[Samba] [POSIX ACLs] Only ACE rules from Samba Primary Group are applied.

Nelson Vale nf-vale at critical-links.com
Thu Dec 6 12:28:00 GMT 2007


Hi,

I have a Samba 3.0.24 server running on a Debian-like OS with an
(Open)LDAP backend and I'm having the following problem:

I have LDAP users that belong to more than one (POSIX) group. For
instance, I have a user2 that belongs to group "users" and "grupo2" and
I have a share with the following ACL settings:

getfacl /home/shares/share1/
getfacl: Removing leading '/' from absolute path names
# file: home/shares/share1
# owner: user1
# group: grupo1
user::rwx
group::rwx
group:grupo2:r-x
group:users:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:grupo2:r-x
default:group:users:rw-
default:mask::rwx
default:other::---


user2 has group "grupo2" in the sambaPrimaryGroupSID in LDAP. If I login
with this user into "share1" and try to create a file it will get
"Permission Denied". If I login as user2 in system and go to share1
folder I'm able to create files, so settings are OK. Also if I use the
"write list = @users" I'm able to create files when I'm connected to the
share.


In the samba logs I can see that the ACL -> UNIX conversion seems fine:

gid_to_sid: local 100 -> S-1-22-2-100
canonicalise_acl: Access ace entries before arrange :
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms
---
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users)
SMB_ACL_GROUP perms rw-
canon_ace index 2. Type = allow SID = S-1-22-2-1001 gid 1001 (grupo2)
SMB_ACL_GROUP_OBJ perms r-x
canon_ace index 3. Type = allow SID =
S-1-5-21-822431398-922470320-1179183166-1666 uid 1666 (user2)
SMB_ACL_USER_OBJ perms rwx
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID =
S-1-5-21-822431398-922470320-1179183166-1666 uid 1666 (user2)
SMB_ACL_USER_OBJ perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users)
SMB_ACL_GROUP perms rw-
canon_ace index 2. Type = allow SID = S-1-22-2-1001 gid 1001 (grupo2)
SMB_ACL_GROUP_OBJ perms r-x
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms
---
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0


But when I try to create the file I get:

New file New Text Document (2).txt
unix_mode(New Text Document (2).txt) inheriting from .
unix_mode(New Text Document (2).txt) inherit mode 42770
unix_mode(New Text Document.txt) returning 0760
open_file_ntcreate: fname=New Text Document.txt, dos_attrs=0x80
access_mask=0x2019f share_access=0x7 create_disposition = 0x2
create_options=0x40 unix mode=0760 oplock_request=3
open_file_ntcreate: fname=New Text Document.txt, after mapping
access_mask=0x2019f
allocated file structure 2723, fnum = 6819 (2 used)
calling open_file with flags=0x2 flags2=0x80 mode=0777, access_mask =
0x2019f, open_access_mask = 0x2019f
Permission denied opening New Text Document (2).txt


If I use the "write list = @users" I get:

New file New Briefcase
[2007/12/06 13:54:04, 2] smbd/dosmode.c:unix_mode(96)
  unix_mode(New Briefcase) inheriting from .
[2007/12/06 13:54:04, 2] smbd/dosmode.c:unix_mode(104)
  unix_mode(New Briefcase) inherit mode 42770
[2007/12/06 13:54:04, 3] smbd/dosmode.c:unix_mode(147)
  unix_mode(New Briefcase) returning 0760
[2007/12/06 13:54:04, 10] smbd/open.c:open_file_ntcreate(1144)
  open_file_ntcreate: fname=New Briefcase, dos_attrs=0x80
access_mask=0x2019f share_access=0x7 create_disposition = 0x2
create_options=0x40 unix mode=0760 oplock_request=3
[2007/12/06 13:54:04, 10] smbd/open.c:open_file_ntcreate(1306)
  open_file_ntcreate: fname=New Briefcase, after mapping
access_mask=0x2019f
[2007/12/06 13:54:04, 5] smbd/files.c:file_new(126)
  allocated file structure 5967, fnum = 10063 (2 used)
[2007/12/06 13:54:04, 4] smbd/open.c:open_file_ntcreate(1545)
  calling open_file with flags=0x2 flags2=0xC0 mode=0777, access_mask =
0x2019f, open_access_mask = 0x2019f
[2007/12/06 13:54:04, 10] smbd/open.c:fd_open(56)
  fd_open: name New Briefcase, flags = 0302 mode = 0777, fd = 26.
[2007/12/06 13:54:04, 2] smbd/open.c:open_file(352)
  nelsonvale opened file New Briefcase read=Yes write=Yes (numopen=2)
[2007/12/06 13:54:04, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 1000) : sec_ctx_stack_ndx = 1
[2007/12/06 13:54:04, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/12/06 13:54:04, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/06 13:54:04, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)


What I've figured so far is that UNIX file access rules work fine, but
for POSIX ACLs only Primary Group access rules are applied for ACL
settings.

The differences I see between the two cases are in "flags2" variable in
"calling open_file" FOR THE SAME SHARE, USER AND GROUP SETTINGS:


ACLs only:
	calling open_file with flags=0x2 flags2=0x80 mode=0777, access_mask =
0x2019f, open_access_mask = 0x2019f


"write list":
	calling open_file with flags=0x2 flags2=0xC0 mode=0777, access_mask =
0x2019f, open_access_mask = 0x2019f



The smb.conf file is like:

[share1]
        security mask = 0777
        inherit owner = yes
        hide unreadable = no
        create mask = 0770
        force directory security mode = 0
        public = no
        directory security mask = 2777
        inherit acls = yes
        nt acl support = yes
        browseable = yes
        writeable = no
        inherit permissions = yes
        path = /home/shares/share1
        force security mode = 0
        directory mask = 2770
        comment = Samba Test Share

[global]
        log file = /var/log/samba.log
        ldap user suffix = ou=People
        passwd chat = *new password* %n\n *retype password* %n\n
*changed*
        idmap gid = 10000-20000
        logon drive = z:
        ldap password sync = yes
        domain master = yes
        wins proxy = no
        passdb backend = ldapsam:ldap://127.0.0.1:389
        wins support = yes
        ldap delete dn = Yes
        server string = Samba Server
        ldap machine suffix = ou=Computers
        ldap group suffix = ou=Groups
        idmap uid = 10000-20000
        logon script = netlogon.sh
        ldap suffix = dc=local,dc=loc
        local master = yes
        workgroup = SAMBAWORKGROUP
        ldap admin dn = cn=Administrator,ou=People,dc=local,dc=loc
        printcap name = cups
        security = user
        ldap idmap suffix = ou=Idmap
        preferred master = yes
        log level = 99
        domain logons = yes
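As an added example (not the poster's or Samba's code), the following runs the POSIX.1e ACL access algorithm over the share1 ACL shown above, once with user2's full group list and once with only the primary group grupo2, so the two outcomes the post describes can be compared side by side. Group membership is constructed from the post's description; write alone and write+execute are tested separately because POSIX.1e grants group-class access only when a single matching entry carries every requested bit.

```python
# Added example, not Samba code: runs the POSIX.1e ACL access algorithm over
# the share1 ACL from the post with two views of user2's group membership.
R, W, X = 4, 2, 1                       # permission bits

def parse_acl(text):
    """getfacl output -> [(tag, qualifier, bits)]; skips comments and default: entries."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            acl.append((tag, qual, sum(b for c, b in zip(perms, (R, W, X)) if c != "-")))
    return acl

def acl_permits(acl, owner, group, uid, gids, want):
    """POSIX.1e order: owner, named user, group class (file group + named groups,
    filtered by the mask), other.  A group entry grants only if it holds every requested bit."""
    base, named = {}, {"user": {}, "group": {}}
    for tag, qual, bits in acl:
        if qual:
            named[tag][qual] = bits          # user:NAME / group:NAME entries
        else:
            base[tag] = bits                 # user::, group::, mask::, other::
    mask = base.get("mask", R | W | X)
    if uid == owner:
        return base["user"] & want == want
    if uid in named["user"]:
        return named["user"][uid] & mask & want == want
    matching = [b for g, b in named["group"].items() if g in gids]
    if group in gids:
        matching.append(base["group"])
    if matching:                             # no union across entries: one entry must fit
        return any(b & mask & want == want for b in matching)
    return base["other"] & want == want

SHARE1_ACL = """user::rwx
group::rwx
group:grupo2:r-x
group:users:rw-
mask::rwx
other::---"""  # access ACL from the post; default: entries omitted (they only shape children)

def user2_permits(gids, want=W):
    """user2 (not the owner) against share1, as seen with group set gids."""
    return acl_permits(parse_acl(SHARE1_ACL), "user1", "grupo1", "user2", gids, want)

if __name__ == "__main__":
    print("all groups, write:     ", user2_permits({"grupo2", "users"}))        # True
    print("primary only, write:   ", user2_permits({"grupo2"}))                 # False
    print("all groups, write+exec:", user2_permits({"grupo2", "users"}, W | X)) # False
```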
