Jeremy Allison
2016-Nov-14 23:32 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> All,
>
> Apologies for basically bumping my own thread, but I'm absolutely at
> my wits' end trying to figure out this access problem. I've
> replicated the issue with and without NFS being involved. On our old
> 4.0.25 server, users can write to files that they have group-based
> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> being honored.

Look for an ACCESS_DENIED. Check the token of the smbd
issuing that error. We check the Windows ACL against
the token before allowing the write.

> open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
> [2016/11/14 11:32:30.009669, 4, pid=9336, effective(2310, 2049),
> real(2310, 0)] ../source3/smbd/open.c:2758(open_file_ntcreate)
> calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask
> = 0x20087, open_access_mask = 0x20087
> [2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
> posix_get_nt_acl: called for file logs/foobar
> [2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049),
> real(2310, 0)] ../source3/passdb/lookup_sid.c:1251(uid_to_sid)
> uid 12477 -> sid S-1-22-1-12477
> [2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049),
> real(2310, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
> gid 9006 -> sid S-1-22-2-9006
> [2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
> canonicalise_acl: Access ace entries before arrange :
> [2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
> canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r--
> [2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
> canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006
> (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
> canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477
> (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049),
> real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
> print_canon_ace_list: canonicalise_acl: ace entries after arrange
> canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477
> (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
> canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006
> (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r--
>
>
> but I'll admit I'm not sure what I'm looking for.
>
> On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> >Hello,
> >
> >Really stumped on this issue. I have samba 4.4.7 running on a new
> >server. Users cannot write to files to which they have write permissions
> >via group.
> >
> >Example:
> >
> >Here's the local filesystem on the samba server. I'm logged in as jmalone
> >
> >
> >: jmalone at canis; cd /home/www.nrao.edu/content/logs/
> >: jmalone at canis; ls -l
> >total 4
> >-rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
> >-rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
> >: jmalone at canis; touch foobar
> >
> >
> >No problems. Now, let me mount that on my Mac:
> >
> >
> >: jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> >: jmalone at agrajag; ls -l
> >total 2
> >-rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
> >-rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
> >-rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
> >: jmalone at agrajag.cv; touch foobar
> >touch: foobar: Permission denied
> >
> >I can write to 'baz' though.
> >
>
> --
> --------------------------------------------------------
> Joshua Malone Systems Administrator
> (jmalone at nrao.edu) NRAO Charlottesville
> 434-296-0263 www.nrao.edu
> 434-249-5699 (mobile)
> --------------------------------------------------------
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Josh Malone
2016-Nov-15 16:42 UTC
[Samba] Clients can't write to group-writable files - plea for help
On 11/14/16 6:32 PM, Jeremy Allison via samba wrote:
> On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
>> All,
>>
>> Apologies for basically bumping my own thread, but I'm absolutely at
>> my wits' end trying to figure out this access problem. I've
>> replicated the issue with and without NFS being involved. On our old
>> 4.0.25 server, users can write to files that they have group-based
>> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
>> being honored.
>
>
> Look for an ACCESS_DENIED. Check the token of the smbd
> issuing that error. We check the Windows ACL against
> the token before allowing the write.

Thank you for that pointer. So, if I take this line for example:

smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
[2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)

I see that smbd #28398 is the offending process. I'm not sure what the "token" is that I'm looking for. Again - sorry for my lack of familiarity with the internals here. I've *never* had issues like these with Samba before.

However, I see this bit:

canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x

My interpretation of this is that samba thinks that the file GID is 0 and that group write is not allowed. This is not at all what the file permissions are though. Am I mis-reading this, or is Samba getting permissions some other way? This is a purely Unix filesystem - there should be no NTFS ACLs.

Also, the line:

[2016/11/14 12:49:21.964411, 5, pid=28398, effective(2310, 2049), real(2310, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)

How is the real different from the effective on a simple unix file?

Thanks again,

-Josh

--
--------------------------------------------------------
Joshua Malone Systems Administrator
(jmalone at nrao.edu) NRAO Charlottesville
434-296-0263 www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
Jeremy Allison
2016-Nov-16 00:25 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Tue, Nov 15, 2016 at 11:42:45AM -0500, Josh Malone via samba wrote:
> On 11/14/16 6:32 PM, Jeremy Allison via samba wrote:
> >On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> >>All,
> >>
> >>Apologies for basically bumping my own thread, but I'm absolutely at
> >>my wits' end trying to figure out this access problem. I've
> >>replicated the issue with and without NFS being involved. On our old
> >>4.0.25 server, users can write to files that they have group-based
> >>write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> >>being honored.
> >
> >
> >Look for an ACCESS_DENIED. Check the token of the smbd
> >issuing that error. We check the Windows ACL against
> >the token before allowing the write.
>
> Thank you for that pointer. So, if I take this line for example:
>
> smbd_check_access_rights: file . requesting 0x40 returning 0x40
> (NT_STATUS_ACCESS_DENIED)
> [2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049),
> real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
>
> I see that smbd #28398 is the offending process. I'm not sure what
> the "token" is that I'm looking for. Again - sorry for my lack of
> familiarity with the internals here. I've *never* had issues like
> these with Samba before.

The token is the list of uids/gids (or SIDs in Windows terms) that
this smbd is using to represent the user right now.

> However, I see this bit:
>
>
> canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root)
> SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root)
> SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r-x

Looks like a perm set of rwxr-xr-x on the file to me, with owner
and group of root.

> My interpretation of this is that samba thinks that the file GID is
> 0 and that group write is not allowed. This is not at all what the
> file permissions are though. Am I mis-reading this or is Samba
> getting permissions some other way. This is a purely Unix filesystem
> - there should be no NTFS ACLs.

smbd synthesises NT ACLs from the POSIX perms in order to do the
access checks. Then it checks the open request using the current
process token against the NT ACL to decide whether to allow access.

> Also, the line:
>
> [2016/11/14 12:49:21.964411, 5, pid=28398, effective(2310, 2049),
> real(2310, 0)]
> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>
> How is the real different from the effective on a simple unix file?

These come from the current uid/gid of the process - constructed here:

	", effective(%u, %u), real(%u, %u)",
	(unsigned int)geteuid(),
	(unsigned int)getegid(),
	(unsigned int)getuid(),
	(unsigned int)getgid());

That line tells you that pid 28398 is currently running with an
effective uid of 2310, and an effective gid of 2049. They are the
values that will be used to check file access.
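The two points Jeremy makes above (the token is the uids/gids smbd currently carries for the user, and the access check runs that token against an ACL synthesised from the POSIX mode bits) can be modelled against the very canon_ace lines quoted in this thread. The following is an added example, not Samba code: it parses the debug-level-10 dump, takes a token of (effective uid, effective gid, supplementary gids) where the supplementary gids are constructed here because the log header only prints the effective pair, and applies POSIX class semantics rather than Samba's exact NT ACL evaluation; the access-mask mapping is deliberately reduced to the data/execute bits.

```python
import re

# Constructed from the canon_ace lines quoted in the thread: logs/foobar
# (after arrange) and the root-owned directory "." from the later reply.
FOOBAR_ACES = """\
canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
"""
DOT_ACES = """\
canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
"""
ACE_RE = re.compile(r"SID = (\S+) .*?(SMB_ACL_\w+) .*?perms ([rwx-]{3})")

# Simplified mapping of NT access-mask bits to POSIX classes (assumption:
# only the data/execute bits are modelled; 0x40 is FILE_DELETE_CHILD, which
# on a directory needs write permission like any other directory change).
MASK_TO_RWX = {0x1: "r", 0x2: "w", 0x4: "w", 0x20: "x", 0x40: "w"}

def access_mask_to_rwx(mask):
    """Collapse an access_mask such as 0x20087 to the POSIX bits it needs."""
    return {rwx for bit, rwx in MASK_TO_RWX.items() if mask & bit}

def parse_canon_aces(text):
    """Turn smbd's debug-level-10 canon_ace dump into (tag, id, perms)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            sid, tag, perms = m.groups()
            # S-1-22-1-<uid> / S-1-22-2-<gid> are Samba's Unix user/group SIDs.
            ident = int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-22-") else None
            aces.append((tag, ident, set(perms.replace("-", ""))))
    return aces

def check_access(aces, token, mask):
    """Decide an open with the process token (euid, egid, supplementary gids),
    POSIX-style: owner class, else group class, else other; first match wins."""
    euid, egid, groups = token
    by_tag = {tag: (ident, perms) for tag, ident, perms in aces}
    if by_tag["SMB_ACL_USER_OBJ"][0] == euid:
        granted = by_tag["SMB_ACL_USER_OBJ"][1]
    elif by_tag["SMB_ACL_GROUP_OBJ"][0] in {egid, *groups}:
        granted = by_tag["SMB_ACL_GROUP_OBJ"][1]
    else:
        granted = by_tag["SMB_ACL_OTHER"][1]
    return access_mask_to_rwx(mask) <= granted
```

Feeding the token from the log header, effective(2310, 2049), shows that a write to logs/foobar only succeeds when gid 9006 is actually present in the supplementary group list, and that the 0x40 request on the root-owned "." is refused for that token regardless of groups.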