[Samba] Samba + ACLs: Can’t add group write permissions

Quintus quintus at quintilianus.eu
Tue Mar 26 08:25:17 MDT 2013

Hi there,

I’ve been trying to get my head around a problem I have with Samba.
I’ve set up Samba 3.6.13 on a Raspberry Pi with Arch Linux ARM on it and
let it serve a couple of folders from an attached external ext4 drive
mounted to /srv/cifs (of course with the "acl" option enabled).

I’ve been trying to create a share that is read-writable for all
members of a particular UNIX user group (named "share"), but nobody
else (with the directory being at /srv/cifs/share), i.e. it has
permissions rwxrwx--- owner "root", group "share". Everything
(recursively) inside the /srv/cifs/share directory should always be
read-writable for anyone in  the "share" group. People easily forget
about setting rights themselves correctly for each file they create,
hence I wanted to modify the default ACLs for the /srv/cifs/share
directory to always allow members of group "share" to be able to read
and write all files inside that directory. The permissions I set on the
directory are as follows:

% ls -l
drwxrws---+ 2 root share     4096 26. Mär 14:24 share

% getfacl share
# file: share
# owner: root
# group: share
# flags: -s-

I’ve set the setgid bit so that additionally to the permissions the
group itself is correctly applied to new files as well. The default ACL
entries as far as I see grant all members of group "share" read and
write access, but deny it to anybody else. 

My username on that system is "quintus", and I’m member of group
"share". I can easily create a new file in the /srv/cifs/share
directory and it gets the permissions I expect from it:

(410) [14:54:55 quintus at avalon] /srv/cifs/share
% touch test
(411) [14:54:59 quintus at avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root    share 4,0K 26. Mär 14:54 .
drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
(412) [14:55:01 quintus at avalon] /srv/cifs/share
% getfacl test
# file: test
# owner: quintus
# group: share
group::rwx			#effective:rw-
group:share:rwx			#effective:rw-

That is, the file "test" belongs to "quintus" and group "share", where
the "share" group automatically has write permissions on the file.

Now I try the same via samba. That is, on another system I mount the
CIFS share to /mnt like this ("avalon" is the Raspberry Pi):

% sudo mount //avalon/share -t cifs -o user=quintus,uid=quintus /mnt

It asks for my password and then correctly mounts the directory
to /mnt. As I don’t want my local "root" user being mapped to the
"quintus" user on the remote machine so that I have to use "sudo" for
everything I instruct mount to give it to the "quintus" user (me)
instead (yes, my username is "quintus" on both machines). This works
fine. Here’s what I get when inspecting this directory from the local
machine ("hades"):

(1046) [15:04:03 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+  2 quintus 1002    0 Mar 26 14:54 .
drwxr-xr-x  20 root    root 4.0K Mar 19 17:32 ..
-rw-rw----+  1 quintus 1002    0 Mar 26 14:54 test
(1047) [15:04:04 quintus at hades] /mnt
% getfacl test
# file: test
# owner: quintus
# group: 1002
group::rwx			#effective:rw-
group:1002:rwx			#effective:rw-

Again, as expected. I don’t have that GID on my local machine (hence
it shows up as numeric), but as far as I understand Samba automatically
maps this correctly when I create new files. Now I create a new file
from the local machine:

(1048) [15:04:10 quintus at hades] /mnt
% touch test2
(1049) [15:04:41 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+  2 quintus 1002    0 Mar 26 15:04 .
drwxr-xr-x  20 root    root 4.0K Mar 19 17:32 ..
-rw-rw----+  1 quintus 1002    0 Mar 26 14:54 test
-rw-r-----+  1 quintus 1002    0 Mar 26 15:04 test2
(1050) [15:04:45 quintus at hades] /mnt
% getfacl test2
# file: test2
# owner: quintus
# group: 1002
group::rwx			#effective:r--
group:1002:rwx			#effective:r--

WTF? Where did the write access for the group go? Why do I have this
"#effective" line and how does it get calculated? And why is the "mask"
parameter different from creating the file locally on the server?

To verify, I _am_ in the "share" group:

(419) [15:08:01 quintus at avalon] /srv/cifs/share
% grep share /etc/group

The [global] section of my /etc/samba/smb.conf looks like this (yes I
really use for network addresses, but this is another
story (I experimented with it to better understand networking) and I
will reset this to something in the 192.168. area when I have more


# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = My CIFS Server

# Security mode. Defines in which mode Samba will operate. Possible 
# values are share, user, server, domain and ads. Most people will want 
# user level security. See the Samba-HOWTO-Collection for details.
   security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.
   hosts allow = 10.37. 127.

# There ain’t no printers in here!
load printers = no
printcap name = /dev/null

# Set log level to INFO.
log level = 2

The share definition looks like this:

   comment = Private share
   path = /srv/cifs/share
   public = no
   writable = yes
   printable = no
   valid users = +share

I’ve experimented with setting a number of other settings like "inherit
acls", but this didn’t change the result shown above.

I’ve been struggling with this the entire past day and was near to
writing a Cronjob that just resets the permissions every quarter
of an hour or so but I feel this is just the wrong way to do it and I
want to do this properly.

How can I achieve this automatic setting of permissions?


Blog: http://pegasus-alpha.eu/blog

ASCII-Ribbon-Kampagne        ()   | ASCII Ribbon Campaign        ()
- Stoppt HTML-E-Mail         /\   | - Against HTML E-Mail        /\
- Stoppt proprietäre Anhänge      | - Against proprietary attachments
www.asciiribbon.org/index-de.html | www.asciiribbon.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20130326/330d9d00/attachment.pgp>

More information about the samba mailing list