[Samba] Modify permission not available unless group permissions are set to write.

Andrew Masterton avenging at gmail.com
Fri Oct 29 09:57:26 MDT 2010


I've been wrestling with a problem on newer versions of Samba with a
configuration that "used" to work in Samba 3.0.33 (RedHat Enterprise 5
packages). This may be due to changes in the way Samba maps NT permissions,
but I'm not sure, so I thought I would ask.

I have a Samba 3.3.8 (RedHat Enterprise 5.5 Samba3x packages) and a Samba
3.4.4 (RedHat Enterprise 6 beta packages) installation, both connected to
Active Directory with samba/winbind set up as below (slightly adjusted from
the true workgroup/server names):

workgroup = WORK-GROUP
password server = server.ac.uk
realm = TEST.AC.UK
security = ads
idmap backend = tdb
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind offline logon = false
winbind separator = +

And a share set up as below:

[blah]
        path = /home/blah
        writeable = yes
        force user = %D+andy
        force group = apache
        valid users = %D+andy

I have the folder blah set with the following permissions:

drwxrwxr-x. 4 andy apache 4096 Oct 29 11:56 /home/blah

Inside the folder I have 2 additional folders, one with the group write bit set
and one without:

drwxrwxr-x. 3 andy apache       4096 Oct 29 15:44 withgroupperm
drwxr-xr-x. 3 andy apache 4096 Oct 29 15:50 withoutgroupperm

With this configuration I can create files and folders with no problem in either
of the subfolders by connecting as myself (andy), and I can also modify the
contents of files, but I cannot change the name of files/folders in the
subdirectory that doesn't have the group write permission set. According to
Windows I don't have the "modify" permission.

In Samba 3.0.33 on RedHat Enterprise 5 this worked, although it would appear
that even under 3.0.33 you do not have the "modify" permission set. I don't
know if this was a bug that was fixed, but I would've thought that, as the owner
of the folder, with the "rwx" permission bits set for myself and the files
also having "rwx" permissions for myself, I should be able to change the
names of files/folders that I have created within that folder via Samba?

Am I going mad?

Here is a Samba log extract at log level 10 that shows the ACL check and the
eventual access denied (on 3.4.4):

[2010/10/29 16:51:22, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0,
share_access = 0x7, create_disposition = 0x1 create_options = 0x200000
oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname =
withoutgroupperm/New Text Document.txt
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:3369(posix_get_nt_acl)
  posix_get_nt_acl: called for file withoutgroupperm
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2519(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms r-x
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
  canon_ace index 2. Type = allow SID =
S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:838(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID =
S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms r-x
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:3369(posix_get_nt_acl)
  posix_get_nt_acl: called for file withoutgroupperm/New Text Document.txt
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2519(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms r--
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:2532(canonicalise_acl)
  canon_ace index 2. Type = allow SID =
S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:838(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID =
S-1-5-21-2118997552-836320393-1615622311-6605 uid 16777216 (andy)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-495 gid 495 (apache)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r--
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms r--
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
[2010/10/29 16:51:22, 10] smbd/open.c:2952(create_file_unixpath)
  create_file_unixpath: open file withoutgroupperm/New Text Document.txt for
delete ACCESS_DENIED
[2010/10/29 16:51:22, 10] smbd/open.c:3218(create_file_unixpath)
  create_file_unixpath: NT_STATUS_ACCESS_DENIED
[2010/10/29 16:51:22, 10] smbd/open.c:3497(create_file_default)
  create_file: NT_STATUS_ACCESS_DENIED
[2010/10/29 16:51:22,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/nttrans.c(563) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED

Many thanks,

-Andrew
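The log extract above contains everything needed to see which right the rename is missing: the requested access_mask (0x110080) and the NT masks that map_canon_ace_perms produced for each POSIX ACE. The following is an added example, not code from the post or from Samba, that decodes those masks using the access-right bit values from MS-DTYP and MS-FSCC and reports which requested bits the owner's ACE does not grant. The log lines are copied from the post (with the wrapped create_file_unixpath line rejoined), and the example assumes, as this extract shows, that the first mapped ACE after each "called for file" line is the owner's.

```python
import re

# Access-mask bits from MS-DTYP (standard rights) and MS-FSCC (file rights).
# These are the bits behind the "(NT)" column Samba prints at log level 10.
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Constructed input: the relevant lines lifted from the log extract in the post,
# with the wrapped create_file_unixpath line rejoined onto one line.
SAMPLE_LOG = """\
[2010/10/29 16:51:22, 10] smbd/open.c:2896(create_file_unixpath)
  create_file_unixpath: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200000 oplock_request = 0x0 ea_list = 0x(nil), sd = 0x(nil), fname = withoutgroupperm/New Text Document.txt
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:3369(posix_get_nt_acl)
  posix_get_nt_acl: called for file withoutgroupperm
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:3369(posix_get_nt_acl)
  posix_get_nt_acl: called for file withoutgroupperm/New Text Document.txt
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1e01ff
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
[2010/10/29 16:51:22, 10] smbd/posix_acls.c:1113(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
"""

REQ_RE = re.compile(r"access_mask = 0x([0-9a-fA-F]+)")
ACL_RE = re.compile(r"posix_get_nt_acl: called for file (.+)$")
MAP_RE = re.compile(r"Mapped \(UNIX\) ([0-9a-fA-F]+) to \(NT\) ([0-9a-fA-F]+)")


def decode_mask(mask):
    """Names of the access-mask bits set in `mask`, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def missing_rights(requested, granted):
    """Requested bits that the granted mask does not cover."""
    return decode_mask(requested & ~granted)


def unix_triple(perm):
    """Render the owner-position mode bits Samba prints (e.g. 0x1c0) as rwx."""
    bits = (perm >> 6) & 0o7
    return "".join(ch if bits & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1)))


def parse_acls(log):
    """Group the map_canon_ace_perms lines under the path they belong to.

    Returns {path: [(unix_triple, nt_mask), ...]} in log order. Assumption for
    this example: the first entry under each path is the owner ACE, which is
    how the post's extract is ordered.
    """
    acls, current = {}, None
    for line in log.splitlines():
        m = ACL_RE.search(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = MAP_RE.search(line)
        if m and current is not None:
            acls[current].append((unix_triple(int(m.group(1), 16)), int(m.group(2), 16)))
    return acls


def parse_requested_mask(log):
    """The access_mask of the open request recorded by create_file_unixpath."""
    m = REQ_RE.search(log)
    return int(m.group(1), 16) if m else None


def explain(log):
    """For each object in the log, the requested rights its owner ACE lacks."""
    requested = parse_requested_mask(log)
    return {path: missing_rights(requested, aces[0][1])
            for path, aces in parse_acls(log).items()}


if __name__ == "__main__":
    req = parse_requested_mask(SAMPLE_LOG)
    print("requested:", hex(req), decode_mask(req))
    for path, aces in parse_acls(SAMPLE_LOG).items():
        print(path)
        for triple, nt in aces:
            print(f"  {triple} -> {nt:#x} {decode_mask(nt)}")
    print("owner ACE gaps:", explain(SAMPLE_LOG))
```

Run as-is, it shows that the open asks for FILE_READ_ATTRIBUTES, DELETE and SYNCHRONIZE (a rename opens the file with DELETE), that the directory's owner ACE maps rwx to 0x1f01ff, which includes DELETE, and that the file's owner ACE maps the same rwx to 0x1e01ff, which is identical except that the DELETE bit is absent. That single missing bit is consistent with the "open file ... for delete ACCESS_DENIED" line that follows in the extract. Decoding the masks this way is a quick first step when triaging NT_STATUS_ACCESS_DENIED in smbd logs, before changing any share or filesystem permissions.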
