[Samba] permission denied with windows acls

Peter Carlson peter at howudodat.com
Tue Jan 30 19:17:47 UTC 2024


On 1/30/24 02:12, Rowland Penny via samba wrote:
> On Mon, 29 Jan 2024 16:42:20 -0800
> Peter Carlson via samba<samba at lists.samba.org>  wrote:
>
>> On 1/29/24 13:08, Rowland Penny via samba wrote:
>>> On Mon, 29 Jan 2024 12:51:37 -0800
>>> Peter Carlson via samba<samba at lists.samba.org>   wrote:
>>>
>>>
>>>> Just did a quick test, the big T comes after setting permissions in
>>>> windows
>>>>
>>>> root at fs1:/var/log# cd /data
>>>> root at fs1:/data# mkdir -m 1777 test2
>>> No it doesn't, you are setting it.
>>>
>>> I set the permissions on the share directory like this:
>>>
>>> mkdir -p /srv/mtest1
>>> chown root:"Domain Admins" /srv/mtest1
>>> chmod 0770 /srv/mtest1
>>>
>>> Which is what it shows here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>>> root at fs1:/data# chown root:"CARLSON\\domain admins" test2
>>>> root at fs1:/data# vi /etc/samba/smb.conf
>>>> root at fs1:/data# systemctl restart smbd.service
>>>> root at fs1:/data# ls -ald /data/*
>>>> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
>>>> drwxrwxrwt  2 root CARLSON\domain admins 4096 Jan 29 20:43 /data/test2
>>> No, I take it back (slightly), you set the permissions with 't'
>>> (which shows the sticky bit is set) and then when you change the
>>> permissions from Windows, acl_xattr removes the 'rwx' from
>>> 'others', this changes the 't' to a 'T'
>>>
>>> At least that is what I think is happening.
>>>
>>> The cure, stop setting the permissions to '1777' in the first place,
>>> use '0770'
>>>
>>> Rowland
>>>
>> ok so I reset it and used mode 0770 and it still doesn't mount
>> without domain users (or computers) as a permission
>>
>> root at fs1:/data# rm -fr test2
>> root at fs1:/data# mkdir -m 0777 test2
>> root at fs1:/data# chown root:"CARLSON\\domain admins" test2
>> root at fs1:/data# ls -ald /data/*
>> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
>> drwxrwx---+ 2 root CARLSON\domain admins 4096 Jan 30 00:30 /data/test2
>>
>> ---------------  Set Windows ACLs ---------------------
>>
> I don't understand this.
>
> I can just start the VM (debian 12, Samba 4.19.4)
> log in as 'rowland'
> go to 'Places' -> 'Computer'
> Double click 'File System'
> Double click '/mnt'
> All the mounted shares are there and I can interact with them.
>
> If I run 'mount', I find these lines:
>
> adminuser at testdm12:~$ mount
> .................
> //devstation.samdom.example.com/data on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
> //devstation.samdom.example.com/Mtest1 on /mnt/testmount1 type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
> //devstation.samdom.example.com/Mtest on /mnt/testmount type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
>
> Now remember that these are mounts, so the permissions on the client are
> going to look wrong:
>
> adminuser at testdm12:~$ sudo ls -la /mnt/testmount1
> total 12
> drwxr-xr-x 2 root root    0 Jan 30 09:44 .
> drwxr-xr-x 6 root root 4096 Jan 29 19:11 ..
> -rwxr-xr-x 1 root root   11 Jan 30 09:44 doctest1
>
> I have to go to the server to find the correct permissions:
>
> rowland at devstation:~$ ls -la /srv/mtest1
> total 20
> drwxrwx---+  2 root    domain admins 4096 Jan 30 09:44 .
> drwxr-xr-x  23 root    root          4096 Jan 29 18:54 ..
> -rwxrwxr-x+  1 rowland domain users    11 Jan 30 09:44 doctest1
>
> rowland at devstation:~$ getfacl /srv/mtest1/doctest1
> getfacl: Removing leading '/' from absolute path names
> # file: srv/mtest1/doctest1
> # owner: rowland
> # group: domain\040users
> user::rwx
> user:domain\040users:r-x
> group::r-x
> group:domain\040users:r-x
> group:rowland:rwx
> mask::rwx
> other::r-x
>
> There must be some difference between your machines and mine, but I do
> not know what.
>
> Rowland
>
I don't know what the difference might be, but at the moment, since this
works by adding the computer to the permissions, I'm OK with it. I'm
happy to keep trying to figure out the difference if it is useful to
the team. Otherwise I'm also good to let it go. I did spin up 3 new
servers (all running ubuntu 22.04.03): a new DC, FS and client, and a new
realm. The result is exactly the same. It's really bizarre. Here
is your mount next to mine.

//devstation.samdom.example.com/data on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)

//fs1.int.peter.lab/test on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.62,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1,_netdev)

Peter
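The 0770 recipe quoted from the wiki above, plus a check for the 1777-then-'T' pattern the thread discusses, as an added example that is not from the thread or the Samba project. It assumes POSIX sh with ls/awk/cut and takes the group name as a parameter, since a test box has no "Domain Admins" group.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: audit a share root
# for what the wiki step prescribes (owner/group rwx, nothing for "others",
# no sticky bit) and flag the 1777 -> 'T' case the thread discusses.
# Assumptions: POSIX sh with ls/awk/cut; the group name is a parameter.

# Symbolic mode of a path as ls prints it, e.g. drwxrwx--T+
share_mode() {
    ls -ld "$1" | awk '{print $1}'
}

# The wiki's recipe for a Windows-ACL share root (chown needs root).
# usage: setup_share_root /srv/mtest1 "Domain Admins"
setup_share_root() {
    mkdir -p "$1"
    chown root:"$2" "$1"
    chmod 0770 "$1"
}

# Returns 0 when the share root matches 0770 semantics, 1 otherwise.
# Each deviation is printed on its own line so it can be fixed.
audit_share_root() {
    dir=$1
    bits=$(share_mode "$dir" | cut -c2-10)   # drop the 'd' and any trailing '+'
    ug=$(echo "$bits" | cut -c1-6)
    other=$(echo "$bits" | cut -c7-9)
    rc=0
    [ "$ug" = "rwxrwx" ] || { echo "WARN: owner/group are not rwx ($ug)"; rc=1; }
    case $other in
        *[rwx]*) echo "WARN: 'others' has access ($other); acl_xattr strips it on the first Windows ACL edit"; rc=1 ;;
    esac
    case $other in
        ??T) echo "WARN: sticky bit without other-execute (capital T): created 1777, then stripped"; rc=1 ;;
        ??t) echo "WARN: sticky bit set; the recommended mode is 0770, not 1777"; rc=1 ;;
    esac
    return $rc
}

if [ $# -gt 0 ]; then
    audit_share_root "$1"
fi
```

Run it against the share root on the file server (not the client mount, whose modes are synthetic), e.g. `sh audit.sh /srv/mtest1`.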
