Yvan Masson
2019-Aug-09 20:34 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 09/08/2019 at 21:36, Rowland penny via samba wrote:
> On 09/08/2019 20:18, Yvan Masson via samba wrote:
>> Hi list,
>>
>> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
>> with the following smb.conf:
>>
>> [global]
>> server role = standalone server
>> map to guest = Bad User
>> guest account = nobody
> That is the standard guest account
>>
>> [test]
>> path = /home/yvan/Partage/share
>> guest ok = yes
>> writable = yes
>> inherit acls = yes
>>
>>
>> I want "bob", "alice" and guest user to have full access to all files
>> in this share, so I made /home/yvan/share with the following ACL:
>
> No, you don't, all right you do, but you shouldn't ;-)
>
> Either use authentication for the share, or allow guest access, not both.

Yes I admit this test setup is not very realistic. A valid setup would be read/write for authenticated users and read only for guests:

# file: test
# owner: root
# group: root
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:bob:rwx
default:user:alice:rwx
default:user:nobody:r-x
default:group::---
default:mask::rwx
default:other::---

Unfortunately I have the same problem: guest can mount but not read share contents.

>
>> $ getfacl share
>> # file: share
>> # owner: root
>> # group: root
>> user::rwx
>> user:bob:rwx
>> user:alice:rwx
>> user:nobody:rwx
>> group::r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:bob:rwx
>> default:user:alice:rwx
>> default:user:nobody:rwx
>> default:group::---
>> default:mask::rwx
>> default:other::---
>>
>>
>> I have two issues with this setup that I could not solve after many
>> hours:
>
> No, you have one big issue, you are not using the ACLs you have set,
> well not with Samba anyway, you will need to add:
>
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>
> to [global] in smb.conf
>

Aaaaah wonderful! :-D

Those parameters are not mentioned on "Setting up a Share Using POSIX ACLs" page in the wiki: can I add those or do you prefer to do it? (I am sure your explanations would be better than mine).

Yvan
Rowland penny
2019-Aug-09 21:21 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 09/08/2019 21:34, Yvan Masson via samba wrote:
>
>
> On 09/08/2019 at 21:36, Rowland penny via samba wrote:
>> On 09/08/2019 20:18, Yvan Masson via samba wrote:
>>> Hi list,
>>>
>>> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
>>> with the following smb.conf:
>>>
>>> [global]
>>> server role = standalone server
>>> map to guest = Bad User
>>> guest account = nobody
>> That is the standard guest account
>>>
>>> [test]
>>> path = /home/yvan/Partage/share
>>> guest ok = yes
>>> writable = yes
>>> inherit acls = yes
>>>
>>>
>>> I want "bob", "alice" and guest user to have full access to all
>>> files in this share, so I made /home/yvan/share with the following ACL:
>>
>> No, you don't, all right you do, but you shouldn't ;-)
>>
>> Either use authentication for the share, or allow guest access, not
>> both.
> Yes I admit this test setup is not very realistic. A valid setup would
> be read/write for authenticated users and read only for guests:
> # file: test
> # owner: root
> # group: root
> user::rwx
> user:bob:rwx
> user:alice:rwx
> user:nobody:r-x
> group::r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:bob:rwx
> default:user:alice:rwx
> default:user:nobody:r-x
> default:group::---
> default:mask::rwx
> default:other::---
>
> Unfortunately I have the same problem: guest can mount but not read
> share contents.
>>
>>> $ getfacl share
>>> # file: share
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:bob:rwx
>>> user:alice:rwx
>>> user:nobody:rwx
>>> group::r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:bob:rwx
>>> default:user:alice:rwx
>>> default:user:nobody:rwx
>>> default:group::---
>>> default:mask::rwx
>>> default:other::---
>>>
>>>
>>> I have two issues with this setup that I could not solve after many
>>> hours:
>>
>> No, you have one big issue, you are not using the ACLs you have set,
>> well not with Samba anyway, you will need to add:
>>
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>
>> to [global] in smb.conf
>>
> Aaaaah wonderful! :-D
> Those parameters are not mentioned on "Setting up a Share Using POSIX
> ACLs" page in the wiki: can I add those or do you prefer to do it? (I
> am sure your explanations would be better than mine).
>
> Yvan

I will add something, it is mentioned in the wiki, just not on that page ;-)

Rowland
Yvan Masson
2019-Aug-10 13:19 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 09/08/2019 at 22:34, Yvan Masson via samba wrote:
>
>
> On 09/08/2019 at 21:36, Rowland penny via samba wrote:
>> On 09/08/2019 20:18, Yvan Masson via samba wrote:
>>> Hi list,
>>>
>>> For testing purpose, I am running a standalone Samba 4.9.5 on Debian
>>> with the following smb.conf:
>>>
>>> [global]
>>> server role = standalone server
>>> map to guest = Bad User
>>> guest account = nobody
>> That is the standard guest account
>>>
>>> [test]
>>> path = /home/yvan/Partage/share
>>> guest ok = yes
>>> writable = yes
>>> inherit acls = yes
>>>
>>>
>>> I want "bob", "alice" and guest user to have full access to all files
>>> in this share, so I made /home/yvan/share with the following ACL:
>>
>> No, you don't, all right you do, but you shouldn't ;-)
>>
>> Either use authentication for the share, or allow guest access, not
>> both.
> Yes I admit this test setup is not very realistic. A valid setup would
> be read/write for authenticated users and read only for guests:
> # file: test
> # owner: root
> # group: root
> user::rwx
> user:bob:rwx
> user:alice:rwx
> user:nobody:r-x
> group::r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:bob:rwx
> default:user:alice:rwx
> default:user:nobody:r-x
> default:group::---
> default:mask::rwx
> default:other::---
>
> Unfortunately I have the same problem: guest can mount but not read
> share contents.

So to sum up, setting ACL for the guest user is not enough for Samba, while it works for other users. It does not depend on which Unix user is used as guest.

I just found a very strange workaround: the right needs to be given to the primary group and not the user. For example, if my guest user is "nobody", then I would give rights to group "nogroup". I also tested to use alice as my guest user, and giving rights to group "alice" (not the user) works.

Any idea? Should I report an issue?

Yvan
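What the "read only for guests" ACL quoted in the message above grants under the POSIX.1e access check, as an added example that is not part of the original thread: it parses getfacl-style text and evaluates the access entries for a given Unix user and group set, which helps separate what the filesystem ACL allows from what Samba does with it. It models only the kernel's algorithm, not Samba's handling; the function names and the user "carol" are hypothetical.

```python
# Added example: POSIX.1e access check over getfacl-style text.
# Constructed input: the "read only for guests" ACL quoted in the thread.
ACL_TEXT = """\
# file: test
# owner: root
# group: root
user::rwx
user:bob:rwx
user:alice:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::---
default:user:nobody:r-x
"""

def parse_acl(text):
    """Return (owner, owning_group, entries) for the access ACL only."""
    owner = group = None
    entries = {}  # (tag, qualifier) -> set of permission letters
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            entries[(tag, qualifier)] = set(perms[:3]) - {"-"}
    return owner, group, entries

def effective_perms(text, user, groups):
    """Permissions granted to `user` whose group set is `groups`."""
    owner, owning_group, acl = parse_acl(text)
    mask = acl.get(("mask", ""), set("rwx"))
    if user == owner:
        return acl[("user", "")]           # owner entry is never masked
    if ("user", user) in acl:
        return acl[("user", user)] & mask  # named user entry, masked
    matched = [p for (tag, q), p in acl.items() if tag == "group"
               and (q in groups or (q == "" and owning_group in groups))]
    if matched:
        # One matching group entry must contain the request; for a single
        # permission letter that is the union of the matching entries.
        return set().union(*matched) & mask
    return acl.get(("other", ""), set())

if __name__ == "__main__":
    for who, grps in [("nobody", {"nogroup"}), ("bob", {"bob"}), ("carol", {"carol"})]:
        print(who, "".join(sorted(effective_perms(ACL_TEXT, who, grps))) or "---")
```

Default entries are skipped on purpose: they only seed the ACL of newly created children and play no part in the access decision on the directory itself.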
Yvan Masson
2019-Aug-12 11:11 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
> So to sum up, setting ACL for the guest user is not enough for Samba,
> while it works for other users. It does not depend on which Unix user is
> used as guest.
>
> I just found a very strange workaround: the right needs to be given to
> the primary group and not the user. For example, if my guest user is
> "nobody", then I would give rights to group "nogroup". I also tested to
> use alice as my guest user, and giving rights to group "alice" (not the
> user) works.
>
> Any idea? Should I report an issue?

For reference, I reported this issue at https://bugzilla.samba.org/show_bug.cgi?id=14083

Yvan