Hi,

First, thanks to all the people who continuously give great advice on this list!

I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5 from Debian). The following directory is shared and contains two directories:

/home/eleve/partage/
├── Documents
└── Travail

I want user "eleve" to be able to modify everything, and guest users to have read access on "Documents/" and write access on "Travail/". Everything works as expected when accessing files locally, but not when mounting the share from a Linux client:
- when logged in as guest, I can read everything but have no write access in "Travail/"
- when logged in as "eleve", I cannot write inside "Documents/"

I suppose I am missing something simple, but cannot find what (I have read https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).

$ getfacl partage/*
# file: partage/Documents
# owner: eleve
# group: eleve
user::rwx
user:eleve:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:eleve:rwx
default:user:nobody:r-x
default:group::r-x
default:mask::rwx
default:other::r-x

# file: partage/Travail
# owner: eleve
# group: eleve
user::rwx
user:eleve:rwx
user:nobody:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:eleve:rwx
default:user:nobody:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

And here is my smb.conf:

[global]
    workgroup = AYN
    log file = /var/log/samba/log.%m
    logging = file syslog@1
    server role = standalone server
    map to guest = Bad User
    guest account = nobody
    vfs objects = acl_xattr

[Documents]
    path = /home/eleve/partage
    guest ok = yes
    writable = yes
    inherit acls = yes

Thanks,
Yvan

On 09/07/2019 20:06, Yvan Masson via samba wrote:
> Hi,
>
> First, thanks to all the people who continuously give great advice on
> this list!
>
> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5
> from Debian). The following directory is shared and contains two
> directories:
> /home/eleve/partage/
> ├── Documents
> └── Travail
>
> I want user "eleve" to be able to modify everything, and guest users
> to have read access on "Documents/" and write access on "Travail/".
> Everything works as expected when accessing files locally, but not
> when mounting the share from a Linux client:
> - when logged in as guest, I can read everything but have no write
> access in "Travail/"
> - when logged in as "eleve", I cannot write inside "Documents/"

You would be better off setting up two shares.

>
> I suppose I am missing something simple, but cannot find what (I have
> read
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).

I know that page refers to a standalone server, but it is mostly aimed at AD domain members, though the basics should work on a standalone server.

Rowland

On 09/07/2019 22:49, Yvan Masson wrote:
> On 09/07/2019 at 21:16, Rowland penny via samba wrote:
>> On 09/07/2019 20:06, Yvan Masson via samba wrote:
>>> Hi,
>>>
>>> First, thanks to all the people who continuously give great advice
>>> on this list!
>>>
>>> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5
>>> from Debian). The following directory is shared and contains two
>>> directories:
>>> /home/eleve/partage/
>>> ├── Documents
>>> └── Travail
>>>
>>> I want user "eleve" to be able to modify everything, and guest users
>>> to have read access on "Documents/" and write access on "Travail/".
>>> Everything works as expected when accessing files locally, but not
>>> when mounting the share from a Linux client:
>>> - when logged in as guest, I can read everything but have no write
>>> access in "Travail/"
>>> - when logged in as "eleve", I cannot write inside "Documents/"
>> You would be better off setting up two shares.
>>>
>>> I suppose I am missing something simple, but cannot find what (I
>>> have read
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).
>> I know that page refers to a standalone server, but it is mostly
>> aimed at AD domain members, though the basics should work on a
>> standalone server.
>>
>> Rowland
>>
> Thanks for the advice. I have read
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
> which gave me the solution: I had forgotten to add the "eleve" user to the
> smbpasswd database. It would need more testing, but it seems I have a
> working setup with two shares and no POSIX ACL.
>
> I suppose I already know the answer, but is there a way to log in with
> Samba without having a smbpasswd file?
>
> Regards,
> Yvan

Yes, it is known as setting up an AD domain and then accounts are stored in AD ;-)

Otherwise if you really mean 'can I connect to a Samba share on a Samba standalone server without an account', then yes, you can. You will need 'map to guest = bad user' in [global] and 'guest ok = yes' in the shares (note, you cannot use 'valid users' etc. in the shares). With these settings and no users, anybody can connect to the shares and they will be mapped to the guest user (usually 'nobody'). This is very insecure.

Rowland
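
Added example (not part of the thread, and not Samba project code): a minimal Python check for the combination Rowland describes, 'map to guest' enabled in [global] plus 'guest ok = yes' on a share, reporting whether each such share is read-only or writable for guests. The function names are hypothetical, the sample config is constructed from the [Partage] setup in the thread, and only the synonyms named in the comments are handled.

```python
import re

# Constructed sample: the guest-related lines of the [Partage] setup in the thread.
SAMPLE_CONF = """
[global]
   map to guest = Bad User
   guest account = nobody
[Partage]
   path = /home/yvan/Partage
   guest ok = yes
   writable = yes
"""
TRUE = {"yes", "true", "1", "on"}
# smb.conf synonyms: 'public' = 'guest ok'; these three invert 'read only'.
WRITE_SYNONYMS = {"writable", "writeable", "write ok"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, synonyms folded."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key == "public":
                key = "guest ok"
            elif key in WRITE_SYNONYMS:
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            section[key] = value
    return conf

def guest_exposure(text):
    """Return [(share, 'read'|'write')] for guest-ok shares when guest mapping is on."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("map to guest", "never").lower() == "never":
        return []  # default: logins with an invalid password are rejected
    findings = []
    for name, params in conf.items():
        eff = {**glob, **params}  # share-level values set in [global] act as defaults
        if name != "global" and eff.get("guest ok", "no").lower() in TRUE:
            read_only = eff.get("read only", "yes").lower() in TRUE
            findings.append((name, "read" if read_only else "write"))
    return findings
```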

On 10/07/2019 at 08:46, Rowland penny via samba wrote:
> On 09/07/2019 22:49, Yvan Masson wrote:
>> On 09/07/2019 at 21:16, Rowland penny via samba wrote:
>>> On 09/07/2019 20:06, Yvan Masson via samba wrote:
>>>> Hi,
>>>>
>>>> First, thanks to all the people who continuously give great advice
>>>> on this list!
>>>>
>>>> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5
>>>> from Debian). The following directory is shared and contains two
>>>> directories:
>>>> /home/eleve/partage/
>>>> ├── Documents
>>>> └── Travail
>>>>
>>>> I want user "eleve" to be able to modify everything, and guest users
>>>> to have read access on "Documents/" and write access on "Travail/".
>>>> Everything works as expected when accessing files locally, but not
>>>> when mounting the share from a Linux client:
>>>> - when logged in as guest, I can read everything but have no write
>>>> access in "Travail/"
>>>> - when logged in as "eleve", I cannot write inside "Documents/"
>>> You would be better off setting up two shares.
>>>>
>>>> I suppose I am missing something simple, but cannot find what (I
>>>> have read
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).
>>> I know that page refers to a standalone server, but it is mostly
>>> aimed at AD domain members, though the basics should work on a
>>> standalone server.
>>>
>>> Rowland
>>>
>> Thanks for the advice. I have read
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>> which gave me the solution: I had forgotten to add the "eleve" user to the
>> smbpasswd database. It would need more testing, but it seems I have a
>> working setup with two shares and no POSIX ACL.
>>
>> I suppose I already know the answer, but is there a way to log in with
>> Samba without having a smbpasswd file?
>>
>> Regards,
>> Yvan
>
> Yes, it is known as setting up an AD domain and then accounts are stored
> in AD ;-)
>
> Otherwise if you really mean 'can I connect to a Samba share on a Samba
> standalone server without an account', then yes, you can. You will need
> 'map to guest = bad user' in [global] and 'guest ok = yes' in the shares
> (note, you cannot use 'valid users' etc. in the shares). With these
> settings and no users, anybody can connect to the shares and they will
> be mapped to the guest user (usually 'nobody'). This is very insecure.
>
> Rowland

OK thanks. However, I still want to clarify what is wrong with my original setup, where the "Partage" directory is shared on a standalone Samba 4.9.5 server:

/home/yvan/Partage/
├── Consultation/
└── Echange/

Connecting with local user "yvan" (added to the smbpasswd file this time) works properly: I have write access in "Consultation/" and "Echange/".

Connecting as a guest user (mapped to user "nobody") works partially: I have read access in "Consultation/" and "Echange/", but I would like to have write access in "Echange/". For example, this does not work (the share is mounted as guest via gvfs):

$ LANG=C touch /run/user/1000/gvfs/smb-share\:server\=e7440.local\,share\=partage/Echange/test
touch: cannot touch '/run/user/1000/gvfs/smb-share:server=e7440.local,share=partage/Echange/test': Permission denied

However, everything works properly when accessing files locally. This works:

$ sudo -u nobody touch /home/yvan/Partage/Echange/test

So I guess I have an issue with guest access in my Samba configuration.

$ cat /etc/samba/smb.conf
[global]
    workgroup = AYN
    log file = /var/log/samba/log.%m
    logging = file syslog@1
    server role = standalone server
    map to guest = Bad User
    guest account = nobody

[Partage]
    path = /home/yvan/Partage
    guest ok = yes
    writable = yes
    inherit acls = yes

$ getfacl Partage/*
# file: Partage/Consultation
# owner: yvan
# group: yvan
user::rwx
user:yvan:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:yvan:rwx
default:user:nobody:r-x
default:group::r-x
default:mask::rwx
default:other::r-x

# file: Partage/Echange
# owner: yvan
# group: yvan
user::rwx
user:yvan:rwx
user:nobody:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:yvan:rwx
default:user:nobody:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Any help would be appreciated :-)

Yvan