samba - Nov 2016 - Clients can't write to group-writable files - plea for help

On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba
wrote:
> All,
> 
> Apologies for basically bumping my own thread, but I'm absolutely at
> my wits' end trying to figure out this access problem. I've
> replicated the issue with and without NFS being involved. On our old
> 4.0.25 server, users can write to files that they have group-based
> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> being honored.

Look for an ACCESS_DENIED. Check the token of the smbd
issuing that error. We check the Windows ACL against
the token before allowing the write.

>   open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
> [2016/11/14 11:32:30.009669,  4, pid=9336, effective(2310, 2049),
> real(2310, 0)] ../source3/smbd/open.c:2758(open_fi
> le_ntcreate)
>   calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask
> = 0x20087, open_access_mask = 0x20087
> [2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_a
> cls.c:3558(posix_get_nt_acl)
>   posix_get_nt_acl: called for file logs/foobar
> [2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049),
> real(2310, 0)] ../source3/passdb/lookup_sid.c:1251
> (uid_to_sid)
>   uid 12477 -> sid S-1-22-1-12477
> [2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049),
> real(2310, 0)] ../source3/passdb/lookup_sid.c:1300
> (gid_to_sid)
>   gid 9006 -> sid S-1-22-2-9006
> [2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_a
> cls.c:2724(canonicalise_acl)
>   canonicalise_acl: Access ace entries before arrange :
> [2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_a
> cls.c:2737(canonicalise_acl)
>   canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r--
> [2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_a
> cls.c:2737(canonicalise_acl)
>   canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006
> (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_a
> cls.c:2737(canonicalise_acl)
>   canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477
> (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw
> -
> [2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_a
> cls.c:848(print_canon_ace_list)
>   print_canon_ace_list: canonicalise_acl: ace entries after arrange
>   canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477
> (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw
> -
>   canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006
> (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
>   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r--
> 
> 
> but I'll admit I'm not sure what I'm looking for.
> 
> On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> >Hello,
> >
> >Really stumped on this issue. I have samba 4.4.7 running on a new
> >server. Users cannot write to files to which they have write
permissions
> >via group.
> >
> >Example:
> >
> >Here's the local filesystem on the samba server. I'm logged in
as jmalone
> >
> >
> >: jmalone at canis; cd /home/www.nrao.edu/content/logs/
> >: jmalone at canis; ls -l
> >total 4
> >-rw-rw-r-- 1 jmalone         nraoweb  0 Nov 10 10:02 baz
> >-rw-rw-r-- 1 pmurphy         cvweb    0 Nov 10 11:09 foobar
> >: jmalone at canis; touch foobar
> >
> >
> >No problems. Now, let me mount that on my Mac:
> >
> >
> >: jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> >: jmalone at agrajag; ls -l
> >total 2
> >-rwx------  1 jmalone  nraocv   0 Nov 10 10:02 baz
> >-rwx------  1 jmalone  nraocv   0 Nov 10 11:09 foobar
> >-rwx------  1 jmalone  nraocv  44 Nov 13  2006 index.html
> >: jmalone at agrajag.cv; touch foobar
> >touch: foobar: Permission denied
> >
> >I can write to 'baz' though.
> >
> 
> 
> -- 
> --------------------------------------------------------
>        Joshua Malone       Systems Administrator
>      (jmalone at nrao.edu)    NRAO Charlottesville
>         434-296-0263           www.nrao.edu
> 	434-249-5699 (mobile)
> --------------------------------------------------------
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 11/14/16 6:32 PM, Jeremy Allison via samba wrote:
> On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
>> All,
>>
>> Apologies for basically bumping my own thread, but I'm absolutely
at
>> my wits' end trying to figure out this access problem. I've
>> replicated the issue with and without NFS being involved. On our old
>> 4.0.25 server, users can write to files that they have group-based
>> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
>> being honored.
>
>
> Look for an ACCESS_DENIED. Check the token of the smbd
> issuing that error. We check the Windows ACL against
> the token before allowing the write.
Thank you for that pointer. So, if I take this line for example:

   smbd_check_access_rights: file . requesting 0x40 returning 0x40 
(NT_STATUS_ACCESS_DENIED)
[2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), 
real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)

I see that smbd #28398 is the offending process. I'm not sure what the 
"token" is that I'm looking for. Again - sorry for my lack of 
familiarity with the internals here. I've *never* had issues like these 
with Samba before.

However, I see this bit:


   canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) 
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
   canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) 
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER 
ace_flags = 0x0 perms r-x


My interpretation of this is that samba things that the file GID is 0 
and that group write is not allowed. This is not at all what the file 
permissions are though. Am I mis-reading this or is Samba getting 
permissions some other way. This is a purely Unix filesystem - there 
should be no NTFS ACLs.

Also, the line:

[2016/11/14 12:49:21.964411,  5, pid=28398, effective(2310, 2049), 
real(2310, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)

How is the real different from the effective on a simple unix file?


Thanks again,

-Josh

-- 
--------------------------------------------------------
        Joshua Malone       Systems Administrator
      (jmalone at nrao.edu)    NRAO Charlottesville
         434-296-0263           www.nrao.edu
	434-249-5699 (mobile)
--------------------------------------------------------

On Tue, Nov 15, 2016 at 11:42:45AM -0500, Josh Malone via samba
wrote:
> On 11/14/16 6:32 PM, Jeremy Allison via samba wrote:
> >On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> >>All,
> >>
> >>Apologies for basically bumping my own thread, but I'm
absolutely at
> >>my wits' end trying to figure out this access problem. I've
> >>replicated the issue with and without NFS being involved. On our
old
> >>4.0.25 server, users can write to files that they have group-based
> >>write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is
not
> >>being honored.
> >
> >
> >Look for an ACCESS_DENIED. Check the token of the smbd
> >issuing that error. We check the Windows ACL against
> >the token before allowing the write.
> 
> Thank you for that pointer. So, if I take this line for example:
> 
>   smbd_check_access_rights: file . requesting 0x40 returning 0x40
> (NT_STATUS_ACCESS_DENIED)
> [2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049),
> real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
> 
> I see that smbd #28398 is the offending process. I'm not sure what
> the "token" is that I'm looking for. Again - sorry for my
lack of
> familiarity with the internals here. I've *never* had issues like
> these with Samba before.
The token is the list of uids/gids (or SIDs in Windows terms)
that this smbd is using to represent the user right now.
> However, I see this bit:
> 
> 
>   canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root)
> SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>   canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root)
> SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
>   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r-x
Looks like a perm set of rwxr-xr-x on the file to me, with
owner and group of root.
> My interpretation of this is that samba things that the file GID is
> 0 and that group write is not allowed. This is not at all what the
> file permissions are though. Am I mis-reading this or is Samba
> getting permissions some other way. This is a purely Unix filesystem
> - there should be no NTFS ACLs.
smbd synthesises NT ACLs from the POSIX perms in order to do
the access checks. Then it checks the open request using the
current process token against the NT ACL to decide whether to
allow access.
> Also, the line:
> 
> [2016/11/14 12:49:21.964411,  5, pid=28398, effective(2310, 2049),
> real(2310, 0)]
> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
> 
> How is the real different from the effective on a simple unix file?
These come from the current uid/gid of the process - constructed
here:

                        ", effective(%u, %u), real(%u, %u)",
                        (unsigned int)geteuid(), (unsigned int)getegid(),
                        (unsigned int)getuid(), (unsigned int)getgid());

Thay line tells you that pid 28398 is currently running with
an effective uid of2310, and an effective gid of 2049.

They are the values that will be used to check file access.