samba - Dec 2019 - Read-only permissions - incorrect user mapping?

CentOS 8
Samba 4.9.1
Client: macOS 10.14

[global]
    workgroup = LOCAL
    log file = /var/log/samba/log.smb
    max log size = 1000
    syslog = 0
    server role = standalone server
    unix password sync = no
    min protocol = SMB2
    ea support = yes
    vfs objects = catia fruit streams_xattr
    fruit:aapl = yes
    readdir_attr:aapl_rsize = yes
    readdir_attr:aapl_finder_info = yes
    readdir_attr:aapl_max_access = yes
    fruit:nfs_aces = yes
    fruit:copyfile = yes
    fruit:metadata = netatalk
    fruit:resource = file
    fruit:locking = none
    fruit:encoding = private
    unix extensions = yes
    spotlight = yes
    smb2 max read = 8388608
    smb2 max write = 8388608
    smb2 max trans = 8388608
    smb2 leases = yes
    aio read size = 1
    aio write size = 1
    kernel oplocks = no
    use sendfile = yes
    strict sync = yes
    sync always = no
    delete veto files = true
    fruit:veto_appledouble = yes
    fruit:posix_rename = yes
    fruit:zero_file_id = yes
    fruit:wipe_intentionally_left_blank_rfork = yes
    fruit:delete_empty_adfiles = yes
    disable netbios = yes
    dns proxy = no
    smb ports = 445

> On 26.12.2019, at 20:19, Rowland penny via samba <samba at
lists.samba.org> wrote:
> 
> On 26/12/2019 18:46, Steven Foucault via samba wrote:
>> I have a problem regarding permissions of a SMB share.
>> I created a share for my user ?steven? which has correct unix
permissions (I have read/write access to this folder when I log in to the server
via ?steven?)
>> 
>> drwxr-xr-x   steven root   share
>> 
>> When I export this share with no ?force user? entry in smb.conf I can
access the share only read only.
>> When I use ?force user = steven? it?s the same.
>> When I use ?force user = root? I have read write access to this share.
>> 
>> It looks like the samba user ?steven? (which exists) is not mapped to
the correct unix user. I thought this is the default behaviour.
>> 
>> pdbedit -L
>> steven:1000:steven
>> 
>> id steven
>> uid=1000(steven) gid=1000(steven) groups=1000(steven)
>> 
>> When I add - chmod o+w share - write permissions for ?others? I can
access share read/write via samba.
>> How can I make samba connect the samba user ?steven? to the system user
?steven??
>> 
>> BTW: There?s no SELinux enabled.
>> 
>> Thanks!
>> Steven
>> 
>> 
>> ?
>> [share]
>>     path = /tank
>>     available = yes
>>     browsable = yes
>>     read only = no
>>     writeable = yes
>>     create mask = 0600
>>     directory mask = 0700
>>     public = no
>>     force user = steven
> 
> Sorry, but not enough info ;-)
> 
> What OS ?
> 
> What Samba version ?
> 
> What is in [global] ?
> 
> What are you connecting from ?
> 
> That should be enough to start from.
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 26/12/2019 19:28, Steven Foucault wrote:
> CentOS 8
> Samba 4.9.1
> Client: macOS 10.14
>
> [global]
>      workgroup = LOCAL
>      log file = /var/log/samba/log.smb
>      max log size = 1000
>      syslog = 0
>      server role = standalone server
>      #unix password sync = no
>      min protocol = SMB2
>      vfs objects = catia fruit streams_xattr
>      fruit:aapl = yes
>      fruit:copyfile = yes
>      spotlight = yes
>      use sendfile = yes
>      delete veto files = true
>      fruit:wipe_intentionally_left_blank_rfork = yes
>      fruit:delete_empty_adfiles = yes
>      disable netbios = yes
>      dns proxy = no
>      smb ports = 445
>
>
>>> ?
>>> [share]
>>>      path = /tank
>>>      read only = no
>>>      create mask = 0600
>>>      directory mask = 0700
>>>      public = no
>>>      force user = steven
I have removed all the default settings and commented out one line, more 
on this later.

I think you are misunderstanding Samba and users. You are running Samba 
as a standalone server and you need to create users on each Samba 
machine with 'smbpasswd', this user must already exist as a Unix user. 
At the moment, any user known to Samba can connect to the share, but 
only 'Steven' has the write permission. It looks like you are connecting
as a different user (yes, this different user can also be called 
'Steven'), are you passing the workgroup as well ?

When you add 'force user', this is only used after authentication and 
ensures that all files will end up belonging to the 'force user' (Steven
in this case), this can lead to problems. If user 'fred' can connect to 
a share that has 'force user = steven' set and can write to the share, 
with your settings, 'fred' would not be able to read the file he just 
created.

Can I suggest you read 'man smbconf' for more info.

Coming back to the line I commented, as you set it, it a default, but it 
will mean that the Samba users password will not be synced with the Unix 
users password, this can lead to problems if the users actually log into 
the Unix machine Samba is running on.

Rowland

> I think you are misunderstanding Samba and users. You are running Samba as
a standalone server and you need to create users on each Samba machine with
'smbpasswd', this user must already exist as a Unix user. At the moment,
any user known to Samba can connect to the share, but only 'Steven' has
the write permission. It looks like you are connecting as a different user (yes,
this different user can also be called 'Steven'), are you passing the
workgroup as well ?
I created a samba user using "smbpasswd -a steven" with password
?pass1? (the unix user steven has a different password)
You are telling me that when I now log on to the samba server via ?steven? and
?pass1? I am actually _not_ logging in with the user ?steven??
When login succeeds I am assuming that login information is correct and I am
connecting as the user I used as username.
> On 26.12.2019, at 21:31, Rowland penny via samba <samba at
lists.samba.org> wrote:
> 
> On 26/12/2019 19:28, Steven Foucault wrote:
>> CentOS 8
>> Samba 4.9.1
>> Client: macOS 10.14
>> 
>> [global]
>>     workgroup = LOCAL
>>     log file = /var/log/samba/log.smb
>>     max log size = 1000
>>     syslog = 0
>>     server role = standalone server
>>     #unix password sync = no
>>     min protocol = SMB2
>>     vfs objects = catia fruit streams_xattr
>>     fruit:aapl = yes
>>     fruit:copyfile = yes
>>     spotlight = yes
>>     use sendfile = yes
>>     delete veto files = true
>>     fruit:wipe_intentionally_left_blank_rfork = yes
>>     fruit:delete_empty_adfiles = yes
>>     disable netbios = yes
>>     dns proxy = no
>>     smb ports = 445
>> 
>> 
>>>> ?
>>>> [share]
>>>>     path = /tank
>>>>     read only = no
>>>>     create mask = 0600
>>>>     directory mask = 0700
>>>>     public = no
>>>>     force user = steven
> 
> I have removed all the default settings and commented out one line, more on
this later.
> 
> I think you are misunderstanding Samba and users. You are running Samba as
a standalone server and you need to create users on each Samba machine with
'smbpasswd', this user must already exist as a Unix user. At the moment,
any user known to Samba can connect to the share, but only 'Steven' has
the write permission. It looks like you are connecting as a different user (yes,
this different user can also be called 'Steven'), are you passing the
workgroup as well ?
> 
> When you add 'force user', this is only used after authentication
and ensures that all files will end up belonging to the 'force user'
(Steven in this case), this can lead to problems. If user 'fred' can
connect to a share that has 'force user = steven' set and can write to
the share, with your settings, 'fred' would not be able to read the file
he just created.
> 
> Can I suggest you read 'man smbconf' for more info.
> 
> Coming back to the line I commented, as you set it, it a default, but it
will mean that the Samba users password will not be synced with the Unix users
password, this can lead to problems if the users actually log into the Unix
machine Samba is running on.
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba