Hello,

Really stumped on this issue. I have samba 4.4.7 running on a new server. Users cannot write to files to which they have write permissions via group.

Example:

Here's the local filesystem on the samba server. I'm logged in as jmalone

: jmalone at canis; cd /home/www.nrao.edu/content/logs/
: jmalone at canis; ls -l
total 4
-rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
-rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
: jmalone at canis; touch foobar

No problems. Now, let me mount that on my Mac:

: jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
: jmalone at agrajag; ls -l
total 2
-rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
-rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
-rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
: jmalone at agrajag.cv; touch foobar
touch: foobar: Permission denied

I can write to 'baz' though.

Here's the log entries from the failed write attempt:

[2016/11/10 10:01:58.250031, 2] ../source3/smbd/open.c:1025(open_file)
  jmalone opened file content/logs/foobar read=No write=No (numopen=4)
[2016/11/10 10:01:58.251220, 2] ../source3/smbd/close.c:793(close_normal_file)
  jmalone closed file content/logs/foobar (numopen=3) NT_STATUS_NOT_FOUND
[2016/11/10 10:01:58.252517, 2] ../source3/smbd/open.c:1025(open_file)
  jmalone opened file content/logs/foobar read=No write=No (numopen=4)
[2016/11/10 10:01:58.253723, 2] ../source3/smbd/close.c:793(close_normal_file)
  jmalone closed file content/logs/foobar (numopen=3) NT_STATUS_NOT_FOUND

The listing is weird over cifs too - not sure if that's the source of problems or a symptom, or a red herring. I also get the same error on a Windows smb client. I've tried 4.5.1, 4.4.5, and now 4.3.12 and they all do the same thing. My old server running 4.0 didn't have this issue.

In case it matters, the filesystem being shared via samba is NFS mounted to the samba server.

Thanks so much,

-Josh

--
--------------------------------------------------------
Joshua Malone                      Systems Administrator
(jmalone at nrao.edu)              NRAO Charlottesville
434-296-0263                       www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
Josh Malone
2016-Nov-14 16:38 UTC
[Samba] Clients can't write to group-writable files - plea for help
All,

Apologies for basically bumping my own thread, but I'm absolutely at my wits' end trying to figure out this access problem. I've replicated the issue with and without NFS being involved. On our old 4.0.25 server, users can write to files that they have group-based write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not being honored.

I would be incredibly grateful for help debugging this issue. I've gone over level 10 logs and nothing is looking like a smoking gun. Lots of stuff like:

  open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
[2016/11/14 11:32:30.009669, 4, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:2758(open_file_ntcreate)
  calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask = 0x20087, open_access_mask = 0x20087
[2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
  posix_get_nt_acl: called for file logs/foobar
[2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1251(uid_to_sid)
  uid 12477 -> sid S-1-22-1-12477
[2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
  gid 9006 -> sid S-1-22-2-9006
[2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
[2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
[2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
[2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--

but I'll admit I'm not sure what I'm looking for.

On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> Hello,
>
> Really stumped on this issue. I have samba 4.4.7 running on a new
> server. Users cannot write to files to which they have write permissions
> via group.
>
> Example:
>
> Here's the local filesystem on the samba server. I'm logged in as jmalone
>
>
> : jmalone at canis; cd /home/www.nrao.edu/content/logs/
> : jmalone at canis; ls -l
> total 4
> -rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
> -rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
> : jmalone at canis; touch foobar
>
>
> No problems. Now, let me mount that on my Mac:
>
>
> : jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> : jmalone at agrajag; ls -l
> total 2
> -rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
> -rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
> -rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
> : jmalone at agrajag.cv; touch foobar
> touch: foobar: Permission denied
>
> I can write to 'baz' though.
>

--
--------------------------------------------------------
Joshua Malone                      Systems Administrator
(jmalone at nrao.edu)              NRAO Charlottesville
434-296-0263                       www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
Jeremy Allison
2016-Nov-14 23:32 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> All,
>
> Apologies for basically bumping my own thread, but I'm absolutely at
> my wits' end trying to figure out this access problem. I've
> replicated the issue with and without NFS being involved. On our old
> 4.0.25 server, users can write to files that they have group-based
> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> being honored.

Look for an ACCESS_DENIED. Check the token of the smbd issuing that error. We check the Windows ACL against the token before allowing the write.

>   open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
> [2016/11/14 11:32:30.009669, 4, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:2758(open_file_ntcreate)
>   calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask = 0x20087, open_access_mask = 0x20087
> [2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
>   posix_get_nt_acl: called for file logs/foobar
> [2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1251(uid_to_sid)
>   uid 12477 -> sid S-1-22-1-12477
> [2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
>   gid 9006 -> sid S-1-22-2-9006
> [2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
>   canonicalise_acl: Access ace entries before arrange :
> [2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
>   canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
> [2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
>   canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
>   canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
>   print_canon_ace_list: canonicalise_acl: ace entries after arrange
>   canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
>   canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
>   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
>
>
> but I'll admit I'm not sure what I'm looking for.
>
> On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> >Hello,
> >
> >Really stumped on this issue. I have samba 4.4.7 running on a new
> >server. Users cannot write to files to which they have write permissions
> >via group.
> >
> >Example:
> >
> >Here's the local filesystem on the samba server. I'm logged in as jmalone
> >
> >
> >: jmalone at canis; cd /home/www.nrao.edu/content/logs/
> >: jmalone at canis; ls -l
> >total 4
> >-rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
> >-rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
> >: jmalone at canis; touch foobar
> >
> >
> >No problems. Now, let me mount that on my Mac:
> >
> >
> >: jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> >: jmalone at agrajag; ls -l
> >total 2
> >-rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
> >-rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
> >-rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
> >: jmalone at agrajag.cv; touch foobar
> >touch: foobar: Permission denied
> >
> >I can write to 'baz' though.
> >
>
> --
> --------------------------------------------------------
> Joshua Malone                      Systems Administrator
> (jmalone at nrao.edu)              NRAO Charlottesville
> 434-296-0263                       www.nrao.edu
> 434-249-5699 (mobile)
> --------------------------------------------------------
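An added example, not part of the reply above and not Samba code: one way to carry out the suggested check over a level-10 log, finding which smbd reported ACCESS_DENIED and testing the dumped ACEs against a candidate token. The sample log is constructed (its last entry is invented), and `token_sids` assumes the token holds unix-mapped SIDs in the form the log shows (S-1-22-1-<uid>, S-1-22-2-<gid>) for whatever gid list you pass in.

```python
import re

HEADER = re.compile(r"^\[[^\]]*pid=(\d+), effective\((\d+), (\d+)\)[^\]]*\]")
ACE = re.compile(r"Type = allow SID = (\S+) .*perms ([r-][w-][x-])")

# Constructed sample. The ACE dump copies the thread's level-10 log; the last
# entry is invented to stand in for a denial (real source locations will differ).
SAMPLE_LOG = """\
[2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
  canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
[2016/11/14 11:32:30.011000, 10, pid=9336, effective(2310, 2049), real(2310, 0)] (constructed entry)
  logs/foobar: NT_STATUS_ACCESS_DENIED
"""

def denied(log):
    """(pid, effective uid, effective gid) of each entry whose body reports ACCESS_DENIED."""
    hits, ids = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            ids = tuple(int(x) for x in m.groups())
        elif ids and "ACCESS_DENIED" in line:
            hits.append(ids)
    return hits

def aces(log):
    """Map SID -> perms from the canon_ace lines (allow ACEs only)."""
    return dict(ACE.findall(log))

def token_sids(uid, gids):
    """Assumed token: unix-mapped user and group SIDs plus Everyone (S-1-1-0)."""
    return {f"S-1-22-1-{uid}", "S-1-1-0"} | {f"S-1-22-2-{g}" for g in gids}

def granted(acl, sids):
    """Simplified allow-only check: union of perms of ACEs whose SID is in the token."""
    bits = {c for sid, perms in acl.items() if sid in sids for c in perms}
    return "".join(c for c in "rwx" if c in bits)

if __name__ == "__main__":
    acl = aces(SAMPLE_LOG)
    for pid, uid, gid in denied(SAMPLE_LOG):
        print(pid, uid, "primary gid only:", granted(acl, token_sids(uid, [gid])))
        print(pid, uid, "with gid 9006:   ", granted(acl, token_sids(uid, [gid, 9006])))
```

The log header only shows the effective uid and primary gid, so the gid list to test has to come from the token itself or from the user's group membership on the server.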
On 11/10/16 1:13 PM, Josh Malone wrote:
> Hello,
>
> Really stumped on this issue. I have samba 4.4.7 running on a new
> server. Users cannot write to files to which they have write permissions
> via group.
>
> Example:
>
> Here's the local filesystem on the samba server. I'm logged in as jmalone
>
>
> : jmalone at canis; cd /home/www.nrao.edu/content/logs/
> : jmalone at canis; ls -l
> total 4
> -rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
> -rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
> : jmalone at canis; touch foobar
>
>
> No problems. Now, let me mount that on my Mac:
>
>
> : jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> : jmalone at agrajag; ls -l
> total 2
> -rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
> -rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
> -rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
> : jmalone at agrajag.cv; touch foobar
> touch: foobar: Permission denied
>
> I can write to 'baz' though.
>
> Here's the log entries from the failed write attempt:
>
> [2016/11/10 10:01:58.250031, 2] ../source3/smbd/open.c:1025(open_file)
>   jmalone opened file content/logs/foobar read=No write=No (numopen=4)
> [2016/11/10 10:01:58.251220, 2] ../source3/smbd/close.c:793(close_normal_file)
>   jmalone closed file content/logs/foobar (numopen=3) NT_STATUS_NOT_FOUND
> [2016/11/10 10:01:58.252517, 2] ../source3/smbd/open.c:1025(open_file)
>   jmalone opened file content/logs/foobar read=No write=No (numopen=4)
> [2016/11/10 10:01:58.253723, 2] ../source3/smbd/close.c:793(close_normal_file)
>   jmalone closed file content/logs/foobar (numopen=3) NT_STATUS_NOT_FOUND
>
>
> The listing is weird over cifs too - not sure if that's the source of
> problems or a symptom, or a red herring. I also get the same error on a
> Windows smb client. I've tried 4.5.1, 4.4.5, and now 4.3.12 and they all
> do the same thing. My old server running 4.0 didn't have this issue.
>
> In case it matters, the filesystem being shared via samba is NFS mounted
> to the samba server.
>
> Thanks so much,
>
> -Josh

I cannot fix this under RHEL6. I've tried every version of samba back to 4.0.

However - I just noticed that this bug DOESN'T occur on samba-gb. What's the difference? I've tried 2 different systems in CV and the bug occurs. GB's smb.conf doesn't look very different from what I'm testing with (colin.cv).

What gives, man?

-Josh

--
--------------------------------------------------------
Joshua Malone                      Systems Administrator
(jmalone at nrao.edu)              NRAO Charlottesville
434-296-0263                       www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
Apologies - this was meant for an internal list :(

#include <embarrassment.h>

> However - I just noticed that this bug DOESN'T occur on samba-gb. What's
> the difference? I've tried 2 different systems in CV and the bug occurs.
> GB's smb.conf doesn't look very different from what I'm testing with
> (colin.cv).
>
> What gives, man?
>
> -Josh
>

--
--------------------------------------------------------
Joshua Malone                      Systems Administrator
(jmalone at nrao.edu)              NRAO Charlottesville
434-296-0263                       www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------