[Samba] Samba behaves differently than windows with layered-directory permissions
Shyam Kaushik
shyam at zadarastorage.com
Fri Jan 16 12:43:06 MST 2015
Hi Folks,
We are using samba-4.0.22. We have a very strange issue:
We have samba connected to AD & a folder layout like AA\BB\CC\
Folder AA – has explicit permission for "AD\user1"
Folder BB – does not inherit permission from AA & "AD\user1" is explicitly
removed
Folder CC – does not inherit permission from BB & "AD\user1" is added
If we browse through this folder layout in windows (logged in as
“AD\user1”) we see that
access to Folder AA - works
access to Folder BB - access denied as expected
access to Folder AA\BB\CC – works (i.e. specifying full path makes it
traverse the path & reach the end-directory, though an intermediate
directory does not have permission for the user)
The same folder/permission layout with a samba share
access to Folder AA - works
access to Folder BB - access denied as expected
access to Folder AA\BB\CC - access denied (i.e. even after specifying full
path, it fails)
>From Samba logs, this is the error that shows up (OpenDir on AA/BB level
fails for User1 & it stops there/returns error)
[2015/01/16 20:10:20.848204, 5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:421(unix_convert)
unix_convert begin: name = AA/BB/CC, dirpath = AA/BB, start = CC
[2015/01/16 20:10:20.848298, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
is_mangled CC ?
[2015/01/16 20:10:20.848363, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
is_mangled_component CC (len 2) ?
[2015/01/16 20:10:20.848421, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
is_mangled CC ?
[2015/01/16 20:10:20.848473, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
is_mangled_component CC (len 2) ?
[2015/01/16 20:10:20.848535, 5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/dir.c:1613(OpenDir)
OpenDir: Can't open AA/BB. Permission denied
[2015/01/16 20:10:20.848606, 3, pid=14604, effective(2021341, 2000514),
real(2021341, 0)]
../source3/smbd/filename.c:1150(get_real_filename_full_scan)
scan dir didn't open dir [AA/BB]
[2015/01/16 20:10:20.848661, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
is_mangled CC ?
[2015/01/16 20:10:20.848712, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
is_mangled_component CC (len 2) ?
[2015/01/16 20:10:20.848764, 5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:816(unix_convert)
New file CC
[2015/01/16 20:10:20.848830, 5, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:1050(check_name)
check_name: name AA/BB/CC failed with NT_STATUS_ACCESS_DENIED
[2015/01/16 20:10:20.848885, 3, pid=14604, effective(2021341, 2000514),
real(2021341, 0)] ../source3/smbd/filename.c:1402(filename_convert_internal)
filename_convert_internal: check_name failed for name AA/BB/CC with
NT_STATUS_ACCESS_DENIED
[2015/01/16 20:10:20.848948, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)]
../source3/smbd/smb2_server.c:2618(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at
../source3/smbd/smb2_create.c:303
[2015/01/16 20:10:20.849008, 10, pid=14604, effective(2021341, 2000514),
real(2021341, 0)]
../source3/smbd/smb2_server.c:2511(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8]
dyn[yes:1] at ../source3/smbd/smb2_server.c:2671
Is this a known issue with Samba? Any suggestions on how to fix this & make
it similar to Native Windows behavior? Any help is much appreciated. Thanks.
--Shyam
More information about the samba
mailing list