[Samba] permission denied with windows acls
Peter Carlson
peter at howudodat.com
Tue Jan 30 19:17:47 UTC 2024
On 1/30/24 02:12, Rowland Penny via samba wrote:
> On Mon, 29 Jan 2024 16:42:20 -0800
> Peter Carlson via samba<samba at lists.samba.org> wrote:
>
>> On 1/29/24 13:08, Rowland Penny via samba wrote:
>>> On Mon, 29 Jan 2024 12:51:37 -0800
>>> Peter Carlson via samba<samba at lists.samba.org> wrote:
>>>
>>>
>>>> Just did a quick test, the big T comes after setting permissions in
>>>> windows
>>>>
>>>> root at fs1:/var/log# cd /data
>>>> root at fs1:/data# mkdir -m 1777 test2
>>> No it doesn't, you are setting it.
>>>
>>> I set the permissions on the share directory like this:
>>>
>>> mkdir -p /srv/mtest1
>>> chown root:"Domain Admins" /srv/mtest1
>>> chmod 0770 /srv/mtest1
>>>
>>> Which is what it shows here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>>> root at fs1:/data# chown root:"CARLSON\\domain admins" test2
>>>> root at fs1:/data# vi /etc/samba/smb.conf
>>>> root at fs1:/data# systemctl restart smbd.service
>>>> root at fs1:/data# ls -ald /data/*
>>>> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
>>>> drwxrwxrwt  2 root CARLSON\domain admins 4096 Jan 29 20:43 /data/test2
>>> No, I take it back (slightly), you set the permissions with 't'
>>> (which shows the sticky bit is set) and then when you change the
>>> permissions from Windows, acl_xattr removes the 'rwx' from
>>> 'others', this changes the 't' to a 'T'
>>>
>>> At least that is what I think is happening.
>>>
>>> The cure, stop setting the permissions to '1777' in the first place,
>>> use '0770'
>>>
>>> Rowland
>>>
>> OK, so I reset it and used mode 0770 and it still doesn't mount
>> without domain users (or computers) as a permission.
>>
>> root at fs1:/data# rm -fr test2
>> root at fs1:/data# mkdir -m 0777 test2
>> root at fs1:/data# chown root:"CARLSON\\domain admins" test2
>> root at fs1:/data# ls -ald /data/*
>> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
>> drwxrwx---+ 2 root CARLSON\domain admins 4096 Jan 30 00:30 /data/test2
>>
>> --------------- Set Windows ACLs ---------------------
>>
> I don't understand this.
>
> I can just start the VM (debian 12, Samba 4.19.4)
> log in as 'rowland'
> go to 'Places' -> 'Computer'
> Double click 'File System'
> Double click '/mnt'
> All the mounted shares are there and I can interact with them.
>
> If I run 'mount', I find these lines:
>
> adminuser at testdm12:~$ mount
> .................
> //devstation.samdom.example.com/data on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
> //devstation.samdom.example.com/Mtest1 on /mnt/testmount1 type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
> //devstation.samdom.example.com/Mtest on /mnt/testmount type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
>
> Now remember that these are mounts, so the permissions on the client are
> going to look wrong:
>
> adminuser at testdm12:~$ sudo ls -la /mnt/testmount1
> total 12
> drwxr-xr-x 2 root root 0 Jan 30 09:44 .
> drwxr-xr-x 6 root root 4096 Jan 29 19:11 ..
> -rwxr-xr-x 1 root root 11 Jan 30 09:44 doctest1
>
> I have to go to the server to find the correct permissions:
>
> rowland at devstation:~$ ls -la /srv/mtest1
> total 20
> drwxrwx---+ 2 root domain admins 4096 Jan 30 09:44 .
> drwxr-xr-x 23 root root 4096 Jan 29 18:54 ..
> -rwxrwxr-x+ 1 rowland domain users 11 Jan 30 09:44 doctest1
>
> rowland at devstation:~$ getfacl /srv/mtest1/doctest1
> getfacl: Removing leading '/' from absolute path names
> # file: srv/mtest1/doctest1
> # owner: rowland
> # group: domain\040users
> user::rwx
> user:domain\040users:r-x
> group::r-x
> group:domain\040users:r-x
> group:rowland:rwx
> mask::rwx
> other::r-x
>
> There must be some difference between your machines and mine, but I do
> not know what.
>
> Rowland
>
I don't know what the difference might be, but at the moment, since this
works by adding the computer to the permissions, I'm OK with it. I'm
happy to keep trying to figure out the difference if it is useful to
the team. Otherwise I'm also good to let it go. I did spin up 3 new
servers (all running Ubuntu 22.04.03): a new DC, FS and client, and a new
realm. The result is exactly the same. It's really bizarre. Here
is your mount next to mine.

//devstation.samdom.example.com/data on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)

//fs1.int.peter.lab/test on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.62,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1,_netdev)
Peter
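The 't' versus 'T' change that Rowland describes in the quoted part of this thread (sticky bit set, then 'others' losing rwx when the ACL is rewritten from Windows) can be reproduced locally without Samba at all, which is a quick way to confirm that the 'T' is only a display artefact of the mode bits and not a new permission. This is an added shell example, not code from the thread or from the Samba project; it uses a scratch directory from mktemp in place of /data, omits the chown to "Domain Admins" (which needs root and a joined domain), and assumes GNU stat's -c format, as found on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: show why a directory created with 'mkdir -m 1777' ends up
# listed with a trailing 'T' once 'others' loses rwx, and what the
# wiki-recommended 0770 mode looks like by comparison.
set -e

# Constructed scratch location standing in for /data from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Symbolic mode of a path, e.g. drwxrwxrwt (GNU stat).
mode_of() {
    stat -c '%A' "$1"
}

# Tenth character of the symbolic mode:
#   't'  sticky bit set and 'others' may execute/search
#   'T'  sticky bit set but the execute bit for 'others' is cleared
#   '-'  no sticky bit, no execute for 'others'
sticky_char() {
    mode_of "$1" | cut -c10
}

# 1. Directory as created in the thread with 'mkdir -m 1777': shows 't'.
mkdir -m 1777 "$WORK/test1777"

# 2. Same start, then 'others' loses rwx (what acl_xattr did when the ACL
#    was changed from Windows): the sticky bit survives, ls now shows 'T'.
mkdir -m 1777 "$WORK/test_after_windows"
chmod o-rwx "$WORK/test_after_windows"

# 3. The setup from the Samba wiki page linked in the thread: mode 0770,
#    so no sticky bit and no access for 'others' to begin with.
mkdir -m 0770 "$WORK/test0770"

for d in test1777 test_after_windows test0770; do
    printf '%s  sticky=%s  %s\n' "$(mode_of "$WORK/$d")" \
        "$(sticky_char "$WORK/$d")" "$d"
done
```

Running it prints `drwxrwxrwt` for the first directory, `drwxrwx--T` for the second and `drwxrwx---` for the third, which matches the listings in the thread: the upper-case 'T' appears exactly when the sticky bit is present without the execute bit for 'others', so removing the sticky bit (start from 0770) is the right fix rather than trying to restore 'others' rwx.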