Patrick Goetz
2021-Nov-27 17:27 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
On 11/27/21 05:35, Rowland Penny via samba wrote:
> On Sat, 2021-11-27 at 11:09 +0000, spindles seven via samba wrote:
>> On 27 November 2021 10:10 Ralph Boehme wrote:
>>> what about the permission on /, /srv and /srv/samba? The account
>>> needs at least "x" there.
>>>
>>> -slow
>>>
>> Thanks Ralph.
>>
>> So "x" was missing on /srv/samba:
>> root@lxd-m1:~# ls -l /srv
>> total 16
>> drwxrwx--- 1 root domain admins 34 Feb 26 2021 samba
>>
>> So add it:
>> root@lxd-m1:~# chmod 771 /srv/samba
>> root@lxd-m1:~# ls -l /srv
>> total 16
>> drwxrwx--x 1 root domain admins 34 Feb 26 2021 samba
>>
>> The samba WiKi doesn't mention adding the "x" at all in the directory
>> hierarchy as far as I can see; if so maybe a note needs adding to
>> the relevant page(s)?
>
> That is because it is standard Unix, 'x' on a directory means 'enter'
> or 'traverse' and if you cannot traverse directories, then you cannot
> reach the share.
>

Sure, but Samba, which runs as root, is acting as a middle man in the file service, so it's not transparently clear that user execute permission in a parent directory is a prerequisite for access; e.g. Samba could be treating this like a bind mount or NFS root. In fact, based on the way shares are accessed this would be a logical assumption. I mount \\server\share, not server:/data/share which is where the files actually live in the filesystem hierarchy so why should I care what the permissions on /data are?

This is something worth mentioning in a warning note.

>>
>> Have added the "x" to the /srv/samba directory and the logs haven't
>> recurred (so far!).
>>
>> Not sure I understand why this will work, considering that the line:
>> "acl_xattr:ignore system acl = yes" is in smb.conf?
>>
>> Checking man smb.conf I can't find the description of this parameter.
>> A search finds mention of "acl_xattr:ignore system acls = yes" (note
>> the plural of acl) but no actual description of the parameter.
>
> man vfs_acl_xattr
>
>>
>> The Wiki suggests adding "acl_xattr:ignore system acl = yes", but
>> should it be: "acl_xattr:ignore system acls = yes"?
>
> Yes, I have fixed it.
>
> Rowland
Rowland Penny
2021-Nov-27 18:22 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
On Sat, 2021-11-27 at 11:27 -0600, Patrick Goetz via samba wrote:
>
> On 11/27/21 05:35, Rowland Penny via samba wrote:
> > On Sat, 2021-11-27 at 11:09 +0000, spindles seven via samba wrote:
> > > On 27 November 2021 10:10 Ralph Boehme wrote:
> > > > what about the permission on /, /srv and /srv/samba? The account
> > > > needs at least "x" there.
> > > >
> > > > -slow
> > > >
> > > Thanks Ralph.
> > >
> > > So "x" was missing on /srv/samba:
> > > root@lxd-m1:~# ls -l /srv
> > > total 16
> > > drwxrwx--- 1 root domain admins 34 Feb 26 2021 samba
> > >
> > > So add it:
> > > root@lxd-m1:~# chmod 771 /srv/samba
> > > root@lxd-m1:~# ls -l /srv
> > > total 16
> > > drwxrwx--x 1 root domain admins 34 Feb 26 2021 samba
> > >
> > > The samba WiKi doesn't mention adding the "x" at all in the
> > > directory hierarchy as far as I can see; if so maybe a note needs
> > > adding to the relevant page(s)?
> >
> > That is because it is standard Unix, 'x' on a directory means
> > 'enter' or 'traverse' and if you cannot traverse directories, then
> > you cannot reach the share.
> >
>
> Sure, but Samba, which runs as root, is acting as a middle man in the
> file service, so it's not transparently clear that user execute
> permission in a parent directory is a prerequisite for access; e.g.
> Samba could be treating this like a bind mount or NFS root. In fact,
> based on the way shares are accessed this would be a logical
> assumption.
> I mount \\server\share, not server:/data/share which is where the
> files actually live in the filesystem hierarchy so why should I care
> what the permissions on /data are?
>
> This is something worth mentioning in a warning note.

Possibly, but the share permissions should be set at creation and as this is on Linux, you would expect the Linux sysadmin to be aware of this. The other problem is just where to put such a note/warning?

Rowland
Ralph Boehme
2021-Nov-27 20:04 UTC
[Samba] chdir_current_service: vfs_ChDir(/srv/samba/users) failed: Permission denied.
On 11/27/21 18:27, Patrick Goetz via samba wrote:
> Sure, but Samba, which runs as root,

smbd does not run as root when executing SMB requests, it impersonates the user UNIX token while doing this.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
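
The point made in this thread, that the impersonated user needs "x" on every directory leading to the share, can be checked ahead of time. The following is an added example, not part of the original messages and not Samba code: it walks a path and reports each directory the given UNIX uid/gids cannot traverse. It evaluates classic mode bits only (POSIX ACLs are ignored), and the function names, the `base` parameter and the temporary `srv/samba/users` tree are constructed for illustration.

```python
import os
import stat
import tempfile

def traverse_blockers(path, uid, gids, base=os.sep):
    """Return (dir, mode) for each directory from base down to path
    that uid/gids cannot search ('x'), judged by mode bits only."""
    if uid == 0:
        return []  # root bypasses directory search checks
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(path, base)
    if rel.startswith(os.pardir):
        raise ValueError("path is not below base")
    chain, current = [base], base
    for part in ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    blockers = []
    for d in chain:
        st = os.stat(d)
        if not stat.S_ISDIR(st.st_mode):
            continue
        # POSIX picks exactly one class: owner, else group, else other.
        if uid == st.st_uid:
            bit = stat.S_IXUSR
        elif st.st_gid in gids:
            bit = stat.S_IXGRP
        else:
            bit = stat.S_IXOTH
        if not st.st_mode & bit:
            blockers.append((d, stat.filemode(st.st_mode)))
    return blockers

def demo():
    """Constructed tree mirroring the thread: 770 vs 771 on srv/samba."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = os.path.join(tmp, "srv")
        samba = os.path.join(srv, "samba")
        users = os.path.join(samba, "users")
        os.makedirs(users)
        os.chmod(srv, 0o755)
        os.chmod(users, 0o775)
        st = os.stat(samba)
        uid, gids = st.st_uid + 1, {st.st_gid + 1}  # neither owner nor group
        os.chmod(samba, 0o770)
        before = [m for _, m in traverse_blockers(users, uid, gids, base=srv)]
        os.chmod(samba, 0o771)
        after = [m for _, m in traverse_blockers(users, uid, gids, base=srv)]
        return before, after

if __name__ == "__main__":
    print(demo())
```

On a real server, call `traverse_blockers` with the share path and the connecting user's uid and group ids, leaving `base` at its default so `/` and `/srv` are checked as well.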