On 11/19/21 5:18 PM, Rowland Penny via samba wrote:
> On Fri, 2021-11-19 at 16:44 -0500, Ken Bass via samba wrote:
>> I am in some unfamiliar territory here and trying to troubleshoot why
>> I am getting access denied. Maybe someone can provide some pointers or
>> suggestions.
>>
>> I am sharing via a samba share.
>>
>> If the file is created on Windows, I see the following:
>>
>> icacls test.txt
>>
>> test.txt Everyone:
>>          MYDOM\user:(I)(F)
>>          MYDOM\Group:(I)(F)
>>
>> Under Linux the file permissions show as:
>> '-rwxrw----'
>
> Is that exactly what 'ls -la' produces ? Could there be a '+' on the
> end ?
> As shown, the user would have full permissions and the group would have
> read and write permissions, all others would have no permissions.
>
> Depending on how you have set up Samba, you may be using extended ACL's
> and attrs, but without further info, this is hard to say.
>
> Could you post the output from 'testparm -s' from the Samba server and
> the full output of 'ls -la test.txt'
>
> Rowland

Hi Rowland,

On the SERVER side:

-rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt

On the CLIENT side, where this share is mounted via cifs in /etc/fstab:

-rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt

And reproducing the issue - on the CLIENT side:

/usr/bin/getcifsacl test.txt
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:ALLOWED/0x0/FULL
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/

And after running

chmod u-x test.txt

-rw-rw---- 1 user testshare users 16 Nov 19 16:12 test.txt

/usr/bin/getcifsacl test.txt
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:DENIED/0x0/0xd0130
ACL:MYDOM\user:ALLOWED/0x0/0x1f01df
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/0x40

Notice after running the chmod to remove the user exec permission, the
DENIED ACL is added.

That DENIED ACL does not just remove 'execution', but as I originally
posted:

test.txt MYDOM\user:(DENY)(D,WDAC,WO,WEA,X,WA)
         MYDOM\user:(R,W,D,WDAC,WO,DC)
         MYDOM\Testshare Users:(F)
         Everyone:(DC)

it appears to also remove WEA - Write extended attributes, WA - Write
attributes, WO - Write owner.

My guess is that is why trying to write to test.txt from Windows after
the chmod results in Access Denied. That DENY clause prevents Windows
from doing that.

# Global parameters
[global]
        disable spoolss = Yes
        guest account = guestuser
        interfaces = lo 192.168.2.0/24
        kerberos method = secrets and keytab
        load printers = No
        log file = /var/log/samba/%m.log
        map to guest = Bad User
        printcap name = /dev/null
        realm = MYDOM.LOCAL.NET
        security = ADS
        server string = myserver
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /etc/samba/user.map
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = MYDOM
        idmap config mydom : unix_primary_group = yes
        idmap config mydom : range = 1000-29999
        idmap config mydom : schema_mode = rfc2307
        idmap config mydom : backend = ad
        idmap config * : range = 30000-39999
        idmap config * : backend = tdb
        cups options = raw
        hosts allow = 127. 192.168.2.
        map acl inherit = Yes
        printing = bsd
        strict allocate = Yes
        vfs objects = acl_xattr

[TestShare]
        comment = TestShare
        create mask = 0770
        directory mask = 0770
        force create mode = 0770
        force directory mode = 0770
        force group = "TestShare Users"
        path = /mnt/store/TestShare
        read only = No
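To make the hex masks in the getcifsacl output above readable, here is an added Python example (not from the thread or from Samba) that parses getcifsacl output, decodes each ACE mask into the abbreviations icacls prints, and computes what is left for MYDOM\user once the DENIED entry is applied in DACL order. The sample text is constructed from the post-chmod output quoted above; the bit values are the standard Windows ACCESS_MASK constants, and the membership set is an assumption.

```python
# Windows ACCESS_MASK bits for files, paired with the abbreviation icacls prints.
ACCESS_BITS = [
    (0x000001, "RD"), (0x000002, "WD"), (0x000004, "AD"), (0x000008, "REA"),
    (0x000010, "WEA"), (0x000020, "X"), (0x000040, "DC"), (0x000080, "RA"),
    (0x000100, "WA"), (0x010000, "D"), (0x020000, "RC"), (0x040000, "WDAC"),
    (0x080000, "WO"), (0x100000, "S"),
]
FULL = 0x1F01FF                # getcifsacl prints "FULL" for this mask
FILE_GENERIC_WRITE = 0x120116  # WD|AD|WEA|WA|RC|S: what a Windows write open asks for

# Constructed sample: the post-chmod getcifsacl output quoted in the thread.
SAMPLE = """\
OWNER:MYDOM\\user
GROUP:MYDOM\\Testshare Users
ACL:MYDOM\\user:DENIED/0x0/0xd0130
ACL:MYDOM\\user:ALLOWED/0x0/0x1f01df
ACL:MYDOM\\Testshare Users:ALLOWED/0x0/FULL
ACL:\\Everyone:ALLOWED/0x0/0x40
"""

def parse_aces(text):
    """Return [(trustee, type, mask)] in DACL order from getcifsacl output."""
    aces = []
    for line in text.splitlines():
        if line.startswith("ACL:"):
            trustee, rest = line[4:].rsplit(":", 1)  # trustee may contain '\' and spaces
            ace_type, _flags, mask = rest.split("/")
            # an empty mask field (as in the pre-chmod Everyone line) is treated as 0
            aces.append((trustee, ace_type, FULL if mask == "FULL" else int(mask or "0", 16)))
    return aces

def decode(mask):
    """icacls-style abbreviations of the bits set in an access mask."""
    return [abbr for bit, abbr in ACCESS_BITS if mask & bit]

def effective_rights(aces, trustees):
    """Max rights for a principal matching any of `trustees` (DACL walked in
    order: a right denied earlier is not given back by a later allow ACE)."""
    granted = denied = 0
    for trustee, ace_type, mask in aces:
        if trustee in trustees:
            if ace_type == "DENIED":
                denied |= mask & ~granted
            elif ace_type == "ALLOWED":
                granted |= mask & ~denied
    return granted

def missing_for_write(aces, trustees):
    """Rights a generic write open needs that the principal does not get."""
    return decode(FILE_GENERIC_WRITE & ~effective_rights(aces, trustees))
```

For the quoted ACL the owner ends up without WEA and WA even though the group ACE grants FULL, because the deny ACE precedes it in the DACL.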
On Fri, 2021-11-19 at 19:00 -0500, Ken Bass via samba wrote:
> Hi Rowland,
>
> On the SERVER side:
>
> -rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt

Yes, you are using ACL's, note the '+' at the end of the Unix
permissions. What does 'getfacl test.txt' produce ?

> On the CLIENT side, where this share is mounted via cifs in
> /etc/fstab
>
> -rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt

However, the cifs mounted share doesn't seem to be using ACL's

> And reproducing the issue - on the CLIENT side
>
> /usr/bin/getcifsacl test.txt
> REVISION:0x1
> CONTROL:0x8004
> OWNER:MYDOM\user
> GROUP:MYDOM\Testshare Users
> ACL:MYDOM\user:ALLOWED/0x0/FULL
> ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
> ACL:\Everyone:ALLOWED/0x0/
>
> And after running
>
> chmod u-x test.txt

I wouldn't recommend running chmod against anything that has an ACL set
on it, it will probably remove or change the ACL.

> -rw-rw---- 1 user testshare users 16 Nov 19 16:12 test.txt
>
> /usr/bin/getcifsacl test.txt
> REVISION:0x1
> CONTROL:0x8004
> OWNER:MYDOM\user
> GROUP:MYDOM\Testshare Users
> ACL:MYDOM\user:DENIED/0x0/0xd0130
> ACL:MYDOM\user:ALLOWED/0x0/0x1f01df
> ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
> ACL:\Everyone:ALLOWED/0x0/0x40
>
> Notice after running the chmod to remove the user exec permission,
> the DENIED ACL is added.
>
> That DENIED ACL does not just remove 'execution', but as I originally
> posted:
>
> test.txt MYDOM\user:(DENY)(D,WDAC,WO,WEA,X,WA)
>          MYDOM\user:(R,W,D,WDAC,WO,DC)
>          MYDOM\Testshare Users:(F)
>          Everyone:(DC)
>
> it appears to also remove WEA - Write extended attributes, WA - Write
> attributes, WO - Write owner.
>
> My guess is that is why trying to write to test.txt from Windows after
> the chmod results in Access Denied. That DENY clause prevents Windows
> from doing that.

Your problem appears to be that you are trying to fix your problem with
a hammer.

> # Global parameters
> [global]
>         disable spoolss = Yes
>         guest account = guestuser
>         interfaces = lo 192.168.2.0/24
>         kerberos method = secrets and keytab
>         load printers = No
>         log file = /var/log/samba/%m.log
>         map to guest = Bad User
>         printcap name = /dev/null
>         realm = MYDOM.LOCAL.NET
>         security = ADS
>         server string = myserver
>         template homedir = /home/%U
>         template shell = /bin/bash
>         username map = /etc/samba/user.map

What exactly is in the 'user.map' ?

>         winbind enum groups = Yes
>         winbind enum users = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = MYDOM
>         idmap config mydom : unix_primary_group = yes
>         idmap config mydom : range = 1000-29999

I suppose you realise that using that range means you cannot have any
local Unix users.

>         idmap config mydom : schema_mode = rfc2307
>         idmap config mydom : backend = ad
>         idmap config * : range = 30000-39999
>         idmap config * : backend = tdb
>         cups options = raw
>         hosts allow = 127. 192.168.2.
>         map acl inherit = Yes
>         printing = bsd
>         strict allocate = Yes
>         vfs objects = acl_xattr
>
> [TestShare]
>         comment = TestShare
>         create mask = 0770
>         directory mask = 0770
>         force create mode = 0770
>         force directory mode = 0770
>         force group = "TestShare Users"
>         path = /mnt/store/TestShare
>         read only = No

I suggest you change the share to this:

[TestShare]
        comment = TestShare
        path = /mnt/store/TestShare
        read only = No

Then set the permissions from windows and only windows.

Try reading:

man mount.cifs

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
On 20.11.21 at 01:00, Ken Bass via samba wrote:
> chmod u-x test.txt

NEVER EVER use chmod on a file or directory with ACLs. You are NOT
changing permissions, you only change the mask. The mask shows the
maximum permissions that user/group/other can have. Only use setfacl to
change permissions.

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download the root certificates: https://www.dgn.de/dgncert/downloads.html