Jeremy Allison
2016-Nov-17 19:17 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Wed, Nov 16, 2016 at 03:25:24PM -0500, Josh Malone wrote:
> On 11/16/16 3:17 PM, Jeremy Allison wrote:
> >On Wed, Nov 16, 2016 at 03:12:06PM -0500, Josh Malone via samba wrote:
> >>On 11/16/16 2:32 PM, Jeremy Allison via samba wrote:
> >>>>
> >>>>But the file is not root:root - it's owned by uid 12477 and group
> >>>>9006. Why is Samba getting the wrong owner/group for this file?
> >>>
> >>>That is the core of your problem. What does the full debug level 10
> >>>log say around this message ?
> >>>
> >>
> >>Nothing that I can see.
> >
> >That is not a helpful response to a request for debug info.
> >
> >Just sayin' :-) :-).
> >
>
> No, it's not. Apologies.
>
> http://www.cv.nrao.edu/~jmalone/sambalog.txt

Looking at that log I see:

posix_get_nt_acl: called for file .

canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x

So it's the top-level directory of the share
/data/test

that is root.root rwxr-xr-x

Can you check that ?

The open request fails with:

smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)

0x40 is SEC_DIR_DELETE_CHILD, which is seeing if a file in that
directory can be deleted. As you're not root, that open fails
(you don't have 'w' access).

Hope this helps.
Josh Malone
2016-Nov-17 19:32 UTC
[Samba] Clients can't write to group-writable files - plea for help
On 11/17/16 2:17 PM, Jeremy Allison wrote:
> On Wed, Nov 16, 2016 at 03:25:24PM -0500, Josh Malone wrote:
>>
>> http://www.cv.nrao.edu/~jmalone/sambalog.txt
>
> Looking at that log I see:
>
> posix_get_nt_acl: called for file .
>
> canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
>
> So it's the top-level directory of the share
> /data/test
>
> that is root.root rwxr-xr-x
>
> Can you check that ?

Nope - that directory is uid 2310, group 9004. I'm in group 9004. How can samba be getting that wrong?

> The open request fails with:
>
> smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
>
> 0x40 is SEC_DIR_DELETE_CHILD, which is seeing if a file in that
> directory can be deleted. As you're not root, that open fails
> (you don't have 'w' access).
>
> Hope this helps.

Okay - I understand how to read the logs a bit better now. Still baffled at samba not getting file acls correct though.

-Josh

--
--------------------------------------------------------
Joshua Malone Systems Administrator
(jmalone at nrao.edu) NRAO Charlottesville
434-296-0263 www.nrao.edu
434-249-5699 (mobile)
--------------------------------------------------------
Jeremy Allison
2016-Nov-17 19:36 UTC
[Samba] Clients can't write to group-writable files - plea for help
On Thu, Nov 17, 2016 at 02:32:12PM -0500, Josh Malone wrote:
> On 11/17/16 2:17 PM, Jeremy Allison wrote:
> >On Wed, Nov 16, 2016 at 03:25:24PM -0500, Josh Malone wrote:
> > >>
> >>http://www.cv.nrao.edu/~jmalone/sambalog.txt
> >
> >Looking at that log I see:
> >
> >posix_get_nt_acl: called for file .
> >
> > canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
> > canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
> > canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
> >
> >So it's the top-level directory of the share
> >/data/test
> >
> >that is root.root rwxr-xr-x
> >
> >Can you check that ?
>
> Nope - that directory is uid 2310, group 9004. I'm in group 9004.
> How can samba be getting that wrong?

Don't know - there wasn't enough of the log to tell. However, that's what the POSIX ACL code was returning for the file owner/group.
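Added example, not part of the thread and not Samba's code: a small Python parser for the log lines quoted above that decodes the requested access mask and shows which POSIX entry decides the result. The uid 1000, the `NEEDS` mapping (a simplified model of how directory rights map to r/w/x) and the helper names are assumptions; mask names other than 0x40 come from Samba's access-mask definitions.

```python
import re

# Directory access-mask bits; 0x40 is the one named in the thread.
SEC_DIR = {0x01: "SEC_DIR_LIST", 0x02: "SEC_DIR_ADD_FILE",
           0x04: "SEC_DIR_ADD_SUBDIR", 0x20: "SEC_DIR_TRAVERSE",
           0x40: "SEC_DIR_DELETE_CHILD"}
# Simplified model (assumption, not Samba's code): POSIX bit each right needs.
NEEDS = {0x01: "r", 0x02: "w", 0x04: "w", 0x20: "x", 0x40: "w"}
# Log lines quoted in the thread (smbd log at debug level 10).
LOG = """\
canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
smbd_check_access_rights: file . requesting 0x40 returning 0x40 (NT_STATUS_ACCESS_DENIED)
"""

ACE_RE = re.compile(r"canon_ace index \d+\. Type = allow SID = \S+ "
                    r"(?:(uid|gid) (\d+) \(\S+\) |other )(SMB_ACL_\w+) .* perms ([rwx-]{3})")
REQ_RE = re.compile(r"smbd_check_access_rights: file (\S+) requesting (0x[0-9a-fA-F]+)")

def parse(log):
    """Return ({ace_type: (id_or_None, perms)}, requested_mask)."""
    aces, mask = {}, None
    for line in log.splitlines():
        if m := ACE_RE.search(line):
            aces[m.group(3)] = (int(m.group(2)) if m.group(2) else None, m.group(4))
        elif m := REQ_RE.search(line):
            mask = int(m.group(2), 16)
    return aces, mask

def decode(mask):
    return [name for bit, name in SEC_DIR.items() if mask & bit]

def denied_bits(aces, mask, uid, gids):
    """Bits of mask the POSIX entries refuse to uid/gids."""
    if uid == 0:  # root is not subject to the permission check
        return 0
    owner, group = aces["SMB_ACL_USER_OBJ"], aces["SMB_ACL_GROUP_OBJ"]
    if uid == owner[0]:
        perms = owner[1]
    elif group[0] in gids:
        perms = group[1]
    else:
        perms = aces["SMB_ACL_OTHER"][1]
    return sum(bit for bit, need in NEEDS.items() if mask & bit and need not in perms)

if __name__ == "__main__":
    aces, mask = parse(LOG)
    print(decode(mask), hex(denied_bits(aces, mask, uid=1000, gids={9004})))  # uid 1000 is constructed
```

With the entries smbd logged (root:root, r-x for group and other), a member of group 9004 falls through to the "other" entry and is refused 0x40, which matches the NT_STATUS_ACCESS_DENIED line.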