samba - Mar 2019 - Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Hi Jeremy, Hi Steve, Hi Ronnie,
thanks for your replies and the profound discussion.
I think, it's best to demonstrate my problem case along an real world
example:
The following log of a console sesssion shows how I am doing the mounts on
behalf Linux Kernel CIFS-FS Module on the
client side against a Samba 4.5 file server (both running on Debian Stretch 9.8)
via SMB/CIFS resp. SMB2 protocol:

clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o
domain=win,gid=users,username=testuser,vers=1.0
Password for user@//sambaserver/share:
mount.cifs kernel mount options:
ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass
clienthost:~# cat /proc/fs/cifs/DebugData 
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 2.09
Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
Active VFS Requests: 0
Servers:
Number of credits: 50
1) Name: 130.149.125.119  Domain: FAK2 Uses: 1 OS: Windows 6.1
	NOS: Samba 4.5.16-Debian	Capability: 0x8080f3fd
	SMB session status: 1	TCP status: 1
	Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
	Shares:
	1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f
	PathComponentMax: 255 Status: 1 type: DISK 

	MIDs:
       
clienthost:~# getcifsacl /media/testmount/einstieg.txt 
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
GROUP:S-1-22-2-100
ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
ACL:S-1-22-2-100:ALLOWED/0x0/RW
ACL:S-1-1-0:ALLOWED/0x0/

clienthost:~# umount /media/testmount 

clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o
domain=win,gid=users,username=testuser,vers=2.0
Password for testuser@//sambaserver/share:
mount.cifs kernel mount options:
ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass
clienthost:~# cat /proc/fs/cifs/DebugData
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 2.09
Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
Active VFS Requests: 0
Servers:
Number of credits: 13
1) entry for 130.149.125.119 not fully displayed
	TCP status: 1
	Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
	Shares:
	1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
	PathComponentMax: 255 Status: 1 type: DISK 

	MIDs:

clienthost:~# getcifsacl /media/testmount/einstieg.txt 
getxattr error: 95
REVISION:0x0
CONTROL:0x0

I wonder why I am able to access the Security Identifier of a file on an SMB1
mounted share, but getcifsacl is failing to get the SID
of the same file on the same share with SMB2 mounts? In both cases, availability
of XATTR, ACL and CIFS_POSIX FS capabilities is
shown. Am I missing something essential or is there a lack of implementation?


Best and regards
Sebastian


Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin


Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de

Could you see if anything useful in the logs indicating why the ACL
was not returned?  Instructions are at:

https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging

(it is easier for newer kernels due to dynamic tracing e.g. "trace-cmd
record -e cifs" but even with these older kernels it should be enough
information in the dmesg logs - if not a wireshark trace could help)

On Thu, Feb 28, 2019 at 10:54 PM Kraus, Sebastian
<sebastian.kraus at tu-berlin.de> wrote:
>
> Hi Jeremy, Hi Steve, Hi Ronnie,
> thanks for your replies and the profound discussion.
> I think, it's best to demonstrate my problem case along an real world
example:
> The following log of a console sesssion shows how I am doing the mounts on
behalf Linux Kernel CIFS-FS Module on the
> client side against a Samba 4.5 file server (both running on Debian Stretch
9.8) via SMB/CIFS resp. SMB2 protocol:
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o
domain=win,gid=users,username=testuser,vers=1.0
> Password for user@//sambaserver/share:
> mount.cifs kernel mount options:
ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features:
DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 50
> 1) Name: 130.149.125.119  Domain: FAK2 Uses: 1 OS: Windows 6.1
>         NOS: Samba 4.5.16-Debian        Capability: 0x8080f3fd
>         SMB session status: 1   TCP status: 1
>         Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20
Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> REVISION:0x1
> CONTROL:0x9004
> OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
> GROUP:S-1-22-2-100
> ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
> ACL:S-1-22-2-100:ALLOWED/0x0/RW
> ACL:S-1-1-0:ALLOWED/0x0/
>
> clienthost:~# umount /media/testmount
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o
domain=win,gid=users,username=testuser,vers=2.0
> Password for testuser@//sambaserver/share:
> mount.cifs kernel mount options:
ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features:
DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 13
> 1) entry for 130.149.125.119 not fully displayed
>         TCP status: 1
>         Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> getxattr error: 95
> REVISION:0x0
> CONTROL:0x0
>
> I wonder why I am able to access the Security Identifier of a file on an
SMB1 mounted share, but getcifsacl is failing to get the SID
> of the same file on the same share with SMB2 mounts? In both cases,
availability of XATTR, ACL and CIFS_POSIX FS capabilities is
> shown. Am I missing something essential or is there a lack of
implementation?
>
>
> Best and regards
> Sebastian
>
>
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
>
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
>
>
> Tel.: +49 30 314 22263
> Fax: +49 30 314 29309
> Email: sebastian.kraus at tu-berlin.de


-- 
Thanks,

Steve

Hi Steve,
>> Could you see if anything useful in the logs indicating why the ACL was
not returned?
>> Instructions are at:
>>
https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging
Unfortunately not: With maximum debug verbosity 7 for the CIFS Kernel module
stack, the dmesg only
logs an ENOPNOTSUPP error (rc=95, Operation not supported on transport endpoint)
on the socket
while invoking an getcifsacl on a file or folder residing on a mounted Samba
share. No more indicative error
messages are shown up in the respective trace. :-(

BUT, I just tested retrieving the CIFS ACL in the same setup either with
backports Linux Kernel v4.19.16-1~bpo9+1
under Debian Stable (Stretch) and with Kernel v4.19.16-1 under Debian Testing
(Buster) for SMB2/SMB3 protocol and
getcifsacl/setcifsacl works properly on files and folders. So, it seems that
with the older CIFS module version of Linux
Kernel v4.9.30-2+deb9u5 under Debian Stable the CIFS ACL are simply not
implemented/supported with SMB2/SMB3
protocol and an ENOTSUPP is raised consequently.

As I never dealt with CIFS ACL and NTFS/Windows ACL before, I would like to ask
if you know about any good
description/manual on the internet how to properly fiddle around with this type
of rich ACL.


Thanks and best
Sebastian


Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin


Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de


________________________________________
From: Steve French <smfrench at gmail.com>
Sent: Friday, March 1, 2019 07:17
To: Kraus, Sebastian
Cc: Jeremy Allison; samba at lists.samba.org; ronniesahlberg at gmail.com
Subject: Re: Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Could you see if anything useful in the logs indicating why the ACL
was not returned?  Instructions are at:

https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging

(it is easier for newer kernels due to dynamic tracing e.g. "trace-cmd
record -e cifs" but even with these older kernels it should be enough
information in the dmesg logs - if not a wireshark trace could help)

On Thu, Feb 28, 2019 at 10:54 PM Kraus, Sebastian
<sebastian.kraus at tu-berlin.de> wrote:
>
> Hi Jeremy, Hi Steve, Hi Ronnie,
> thanks for your replies and the profound discussion.
> I think, it's best to demonstrate my problem case along an real world
example:
> The following log of a console sesssion shows how I am doing the mounts on
behalf Linux Kernel CIFS-FS Module on the
> client side against a Samba 4.5 file server (both running on Debian Stretch
9.8) via SMB/CIFS resp. SMB2 protocol:
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o
domain=win,gid=users,username=testuser,vers=1.0
> Password for user@//sambaserver/share:
> mount.cifs kernel mount options:
ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features:
DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 50
> 1) Name: 130.149.125.119  Domain: FAK2 Uses: 1 OS: Windows 6.1
>         NOS: Samba 4.5.16-Debian        Capability: 0x8080f3fd
>         SMB session status: 1   TCP status: 1
>         Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20
Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> REVISION:0x1
> CONTROL:0x9004
> OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
> GROUP:S-1-22-2-100
> ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
> ACL:S-1-22-2-100:ALLOWED/0x0/RW
> ACL:S-1-1-0:ALLOWED/0x0/
>
> clienthost:~# umount /media/testmount
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o
domain=win,gid=users,username=testuser,vers=2.0
> Password for testuser@//sambaserver/share:
> mount.cifs kernel mount options:
ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features:
DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 13
> 1) entry for 130.149.125.119 not fully displayed
>         TCP status: 1
>         Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> getxattr error: 95
> REVISION:0x0
> CONTROL:0x0
>
> I wonder why I am able to access the Security Identifier of a file on an
SMB1 mounted share, but getcifsacl is failing to get the SID
> of the same file on the same share with SMB2 mounts? In both cases,
availability of XATTR, ACL and CIFS_POSIX FS capabilities is
> shown. Am I missing something essential or is there a lack of
implementation?
>
>
> Best and regards
> Sebastian
>
>
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
>
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
>
>
> Tel.: +49 30 314 22263
> Fax: +49 30 314 29309
> Email: sebastian.kraus at tu-berlin.de


--
Thanks,

Steve