David Cournapeau
2018-Jun-14 01:48 UTC
[Samba] Weird permissions issues with samba shares and XFS
Hi,

We are trying to deploy samba sharing on CentOS 7.4, linked to Windows 2016 AD for authentication. We are having an issue related to permissions where different directories with seemingly the exact same permissions cannot all be accessed from smbclient. I was hoping somebody could help me figure this out.

We have the following structure:

1. one LVM2 volume on /dev/storage/test (XFS) mounted as /storage/test
2. inside /storage/test, we have 2 directories /storage/test/foo and /storage/test/bar

I created three entries in our server's smb.conf:

    [test]
    path = /storage/test
    comment = Sharing root of XFS
    [test-foo]
    path = /storage/test/foo
    comment = Sharing foo
    [test-bar]
    path = /storage/test/bar
    comment = Sharing bar

I can list all 3 shares with `smbclient -L //localhost`, as expected. Now for the issues I cannot figure out:

1. doing `ls` in `smbclient //localhost/test`, I get "NT_STATUS_ACCESS_DENIED listing \*"
2. doing `ls` in `smbclient //localhost/test-foo` works
3. doing `ls` in `smbclient //localhost/test-bar` gives me "NT_STATUS_ACCESS_DENIED listing \*" as well

But:

    $ ls -l /storage/test/
    drwxrwxr-x+ 2 root domain_admins 6 Jun 14 10:37 bar
    drwxrwxr-x+ 2 root domain_admins 6 Jun 14 10:37 foo

    $ getfacl /storage/test/bar
    # file: storage/test/bar/
    # owner: root
    # group: domain_admins
    user::rwx
    user:supachots:rwx
    group::r-x
    group:domain_users:r-x
    mask::rwx
    other::r-x

    $ getfacl /storage/test/foo/
    # file: storage/test/foo
    # owner: root
    # group: domain_admins
    user::rwx
    user:supachots:rwx
    group::r-x
    group:domain_users:r-x
    mask::rwx
    other::r-x

If instead of doing `mkdir foo` + setting up ACL/permissions, I simply `cp -a bar foo`, then foo is accessible. So it looks as if something besides ACL/Unix permissions is at play, but I don't know what it is.

I am running stock samba from CentOS 7.4, that is `smbd -V` gives me 4.7.1.
thank you,
David

--
ダビド・クルナポ
David Cournapeau, PhD
Senior Research Engineer
Cogent Labs Inc.
〒150-0034 東京都渋谷区代官山町 20-23 TENOHA LAB
Tel: 03 6773 1836
Direct: 070 3123 1394
dcournapeau at cogent.co.jp
www.cogent.co.jp <https://www.cogent.co.jp>
L.P.H. van Belle
2018-Jun-14 07:56 UTC
[Samba] Weird permissions issues with samba shares and XFS
Read this:

SHARE permissions:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
See: Setting Share Permissions and ACLs
Click Start, enter Computer Management, and start the application.
Select Action / Connect to another computer.
Enter the name of the Samba host and click OK to connect the console to the host.
Open the System Tools / Shared Folders / Shares menu entry.

Folder permissions:
Use Explorer, browse to a folder, go to the Security tab.

Your problem is the "SHARE" permission.

By default the SHARE permission is everybody Full control.
That's OK, now everybody is able to read/write..
But only if the FOLDER permissions allow it.

My guess..
/storage/test does not have the correct permissions.
Share permissions allow to write but Folder permissions not.

And cp...

cp -a --preserve=xattr will help imo.

Below a bit more

> -----Original message-----
> I created three entries in our server's smb.conf:
>
> [test]
> path = /storage/test
> comment = Sharing root of XFS
> [test-foo]
> path = /storage/test/foo
> comment = Sharing foo
> [test-bar]
> path = /storage/test/bar
> comment = Sharing bar
>
> I can list all 3 shares with `smbclient -L //localhost`, as expected. Now
> for the issues I cannot figure out:
>
> 1. doing `ls` in `smbclient //localhost/test`, I get
> "NT_STATUS_ACCESS_DENIED listing \*"

Yes, but which user is running the command?

> ls -l /storage/test/
> drwxrwxr-x+ 2 root domain_admins 6 Jun 14 10:37 bar
> drwxrwxr-x+ 2 root domain_admins 6 Jun 14 10:37 foo

You missed ls -l /storage
What are the rights on /storage/test ?

Greetz,

Louis
David Cournapeau
2018-Jun-14 10:27 UTC
[Samba] Weird permissions issues with samba shares and XFS
Hi Louis,

Thanks for answering.

On Thu, Jun 14, 2018 at 4:56 PM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:

> Read this:
>
> SHARE permissions:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> See: Setting Share Permissions and ACLs
> Click Start, enter Computer Management, and start the application.
> Select Action / Connect to another computer.
> Enter the name of the Samba host and click OK to connect the console to
> the host.
> Open the System Tools / Shared Folders / Shares menu entry.
>
> Folder permissions:
> Use Explorer, browse to a folder, go to the Security tab.
>
> Your problem is the "SHARE" permission.
>
> By default the SHARE permission is everybody Full control.
> That's OK, now everybody is able to read/write..
> But only if the FOLDER permissions allow it.

So right now, I am not so concerned about the exact permissions as much as understanding why something cannot be accessed at all (in particular just listing directory content).

> My guess..
> /storage/test does not have the correct permissions.
> Share permissions allow to write but Folder permissions not.
>
> And cp...
>
> cp -a --preserve=xattr will help imo.

Thanks, I was not aware of this option, though here `cp -a` was actually enough to get access (while adjusting unix + acl manually to match did not work).

> Below a bit more
>
> > -----Original message-----
> > I created three entries in our server's smb.conf:
> >
> > [test]
> > path = /storage/test
> > comment = Sharing root of XFS
> > [test-foo]
> > path = /storage/test/foo
> > comment = Sharing foo
> > [test-bar]
> > path = /storage/test/bar
> > comment = Sharing bar
> >
> > I can list all 3 shares with `smbclient -L //localhost`, as expected. Now
> > for the issues I cannot figure out:
> >
> > 1. doing `ls` in `smbclient //localhost/test`, I get
> > "NT_STATUS_ACCESS_DENIED listing \*"
>
> Yes, but which user is running the command?

Here every folder has at least r and x for others, so it should not matter in this case, right? But just in case, the user is `dcournapeau` and:

    $ groups dcournapeau
    domain_users research_engineering vpn_access ml_engineering server_admins cglnas01_ssh_access global_ssh_access cglnas01_admins backup_admins lastpass_sync-exempt prtg_monitor_access ml_assignment hwr_data

My number one issue is the different behavior for 2 directories that seem to have exactly the same permissions.

> > ls -l /storage/test/
> > drwxrwxr-x+ 2 root domain_admins 6 Jun 14 10:37 bar
> > drwxrwxr-x+ 2 root domain_admins 6 Jun 14 10:37 foo
>
> You missed ls -l /storage
> What are the rights on /storage/test ?

Indeed:

    $ ls -l /storage/
    drwxrwxr-x. 4 root domain_admins 28 Jun 14 10:37 test

Thank you for your help,
David

> Greetz,
>
> Louis
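
An added example, not part of the thread and not Samba code: one way to look for what differs between two directories whose `ls -l` and `getfacl` output match, by comparing every extended attribute (the metadata `cp -a` carries over, such as POSIX ACL blobs and SELinux labels) and listing the mode of each parent directory. The function names and the sample values are assumptions constructed for illustration; they do not come from the poster's system.

```python
import os
import stat
import sys

# Constructed sample metadata (not taken from the thread): same mode, owner and
# POSIX ACL blob, but a different security.selinux label on the second directory.
SAMPLE_FOO = {
    "mode": "drwxrwxr-x", "uid": 0, "gid": 10001,
    "xattr:system.posix_acl_access": b"\x02\x00\x00\x00",
    "xattr:security.selinux": b"system_u:object_r:samba_share_t:s0\x00",
}
SAMPLE_BAR = dict(SAMPLE_FOO, **{
    "xattr:security.selinux": b"unconfined_u:object_r:unlabeled_t:s0\x00"})

def collect(path):
    """Mode, owner, group and every extended attribute visible to the caller."""
    st = os.lstat(path)
    meta = {"mode": stat.filemode(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    for name in os.listxattr(path, follow_symlinks=False):
        try:
            meta["xattr:" + name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError as exc:
            meta["xattr:" + name] = "<unreadable: %s>" % exc.strerror
    return meta

def diff_meta(a, b):
    """Return {key: (value_a, value_b)} for keys that differ or exist on one side."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def chain(path):
    """Every directory from / down to path; each level must allow traversal."""
    path = os.path.abspath(path)
    parts = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        parts.append(path)
    return parts[::-1]

if __name__ == "__main__":
    if len(sys.argv) == 3:            # e.g. /storage/test/foo /storage/test/bar
        left, right = collect(sys.argv[1]), collect(sys.argv[2])
        for p in chain(sys.argv[1]):  # show the mode of every parent level
            print(stat.filemode(os.lstat(p).st_mode), p)
    else:                             # no paths given: use the constructed sample
        left, right = SAMPLE_FOO, SAMPLE_BAR
    for key, (va, vb) in diff_meta(left, right).items():
        print("%s\n  first:  %r\n  second: %r" % (key, va, vb))
```

Run it as root with the two directories as arguments so that attributes in restricted namespaces are listed as well.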