Walker, Jason M (JSC-CD42)[Leidos Innovations Corporation]
2018-Feb-14 15:43 UTC
[Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission
>What are you actually using for authentication ?

We are using Quest Authentication Services (formerly Vintela Authentication Services), which is a Kerberos/LDAP/Active Directory client for UNIX & Linux. Authentication and Identity Mapping appears to work correctly, I can log on and see my uid/gid/correct groups list with SSH and group-based access for files and directories appears to work correctly through Samba.

The only thing that doesn't seem to work right is that if _only_ my user account/file owner has full control to the directory and the file, and my primary group has no access, Excel 2016 cannot save edits to files through Samba.

Looking at level-5 Samba logs I appear to get an access denied on setting attributes to the new temporary file Excel is creating when I open the original

[2018/02/12 10:27:10.682913, 2] ../source3/smbd/trans2.c:6276(smb_set_file_dosmode)
  smb_set_file_dosmode: file_set_dosmode of ~$test.xlsx failed (Permission denied)
[2018/02/12 10:27:10.682965, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_setinfo.c:132

and Samba seems to be mapping my account correctly

[2018/02/12 10:27:10.715181, 5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (11):
    SID[ 0]: S-1-22-1-129046054
    SID[ 1]: S-1-22-2-513
    SID[ 2]: S-1-22-2-487583
    SID[ 3]: S-1-22-2-487495
    SID[ 4]: S-1-22-2-383830
    SID[ 5]: S-1-22-2-385132
    SID[ 6]: S-1-22-2-345596
    SID[ 7]: S-1-22-2-383825
    SID[ 8]: S-1-1-0
    SID[ 9]: S-1-5-2
    SID[ 10]: S-1-5-11
  Privileges (0x 0):
  Rights (0x 0):
[2018/02/12 10:27:10.715449, 5] ../source3/auth/token_util.c:640(debug_unix_user_token)
  UNIX token of user 129046054
  Primary group is 513 and contains 7 supplementary groups
  Group[ 0]: 513
  Group[ 1]: 487583
  Group[ 2]: 487495
  Group[ 3]: 383830
  Group[ 4]: 385132
  Group[ 5]: 345596
  Group[ 6]: 383825

And just after that I appear to be granted an oplock on the original file

[2018/02/12 10:27:10.858168, 5] ../source3/smbd/dosmode.c:287(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file test.xlsx: Error = Unformatted or incompatible media
[2018/02/12 10:27:10.858225, 4] ../source3/smbd/open.c:3262(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x0 mode=0744, access_mask = 0x80, open_access_mask = 0x80
[2018/02/12 10:27:10.858353, 2] ../source3/smbd/open.c:1351(open_file)
  jwalker5 opened file test.xlsx read=No write=No (numopen=6)
[2018/02/12 10:27:10.858406, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
  check lock order 1 for /smb_ms1/samba/locks/locking.tdb
[2018/02/12 10:27:10.858492, 5] ../source3/smbd/oplock.c:86(set_file_oplock)
  set_file_oplock: granted oplock on file test.xlsx, a0007:5040:0/1990308393, tv_sec = 5a81c05e, tv_usec = d16cb
[2018/02/12 10:27:10.858583, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
  release lock order 1 for /smb_ms1/samba/locks/locking.tdb

Still a little later I see errors retrieving ea_dos_attributes during what looks like a directory listing (I suspect this is because the underlying AIX filesystem doesn't support the EA attributes, and I'm not sure that I care)

[2018/02/12 10:27:10.929561, 5] ../source3/smbd/dosmode.c:287(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file test.xlsx: Error = Unformatted or incompatible media
[2018/02/12 10:27:10.929635, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode_from_sbuf returning (0x20): "a"
[2018/02/12 10:27:10.929687, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x20): "a"
[2018/02/12 10:27:10.929757, 3] ../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found test.xlsx fname=test.xlsx (test.xlsx)
[2018/02/12 10:27:10.929837, 5] ../source3/smbd/dosmode.c:287(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file ~$test.xlsx: Error = Unformatted or incompatible media

And then, reading the directory again, I can see these access masks but not sure how to understand them

[2018/02/12 10:27:11.223176, 5] ../source3/smbd/open.c:3946(open_directory)
  open_directory: opening directory ., access_mask = 0x80, share_access = 0x7 create_options = 0x200000, create_disposition = 0x1, file_attributes = 0x10
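An added example, not part of the original post and not Samba code: a small Python helper that parses level-5 smbd log entries like those quoted above, lists the entries reporting a denial, and names the bits in the logged access_mask, share_access, create_options, create_disposition and file_attributes fields. The bit names follow the NT access-mask and SMB2 CREATE definitions; the function names and the header-line/message-line layout of the sample are assumptions.

```python
import re

# NT access-mask and SMB2 CREATE bit names (subset); unknown bits are shown as hex.
ACCESS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
          0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD", 0x80: "READ_ATTRIBUTES",
          0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SHARE = {0x1: "SHARE_READ", 0x2: "SHARE_WRITE", 0x4: "SHARE_DELETE"}
ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
OPTIONS = {0x1: "DIRECTORY_FILE", 0x40: "NON_DIRECTORY_FILE", 0x200000: "OPEN_REPARSE_POINT"}
DISPOSITION = ["SUPERSEDE", "OPEN", "CREATE", "OPEN_IF", "OVERWRITE", "OVERWRITE_IF"]
FIELDS = {"access_mask": ACCESS, "open_access_mask": ACCESS, "share_access": SHARE,
          "create_options": OPTIONS, "file_attributes": ATTRS}
HEADER = re.compile(r"^\[(\S+ \S+),\s+(\d+)\] \S+?:\d+\((\w+)\)$")
FIELD = re.compile(r"(\w+)\s*=\s*0x([0-9a-fA-F]+)")

def decode_bits(value, names):
    rest = value & ~sum(names)  # bits with no name in the table
    return [n for b, n in names.items() if value & b] + ([hex(rest)] if rest else [])

def decode_fields(message):  # decode each 'name = 0x..' field smbd logs for an open
    found = {}
    for name, hexval in FIELD.findall(message):
        v = int(hexval, 16)
        if name in FIELDS:
            found[name] = decode_bits(v, FIELDS[name])
        elif name == "create_disposition":  # an enumeration, not a bitmask
            found[name] = [DISPOSITION[v] if v < len(DISPOSITION) else hex(v)]
    return found

def parse_log(text):  # join each '[time, level] file:line(func)' header with its message
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"time": m[1], "level": int(m[2]), "func": m[3], "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def denied(entries):
    return [e for e in entries if re.search(r"Permission denied|NT_STATUS_ACCESS_DENIED", e["msg"])]

# Three entries copied from the post; the header/message line layout is assumed.
SAMPLE = """[2018/02/12 10:27:10.682913, 2] ../source3/smbd/trans2.c:6276(smb_set_file_dosmode)
  smb_set_file_dosmode: file_set_dosmode of ~$test.xlsx failed (Permission denied)
[2018/02/12 10:27:10.682965, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_setinfo.c:132
[2018/02/12 10:27:11.223176, 5] ../source3/smbd/open.c:3946(open_directory)
  open_directory: opening directory ., access_mask = 0x80, share_access = 0x7 create_options = 0x200000, create_disposition = 0x1, file_attributes = 0x10"""
```

For the open_directory entry, `decode_fields()` reports READ_ATTRIBUTES for access_mask = 0x80, all three share modes for share_access = 0x7, OPEN for create_disposition = 0x1 and DIRECTORY for file_attributes = 0x10.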
Rowland Penny
2018-Feb-14 16:24 UTC
[Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission
On Wed, 14 Feb 2018 15:43:38 +0000
"Walker, Jason M (JSC-CD42)[Leidos Innovations Corporation]" <jason.m.walker at nasa.gov> wrote:

> >What are you actually using for authentication ?
>
> We are using Quest Authentication Services (formerly Vintela
> Authentication Services), which is a Kerberos/LDAP/Active Directory
> client for UNIX & Linux. Authentication and Identity Mapping appears
> to work correctly, I can log on and see my uid/gid/correct groups
> list with SSH and group-based access for files and directories
> appears to work correctly through Samba.
>

If you are not using winbind then your problem very probably lies with the Quest product, can I suggest you ask them if this is causing your problem.

Rowland