Kraus, Sebastian
2019-Mar-01 04:54 UTC
[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
Hi Jeremy, Hi Steve, Hi Ronnie, thanks for your replies and the profound discussion. I think, it's best to demonstrate my problem case along an real world example: The following log of a console sesssion shows how I am doing the mounts on behalf Linux Kernel CIFS-FS Module on the client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via SMB/CIFS resp. SMB2 protocol: clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0 Password for user@//sambaserver/share: mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass clienthost:~# cat /proc/fs/cifs/DebugData Display Internal CIFS Data Structures for Debugging --------------------------------------------------- CIFS Version 2.09 Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL Active VFS Requests: 0 Servers: Number of credits: 50 1) Name: 130.149.125.119 Domain: FAK2 Uses: 1 OS: Windows 6.1 NOS: Samba 4.5.16-Debian Capability: 0x8080f3fd SMB session status: 1 TCP status: 1 Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0 Shares: 1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f PathComponentMax: 255 Status: 1 type: DISK MIDs: clienthost:~# getcifsacl /media/testmount/einstieg.txt REVISION:0x1 CONTROL:0x9004 OWNER:S-1-5-21-3646497173-276132624-1362955480-290786 GROUP:S-1-22-2-100 ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW ACL:S-1-22-2-100:ALLOWED/0x0/RW ACL:S-1-1-0:ALLOWED/0x0/ clienthost:~# umount /media/testmount clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0 Password for testuser@//sambaserver/share: mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass clienthost:~# cat /proc/fs/cifs/DebugData Display Internal CIFS Data Structures for Debugging --------------------------------------------------- CIFS Version 2.09 Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL Active VFS Requests: 0 Servers: Number of credits: 13 1) entry for 130.149.125.119 not fully displayed TCP status: 1 Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0 Shares: 1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f PathComponentMax: 255 Status: 1 type: DISK MIDs: clienthost:~# getcifsacl /media/testmount/einstieg.txt getxattr error: 95 REVISION:0x0 CONTROL:0x0 I wonder why I am able to access the Security Identifier of a file on an SMB1 mounted share, but getcifsacl is failing to get the SID of the same file on the same share with SMB2 mounts? In both cases, availability of XATTR, ACL and CIFS_POSIX FS capabilities is shown. Am I missing something essential or is there a lack of implementation? Best and regards Sebastian Sebastian Kraus Team IT am Institut für Chemie Gebäude C, Straße des 17. Juni 115, Raum C7 Technische Universität Berlin Fakultät II Institut für Chemie Sekretariat C3 Straße des 17. Juni 135 10623 Berlin Tel.: +49 30 314 22263 Fax: +49 30 314 29309 Email: sebastian.kraus at tu-berlin.de
Steve French
2019-Mar-01 06:17 UTC
[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
Could you see if anything useful in the logs indicating why the ACL was not returned? Instructions are at: https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging (it is easier for newer kernels due to dynamic tracing e.g. "trace-cmd record -e cifs" but even with these older kernels it should be enough information in the dmesg logs - if not a wireshark trace could help) On Thu, Feb 28, 2019 at 10:54 PM Kraus, Sebastian <sebastian.kraus at tu-berlin.de> wrote:> > Hi Jeremy, Hi Steve, Hi Ronnie, > thanks for your replies and the profound discussion. > I think, it's best to demonstrate my problem case along an real world example: > The following log of a console sesssion shows how I am doing the mounts on behalf Linux Kernel CIFS-FS Module on the > client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via SMB/CIFS resp. SMB2 protocol: > > clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0 > Password for user@//sambaserver/share: > mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass> > clienthost:~# cat /proc/fs/cifs/DebugData > Display Internal CIFS Data Structures for Debugging > --------------------------------------------------- > CIFS Version 2.09 > Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL > Active VFS Requests: 0 > Servers: > Number of credits: 50 > 1) Name: 130.149.125.119 Domain: FAK2 Uses: 1 OS: Windows 6.1 > NOS: Samba 4.5.16-Debian Capability: 0x8080f3fd > SMB session status: 1 TCP status: 1 > Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0 > Shares: > 1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f > PathComponentMax: 255 Status: 1 type: DISK > > MIDs: > > clienthost:~# getcifsacl /media/testmount/einstieg.txt > REVISION:0x1 > CONTROL:0x9004 > OWNER:S-1-5-21-3646497173-276132624-1362955480-290786 > GROUP:S-1-22-2-100 > ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW > ACL:S-1-22-2-100:ALLOWED/0x0/RW > ACL:S-1-1-0:ALLOWED/0x0/ > > clienthost:~# umount /media/testmount > > clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0 > Password for testuser@//sambaserver/share: > mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass> > clienthost:~# cat /proc/fs/cifs/DebugData > Display Internal CIFS Data Structures for Debugging > --------------------------------------------------- > CIFS Version 2.09 > Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL > Active VFS Requests: 0 > Servers: > Number of credits: 13 > 1) entry for 130.149.125.119 not fully displayed > TCP status: 1 > Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0 > Shares: > 1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f > PathComponentMax: 255 Status: 1 type: DISK > > MIDs: > > clienthost:~# getcifsacl /media/testmount/einstieg.txt > getxattr error: 95 > REVISION:0x0 > CONTROL:0x0 > > I wonder why I am able to access the Security Identifier of a file on an SMB1 mounted share, but getcifsacl is failing to get the SID > of the same file on the same share with SMB2 mounts? In both cases, availability of XATTR, ACL and CIFS_POSIX FS capabilities is > shown. Am I missing something essential or is there a lack of implementation? > > > Best and regards > Sebastian > > > Sebastian Kraus > Team IT am Institut für Chemie > Gebäude C, Straße des 17. Juni 115, Raum C7 > > Technische Universität Berlin > Fakultät II > Institut für Chemie > Sekretariat C3 > Straße des 17. Juni 135 > 10623 Berlin > > > Tel.: +49 30 314 22263 > Fax: +49 30 314 29309 > Email: sebastian.kraus at tu-berlin.de-- Thanks, Steve
Kraus, Sebastian
2019-Mar-02 16:14 UTC
[Samba] Using CIFS ACL with SMB2/SMB3 Mounts on Linux Clients
Hi Steve,>> Could you see if anything useful in the logs indicating why the ACL was not returned? >> Instructions are at: >> https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_DebuggingUnfortunately not: With maximum debug verbosity 7 for the CIFS Kernel module stack, the dmesg only logs an ENOPNOTSUPP error (rc=95, Operation not supported on transport endpoint) on the socket while invoking an getcifsacl on a file or folder residing on a mounted Samba share. No more indicative error messages are shown up in the respective trace. :-( BUT, I just tested retrieving the CIFS ACL in the same setup either with backports Linux Kernel v4.19.16-1~bpo9+1 under Debian Stable (Stretch) and with Kernel v4.19.16-1 under Debian Testing (Buster) for SMB2/SMB3 protocol and getcifsacl/setcifsacl works properly on files and folders. So, it seems that with the older CIFS module version of Linux Kernel v4.9.30-2+deb9u5 under Debian Stable the CIFS ACL are simply not implemented/supported with SMB2/SMB3 protocol and an ENOTSUPP is raised consequently. As I never dealt with CIFS ACL and NTFS/Windows ACL before, I would like to ask if you know about any good description/manual on the internet how to properly fiddle around with this type of rich ACL. Thanks and best Sebastian Sebastian Kraus Team IT am Institut für Chemie Gebäude C, Straße des 17. Juni 115, Raum C7 Technische Universität Berlin Fakultät II Institut für Chemie Sekretariat C3 Straße des 17. Juni 135 10623 Berlin Tel.: +49 30 314 22263 Fax: +49 30 314 29309 Email: sebastian.kraus at tu-berlin.de ________________________________________ From: Steve French <smfrench at gmail.com> Sent: Friday, March 1, 2019 07:17 To: Kraus, Sebastian Cc: Jeremy Allison; samba at lists.samba.org; ronniesahlberg at gmail.com Subject: Re: Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients Could you see if anything useful in the logs indicating why the ACL was not returned? Instructions are at: https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging (it is easier for newer kernels due to dynamic tracing e.g. "trace-cmd record -e cifs" but even with these older kernels it should be enough information in the dmesg logs - if not a wireshark trace could help) On Thu, Feb 28, 2019 at 10:54 PM Kraus, Sebastian <sebastian.kraus at tu-berlin.de> wrote:> > Hi Jeremy, Hi Steve, Hi Ronnie, > thanks for your replies and the profound discussion. > I think, it's best to demonstrate my problem case along an real world example: > The following log of a console sesssion shows how I am doing the mounts on behalf Linux Kernel CIFS-FS Module on the > client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via SMB/CIFS resp. SMB2 protocol: > > clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0 > Password for user@//sambaserver/share: > mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass> > clienthost:~# cat /proc/fs/cifs/DebugData > Display Internal CIFS Data Structures for Debugging > --------------------------------------------------- > CIFS Version 2.09 > Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL > Active VFS Requests: 0 > Servers: > Number of credits: 50 > 1) Name: 130.149.125.119 Domain: FAK2 Uses: 1 OS: Windows 6.1 > NOS: Samba 4.5.16-Debian Capability: 0x8080f3fd > SMB session status: 1 TCP status: 1 > Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0 > Shares: > 1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f > PathComponentMax: 255 Status: 1 type: DISK > > MIDs: > > clienthost:~# getcifsacl /media/testmount/einstieg.txt > REVISION:0x1 > CONTROL:0x9004 > OWNER:S-1-5-21-3646497173-276132624-1362955480-290786 > GROUP:S-1-22-2-100 > ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW > ACL:S-1-22-2-100:ALLOWED/0x0/RW > ACL:S-1-1-0:ALLOWED/0x0/ > > clienthost:~# umount /media/testmount > > clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0 > Password for testuser@//sambaserver/share: > mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass> > clienthost:~# cat /proc/fs/cifs/DebugData > Display Internal CIFS Data Structures for Debugging > --------------------------------------------------- > CIFS Version 2.09 > Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL > Active VFS Requests: 0 > Servers: > Number of credits: 13 > 1) entry for 130.149.125.119 not fully displayed > TCP status: 1 > Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0 > Shares: > 1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f > PathComponentMax: 255 Status: 1 type: DISK > > MIDs: > > clienthost:~# getcifsacl /media/testmount/einstieg.txt > getxattr error: 95 > REVISION:0x0 > CONTROL:0x0 > > I wonder why I am able to access the Security Identifier of a file on an SMB1 mounted share, but getcifsacl is failing to get the SID > of the same file on the same share with SMB2 mounts? In both cases, availability of XATTR, ACL and CIFS_POSIX FS capabilities is > shown. Am I missing something essential or is there a lack of implementation? > > > Best and regards > Sebastian > > > Sebastian Kraus > Team IT am Institut für Chemie > Gebäude C, Straße des 17. Juni 115, Raum C7 > > Technische Universität Berlin > Fakultät II > Institut für Chemie > Sekretariat C3 > Straße des 17. Juni 135 > 10623 Berlin > > > Tel.: +49 30 314 22263 > Fax: +49 30 314 29309 > Email: sebastian.kraus at tu-berlin.de-- Thanks, Steve
Maybe Matching Threads
- Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
- Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
- Problem with lowercase Computernames in winbind samba 3.0.8
- getcifsacl does not work with CIFS mount versions 2 or 3
- NFS Selinux issues