On 10/07/2019 at 08:46, Rowland penny via samba wrote:
> On 09/07/2019 22:49, Yvan Masson wrote:
>> On 09/07/2019 at 21:16, Rowland penny via samba wrote:
>>> On 09/07/2019 20:06, Yvan Masson via samba wrote:
>>>> Hi,
>>>>
>>>> First, thanks to all the people who continuously give great advice
>>>> on this list!
>>>>
>>>> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5
>>>> from Debian). The following directory is shared and contains two
>>>> directories:
>>>> /home/eleve/partage/
>>>> ├── Documents
>>>> └── Travail
>>>>
>>>> I want user "eleve" to be able to modify everything, and guest users
>>>> to have read access on "Documents/" and write access on "Travail/".
>>>> Everything works as expected when accessing files locally, but not
>>>> when mounting the share from a Linux client:
>>>> - when logged in as guest, I can read everything but have no write
>>>> access in "Travail/"
>>>> - when logged in as "eleve", I can not write inside "Documents/"
>>> You would be better off setting up two shares
>>>>
>>>> I suppose I am missing something simple, but can not find what (I
>>>> have read
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).
>>> I know that page refers to a standalone server, but it is mostly
>>> aimed at AD domain members, though the basics should work on a
>>> standalone server.
>>>
>>> Rowland
>>>
>> Thanks for the advice. I have read
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>> which gave me the solution: I had forgotten to add "eleve" user to the
>> smbpasswd database. It would need more testing, but it seems I have a
>> working setup with two shares and no POSIX ACL.
>>
>> I suppose I already know the answer, but is there a way to login with
>> Samba without having a smbpasswd file?
>>
>> Regards,
>> Yvan
>
> Yes, it is known as setting up an AD domain and then accounts are stored
> in AD ;-)
>
> Otherwise if you really mean 'can I connect to a Samba share on a Samba
> standalone server without an account', then yes, you can. You will need
> 'map to guest = bad user' in [global] and 'guest ok = yes' in the shares
> (note, you cannot use 'valid users' etc in the shares), with these
> settings and no users, anybody can connect to the shares and they will
> be mapped to the guest user (usually 'nobody'). This is very insecure.
>
> Rowland

OK thanks. However I still want to clarify what is wrong with my
original setup, where "Partage" directory is shared on a standalone
Samba 4.9.5 server:
/home/yvan/Partage/
├── Consultation/
└── Echange/

Connecting with local user "yvan" (added to smbpasswd file this time),
works properly: I have write access in "Consultation/" and "Echange/".

Connecting as a guest user (mapped to user "nobody") works partially:
I have read access in "Consultation/" and "Echange/", but I would like
to have write access in "Echange/". For example, this does not work (the
share is mounted as guest via gvfs):
$ LANG=C touch /run/user/1000/gvfs/smb-share\:server\=e7440.local\,share\=partage/Echange/test
touch: cannot touch '/run/user/1000/gvfs/smb-share:server=e7440.local,share=partage/Echange/test': Permission denied

However, everything works properly when accessing files locally. This works:
$ sudo -u nobody touch /home/yvan/Partage/Echange/test

So I guess I have an issue with guest access in my Samba configuration.

$cat /etc/samba/smb.conf:
[global]
workgroup = AYN
log file = /var/log/samba/log.%m
logging = file syslog@1
server role = standalone server
map to guest = Bad User
guest account = nobody
[Partage]
path = /home/yvan/Partage
guest ok = yes
writable = yes
inherit acls = yes
$ getfacl Partage/*
# file: Partage/Consultation
# owner: yvan
# group: yvan
user::rwx
user:yvan:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:yvan:rwx
default:user:nobody:r-x
default:group::r-x
default:mask::rwx
default:other::r-x
# file: Partage/Echange
# owner: yvan
# group: yvan
user::rwx
user:yvan:rwx
user:nobody:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:yvan:rwx
default:user:nobody:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Any help would be appreciated :-)
Yvan
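
Added example, not part of the thread: a small audit that reads an smb.conf and lists every share that admits guest sessions, with the access level and the Unix account they run as, which is the exposure Rowland warns about above. The function names are hypothetical; the sample input is constructed from the settings quoted in the thread, and the script assumes the usual smb.conf conventions (parameter names ignore case and spaces, "public" is a synonym of "guest ok", "writable" is an inverted synonym of "read only", [global] values act as share defaults).

```python
import re

# Constructed sample input: the [global] and [Partage] settings quoted in the thread.
SAMPLE = """\
[global]
   map to guest = Bad User
   guest account = nobody
[Partage]
   path = /home/yvan/Partage
   guest ok = yes
   writable = yes
"""

TRUE = {"yes", "true", "on", "1"}
INVERTED = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lowercased with spaces removed."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", key).lower()
            if key in INVERTED:  # store as "read only" so the last setting wins
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            section["guestok" if key == "public" else key] = value
    return conf

def guest_shares(conf):
    """List (share, access, guest account) for every share that admits guests."""
    glob, findings = conf.get("global", {}), []
    for name, params in conf.items():
        if name == "global":
            continue
        eff = {**glob, **params}  # [global] values act as per-share defaults
        if eff.get("guestok", "no").lower() not in TRUE:
            continue
        read_only = eff.get("readonly", "yes").lower() in TRUE
        findings.append((name, "read-only" if read_only else "read-write",
                         eff.get("guestaccount", "nobody")))
    return findings

if __name__ == "__main__":
    for share, access, account in guest_shares(parse_smb_conf(SAMPLE)):
        print(f"[{share}] admits guests ({access}) as Unix user '{account}'")
```

What a guest can actually write is still bounded by the filesystem permissions and ACLs of the reported Unix account on the share path.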