[Samba] group permissions broken after upgrade 3.2.5 -> 3.4.8: deleting of files denied

Marc Schiffbauer marc at schiffbauer.net
Mon Jun 14 03:59:31 MDT 2010


This is part of the log with log level = 10:

Here you can see that the "open for delete" is being denied, but why?
(If I do "chmod o+w ." in the dir, deletion of files is permitted...)

Group "domusr" (1006), which is the primary group of the users and is also 
mapped to the "Domain Users" group, has rwx permission on the directory.

user1 (1001) is the owner of the parent dir (".")
user2 (1010) is the owner of the file "Neu Textdokument.txt"
domusr (1006) is the group of both, "." and the file
user2 wants to delete the file

perms of "." are 0770
perms of the file are 0660




---------------------------------------------------------------------------------------


[2010/06/14 11:43:21,  4] smbd/uid.c:256(change_to_user)
  change_to_user: Skipping user change - already user
[2010/06/14 11:43:21, 10] smbd/nttrans.c:484(reply_ntcreate_and_X)
  reply_ntcreate_and_X: flags = 0x10, access_mask = 0x10080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200040 root_dir_fid = 0x0, fname = Temp/Neu Textdokument.txt
[2010/06/14 11:43:21, 10] smbd/open.c:3365(create_file_default)
  create_file: access_mask = 0x10080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200040 oplock_request = 0x0 root_dir_fid = 0x0, ea_list = 0x(nil), sd = 0x(nil), create_file_flags = 0x1, fname = Temp/Neu Textdokument.txt
[2010/06/14 11:43:21,  5] smbd/filename.c:148(unix_convert)
  unix_convert called on file "Temp/Neu Textdokument.txt"
[2010/06/14 11:43:21, 10] smbd/statcache.c:274(stat_cache_lookup)
  stat_cache_lookup: lookup succeeded for name [TEMP/NEU TEXTDOKUMENT.TXT] -> [Temp/Neu Textdokument.txt]
[2010/06/14 11:43:21,  3] smbd/vfs.c:865(check_reduced_name)
  reduce_name [Temp/Neu Textdokument.txt] [/home/userdata]
[2010/06/14 11:43:21, 10] smbd/vfs.c:937(check_reduced_name)
  reduce_name realpath [Temp/Neu Textdokument.txt] -> [/home/userdata/Temp/Neu Textdokument.txt]

                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                         This is the file I want to delete.


[2010/06/14 11:43:21,  3] smbd/vfs.c:974(check_reduced_name)
  reduce_name: Temp/Neu Textdokument.txt reduced to /home/userdata/Temp/Neu Textdokument.txt
[2010/06/14 11:43:21, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x10080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200040 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = Temp/Neu Textdokument.txt
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
  posix_get_nt_acl: called for file Temp
[2010/06/14 11:43:21, 10] lib/gencache.c:208(gencache_get)
  Returning valid cache entry: key = IDMAP/UID2SID/1001, value = S-1-5-21-623575250-3528882096-2388268162-3002, timeout = Sat Jun 19 02:37:36 2010
[2010/06/14 11:43:21, 10] passdb/lookup_sid.c:1333(uid_to_sid)
  uid 1001 -> sid S-1-5-21-623575250-3528882096-2388268162-3002
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2522(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 1006 (domusr) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-5-32-544 uid 1001 (user1) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:838(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-5-32-544 uid 1001 (user1) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 1006 (domusr) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:3045(add_or_replace_ace)
  Replacing ACE 1 with SID S-1-5-32-545 and flags 00
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:3007(merge_default_aces)
  merge_default_aces: Merging ACE 3 onto ACE 1.
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:3372(posix_get_nt_acl)
  posix_get_nt_acl: called for file Temp/Neu Textdokument.txt
[2010/06/14 11:43:21, 10] lib/gencache.c:208(gencache_get)
  Returning valid cache entry: key = IDMAP/UID2SID/1010, value = S-1-5-21-623575250-3528882096-2388268162-3020, timeout = Sat Jun 19 02:39:58 2010
[2010/06/14 11:43:21, 10] passdb/lookup_sid.c:1333(uid_to_sid)
  uid 1010 -> sid S-1-5-21-623575250-3528882096-2388268162-3020
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2522(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 1006 (domusr) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:2535(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-5-32-544 uid 1010 (user2) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:838(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-5-32-544 uid 1010 (user2) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 1. Type = allow SID = S-1-5-32-545 gid 1006 (domusr) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:1116(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:3045(add_or_replace_ace)
  Replacing ACE 1 with SID S-1-5-32-545 and flags 00
[2010/06/14 11:43:21, 10] smbd/posix_acls.c:3007(merge_default_aces)
  merge_default_aces: Merging ACE 3 onto ACE 1.
[2010/06/14 11:43:21, 10] smbd/open.c:2952(create_file_unixpath)
  create_file_unixpath: open file Temp/Neu Textdokument.txt for delete ACCESS_DENIED
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                             Why is this being denied?



[2010/06/14 11:43:21, 10] smbd/open.c:3218(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2010/06/14 11:43:21, 10] smbd/open.c:3497(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED
[2010/06/14 11:43:21,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

---------------------------------------------------------------------------------------

-- 
8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134
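
Decoding the hex access masks makes the log above easier to read: which rights the client requested and which rights each mapped ACE carries. This is an added example, not part of the original post; the bit names are the standard NT access-right constants, and the sample lines are abridged from the log above.

```python
import re

# Standard NT access-right bits for files and directories.
RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Lines abridged from the log in the post above (timestamps and extra fields dropped).
SAMPLE_LOG = """\
  create_file_unixpath: access_mask = 0x10080 file_attributes = 0x0, fname = Temp/Neu Textdokument.txt
  posix_get_nt_acl: called for file Temp
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
  posix_get_nt_acl: called for file Temp/Neu Textdokument.txt
  map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
  map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
"""

def decode(mask):
    """Return the names of the rights set in an NT access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def summarise(log):
    """Collect the requested mask and the mapped ACE masks per object."""
    requested, current, aces = None, None, {}
    for line in log.splitlines():
        if m := re.search(r"access_mask = (0x[0-9a-fA-F]+)", line):
            requested = int(m.group(1), 16)
        elif m := re.search(r"posix_get_nt_acl: called for file (.+)$", line):
            current = m.group(1).strip()
            aces[current] = []
        elif (m := re.search(r"to \(NT\) ([0-9a-fA-F]+)", line)) and current:
            aces[current].append(int(m.group(1), 16))
    return requested, aces

if __name__ == "__main__":
    requested, aces = summarise(SAMPLE_LOG)
    print("requested:", decode(requested))
    for path, masks in aces.items():
        for i, mask in enumerate(masks):
            print(f"{path} ACE {i}: {hex(mask)} -> {decode(mask)}")
```

For this log the requested mask decodes to FILE_READ_ATTRIBUTES and DELETE; the two non-empty ACEs mapped for the file (0x12019f) do not contain DELETE, while those mapped for the directory Temp (0x1f01ff) contain both DELETE and FILE_DELETE_CHILD.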

