Yvan Masson
2019-Aug-12 11:11 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
> So to sum up, setting ACL for the guest user is not enough for Samba,
> while it works for other users. It does not depend on which Unix user is
> used as guest.
>
> I just found a very strange workaround: the right needs to be given to
> the primary group and not the user. For example, if my guest user is
> "nobody", then I would give rights to group "nogroup". I also tested to
> use alice as my guest user, and giving rights to group "alice" (not the
> user) works.
>
> Any idea? Should I report an issue?

For reference, I reported this issue at
https://bugzilla.samba.org/show_bug.cgi?id=14083

Yvan
Rowland penny
2019-Aug-12 12:32 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 12/08/2019 12:11, Yvan Masson via samba wrote:
>> So to sum up, setting ACL for the guest user is not enough for Samba,
>> while it works for other users. It does not depend on which Unix user
>> is used as guest.
>>
>> I just found a very strange workaround: the right needs to be given
>> to the primary group and not the user. For example, if my guest user
>> is "nobody", then I would give rights to group "nogroup". I also
>> tested to use alice as my guest user, and giving rights to group
>> "alice" (not the user) works.
>>
>> Any idea? Should I report an issue?
>
> For reference, I reported this issue at
> https://bugzilla.samba.org/show_bug.cgi?id=14083
>
> Yvan
>

Hi Yvan,

Now I have had a chance to properly understand what you are trying to do, I am sorry but Louis is correct, this isn't a bug.

The first thing to understand is that the guest user on any other computer doesn't really equate to the guest user on the Samba computer.

You are mounting the share as the guest user, but this has nothing to do with the permissions on the share. My misunderstanding was that I thought you were connecting to a share using guest access, for this to work, you need 'map to guest = bad user' and 'guest ok = yes' in the share. If you are using 'guest ok = yes' on a share, then you shouldn't use authentication on the same share.

If you do have 'guest ok = yes' on a share, then if an unknown user tries to connect to the share, before they get to the share they will get mapped to the 'guest user' (usually 'nobody' on Unix), so anything they add to the share will typically belong to 'nobody:nogroup' because that is who is allowed access to the share.

So to recap, whilst you can mount a share as the guest user, it isn't recommended, do not use guest access on a share that you also want authenticated users to connect to.

Bearing this in mind, I am going to close your bug report.

Rowland
Yvan Masson
2019-Aug-12 15:30 UTC
[Samba] Standalone server and POSIX ACL issues (new one)
On 12/08/2019 at 14:32, Rowland penny via samba wrote:
> On 12/08/2019 12:11, Yvan Masson via samba wrote:
>>> So to sum up, setting ACL for the guest user is not enough for Samba,
>>> while it works for other users. It does not depend on which Unix user
>>> is used as guest.
>>>
>>> I just found a very strange workaround: the right needs to be given
>>> to the primary group and not the user. For example, if my guest user
>>> is "nobody", then I would give rights to group "nogroup". I also
>>> tested to use alice as my guest user, and giving rights to group
>>> "alice" (not the user) works.
>>>
>>> Any idea? Should I report an issue?
>>
>> For reference, I reported this issue at
>> https://bugzilla.samba.org/show_bug.cgi?id=14083
>>
>> Yvan
>>
> Hi Yvan,
>
> Now I have had a chance to properly understand what you are trying to do,
> I am sorry but Louis is correct, this isn't a bug.

Many thanks for the teaching efforts, I hope some day I could buy you a drink! :-)

>
> The first thing to understand is that the guest user on any other
> computer doesn't really equate to the guest user on the Samba computer
>
> You are mounting the share as the guest user, but this has nothing to do
> with the permissions on the share. My misunderstanding was that I
> thought you were connecting to a share using guest access, for this to
> work, you need 'map to guest = bad user' and 'guest ok = yes' in the
> share. If you are using 'guest ok = yes' on a share, then you shouldn't
> use authentication on the same share.
>
> If you do have 'guest ok = yes' on a share, then if an unknown user
> tries to connect to the share, before they get to the share they will
> get mapped to the 'guest user' (usually 'nobody' on Unix), so anything
> they add to the share will typically belong to 'nobody:nogroup' because
> that is who is allowed access to the share.
>
> So to recap, whilst you can mount a share as the guest user, it isn't
> recommended, do not use guest access on a share that you also want
> authenticated users to connect to.

I am sorry, I suppose that by trying to be clearer, I made my issue less understandable? I try to explain again just to be sure: I want some users (bob and alice for example) to have full access on the share (via authenticated mount), and others to have read-only access (via guest mount). As you understood, I don't want to use Windows ACLs.

I made some new tests after Louis's reply on the bug report (see link above), and here is my understanding of what I see: guest account is indeed mapped to the Unix account defined in "guest account" option of smb.conf, BUT its effective rights are equal to the ones of the Unix account AND (logical operator) the ones of "others" in Unix ACL.

Am I right? If yes, could this be added to smb.conf manpage for the "guest account" option? Currently it says "Whatever privileges this user has will be available to any client connecting to the guest service.", but it that this is only partially true.

Regards,
Yvan
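
Added example, not written by any participant in this thread: one way to lay out smb.conf so that guest and authenticated access are kept on separate shares, as recommended above, while still giving alice and bob read-write access and everyone else read-only access. The share names `data` and `data-ro` and the path `/srv/data` are assumptions.

```ini
# Added example, not from the thread. Share names and /srv/data are assumed.
[global]
    server role = standalone server
    # Unknown user names are mapped to the guest account; a known user
    # supplying a wrong password is still rejected.
    map to guest = Bad User
    guest account = nobody

# Authenticated read-write share: only alice and bob may connect.
[data]
    path = /srv/data
    valid users = alice bob
    read only = no
    guest ok = no

# Separate guest share over the same directory: guest connections only,
# and Samba refuses writes regardless of filesystem permissions.
[data-ro]
    path = /srv/data
    guest ok = yes
    guest only = yes
    read only = yes
```

`testparm -s` prints the configuration as Samba parses it. The guest account still needs Unix read permission on the path for the `data-ro` share to be usable.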