On 22/01/15 10:53, Norbert Heinzelmann wrote:

Hello,

I have the problem that the ACLs are ignored when I mount a share via cifs. I have an AD with Samba 4.1.6 on Ubuntu 14.04 (but I also tried it with Gentoo and Samba 4.1.14). So I joined a member server like the wiki describes. Everything works fine. I can manage the users and permissions with the RSAT tools. For the Linux side I use rfc2307 and winbind on the member. So every user and group has a uid and gid. I can log in at the member server, but when I try to access a shared folder it fails with permission denied. Here is the output, I hope this helps to understand the problem:

root@client9:/home/testsamba# mount -vt cifs //server1/studis /data/studis -o user=klaus,sec=krb5
mount.cifs kernel mount options: ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********

root@client9:/home/testsamba# getfacl /data/studis/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:klaus:rwx
default:group::r-x
default:group:root:r-x
default:group:rt:rwx
default:group:studis:rwx
default:mask::rwx
default:other::---

root@client9:/home/testsamba# su klaus
klaus@client9:/home/testsamba$ id
uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
klaus@client9:/home/testsamba$ cd /data/studis/
bash: cd: /data/studis/: Keine Berechtigung (permission denied)

I don't understand why it is not working. My questions are: Should it work? Is it a bug or is it a problem in configuration?

On 22/01/15 12:28, Rowland Penny wrote:

OK, this appears to be a Unix problem, the user on the client cannot 'cd' into another dir, this really has nothing to do with cifs.

What does ls -la /data show?

Rowland

On 22/01/15 12:57, Norbert Heinzelmann wrote:

Hello Rowland,

during my tests I set up a member server that shares a folder, so I can log in as an AD user. At this member server I could access the folder (locally). But if I mount the same folder on another member it did not work. That's why I don't think it's a Unix problem, but maybe I misunderstood something.

ls -la says
drwxrwx---+ 2 root root 0 Jan 19 15:59 studis

Norbert

On 22.01.2015 at 17:17, Rowland Penny wrote:

OK, it is a bit since I last mounted a dir from one Linux machine to another, so I had to refresh my memory by doing it again :-)

Here is what I did (I actually mounted my home dir on my laptop to another machine).

The share in smb.conf on my laptop is simply this:

[homes]
comment = Home Directories
browseable = no
read only = no

I created a new user on the DC:
samba-tool user add cifsuser
Gave 'cifsuser' a uidNumber and gidNumber

Next on the client:

Extract and merge a keytab:
cd /etc
ktutil
ktutil: add_entry -password -p cifsuser@EXAMPLE.COM -k 1 -e arcfour-hmac
Password for cifsuser@EXAMPLE.COM:
ktutil: wkt cifs.keytab
ktutil: rkt krb5.keytab
ktutil: rkt cifs.keytab
ktutil: wkt krb5.keytab
ktutil: quit

Restarted samba & winbind to make sure that everything was correct.

Now I had the keytab, I tried to mount my homedir:

mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o sec=krb5,username=cifsuser,multiuser

root@test2:~# ls -la /mnt
total 16388
drwxr-xr-x 49 rowland domain_users 0 Jan 19 18:25 .
drwxr-xr-x 24 root root 4096 Jan 22 11:30 ..
drwx------ 3 rowland domain_users 0 Aug 12 18:35 .adobe
-rw------- 1 rowland domain_users 14416 Jan 22 10:55 .bash_history
-rw-r--r-- 1 rowland domain_users 220 Aug 12 16:35 .bash_logout
drwx------ 12 rowland domain_users 0 Jan 8 09:31 .cache
drwxr-xr-x 23 rowland domain_users 0 Nov 24 09:55 .config
drwx------ 3 rowland domain_users 0 Aug 12 16:35 .dbus
drwxr-xr-x 4 rowland domain_users 0 Jul 15 2014 dc5
drwxr-xr-x 2 rowland domain_users 0 Aug 12 16:35 Desktop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and so on.

So it works for me.

Rowland

On 23/01/15 07:34, Norbert Heinzelmann wrote:

Thank you very much for all your efforts, but I think we talk at cross-purposes. What you wrote worked for me too, but this isn't the problem. The question is why extended ACLs (the "+" sign) are only working at the server and not at the client that mounts the share with cifs. I can query them with getfacl on both sides, they will be shown correctly, but they will be ignored at the client. That's the point, it seems that these rights are not transferred to the client.

Norbert
On 23.01.2015 at 10:19, Rowland Penny wrote (replying to Norbert Heinzelmann's message of 23/01/15 07:34, quoted above):

If you connect to a Samba share from a Windows client it will honour any ACLs (the + sign) set on the share because that is what it expects to find.

If you log in to the computer, the user is now a Unix user and will ignore the ACLs and use the Unix acls (rwx) because that is what it expects to find.

So as I said:

WINDOWS USER = ACL

UNIX USER = acl

Rowland
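As an added illustration (not code from the thread or from Samba), the access ACL Norbert posted for /data/studis is evaluated two ways: with the POSIX ACL algorithm described in acl(5), where the user:klaus:rwx entry grants access, and from the rwx mode bits alone, where klaus is neither the owner root nor in group root and falls through to other::---. The user name, group set and requested permission come from his `id` output and the failing `cd`; the ACL text is a constructed copy of his getfacl output.

```python
# Constructed sample: the access ACL of /data/studis from the thread's getfacl output.
STUDIS_ACL = """\
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> set of perms."""
    owner, group, entries = None, None, {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):  # default ACL is not checked
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = set(perms) - {"-"}
    return owner, group, entries

def acl_allows(acl, user, groups, wanted):
    """Access check from acl(5): owner, then named user, then groups (masked), then other."""
    owner, group, e = acl
    wanted, mask = set(wanted), e.get(("mask", ""), {"r", "w", "x"})
    if user == owner:
        return wanted <= e[("user", "")]
    if ("user", user) in e:
        return wanted <= (e[("user", user)] & mask)
    matching = [e[("group", "")]] if group in groups else []
    matching += [p for (t, q), p in e.items() if t == "group" and q in groups]
    if matching:  # any matching group entry that holds all wanted bits grants access
        return any(wanted <= (p & mask) for p in matching)
    return wanted <= e[("other", "")]

def mode_allows(acl, user, groups, wanted):  # same check from rwx mode bits only
    (owner, group, e), wanted = acl, set(wanted)
    if user == owner:
        return wanted <= e[("user", "")]
    if group in groups:  # with an ACL present, ls -l shows the mask as the group bits
        return wanted <= e.get(("mask", ""), e[("group", "")])
    return wanted <= e[("other", "")]
```

For klaus (uid 10000, groups rt) asking for search permission on the directory, acl_allows returns True and mode_allows returns False, which is the discrepancy between the getfacl output and the "permission denied" on cd.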
Norbert Heinzelmann wrote, in reply to Rowland Penny's message of 23.01.2015 at 10:19 (quoted above):

Thanks. So this is the default behaviour. Are there any plans to implement the possibility of using ACLs under Unix? Because I saw that the cifs mount has an option "cifsacl", or is this a totally different feature?