getfacl: Entferne f?hrende '/' von absoluten Pfadnamen
>>>> # file: data/studis/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:klaus:rwx
>>>> group::r-x
>>>> group:root:r-x
>>>> group:rt:rwx
>>>> group:studis:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:klaus:rwx
>>>> default:group::r-x
>>>> default:group:root:r-x
>>>> default:group:rt:rwx
>>>> default:group:studis:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at client9:/home/testsamba# su klaus
>>>> klaus at client9:/home/testsamba$ id
>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>> klaus at client9:/home/testsamba$ cd /data/studis/
>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>
>>>> I dont understand, why it is not working. My questions are:
Should
>>>> it work? Is it a bug or is it a problem in configuration?
>>>>
>>>
>>> OK, this appears to be a Unix problem, the user on the client
cannot
>>> 'cd' into another dir, this really has nothing to do with
cifs.
>>>
>>> What does ls -la /data show ?
>>>
>>> Rowland
>>>
>>>
>> Hello Rowland,
>>
>> while my tests I set up a member server that shares a folder, so I 
>> can login as AD user. At this member server I could access the folder 
>> (local). But if I mount the same folder to another member it did not 
>> work. Thats why I dont think its a Unix problem but maybe I 
>> misunterstood something.
>>
>> ls -la says
>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>>
>>
>>
>> Norbert
>
> OK, it is a bit since I last mounted a dir from one linux machine to 
> another, so I had to refresh my memory by doing it again :-)
>
> Here is what I did, (I actually mounted my home dir on my laptop to 
> another machine)
>
> The share in smb.conf on my laptop is simply this:
>
> [homes]
>         comment = Home Directories
>         browseable = no
>         read only = no
>
> I created a new user on the DC:
> samba-tool user add cifsuser
> Gave 'cifsuser' a uidNumber and gidNumber
>
> Next on the client:
>
> Extract and merge a keytab:
> cd /etc
> ktutil
> ktutil:  add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e
arcfour-hmac
> Password for cifsuser at EXAMPLE.COM:
> ktutil:  wkt cifs.keytab
> ktutil:  rkt krb5.keytab
> ktutil:  rkt cifs.keytab
> ktutil:  wkt krb5.keytab
> ktutil:  quit
>
> Restarted samba & winbind to make sure that everything was correct.
>
> Now I had the keytab, I tried to mount my homedir:
>
> mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o 
> sec=krb5,username=cifsuser,multiuser
>
> root at test2:~# ls -la /mnt
> total 16388
> drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
> drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
> drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
> -rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
> -rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
> drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
> drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
> drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
> drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
> drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> and so on.
>
> So it works for me.
>
> Rowland
Thank you very much for all your efforts, but I think we talk at 
cross-purposes. What you wrote worked fro me too, but this isn't the 
problem. The question is why extended acls (the "+" sign) only working
at the server and not at the client that mounts the share with cifs. I 
can ask them with getfacl on both sides, they will be showed correctly, 
but they will be ignored at the client. That's the point, it seems that 
these rights are not transferred to the client.

Norbert
**