[Samba] Samba + ACLs: Can’t add group write permissions
Quintus
quintus at quintilianus.eu
Tue Mar 26 08:25:17 MDT 2013
Hi there,
I’ve been trying to get my head around a problem I have with Samba.
I’ve set up Samba 3.6.13 on a Raspberry Pi with Arch Linux ARM on it and
let it serve a couple of folders from an attached external ext4 drive
mounted to /srv/cifs (of course with the "acl" option enabled).
I’ve been trying to create a share that is read-writable for all
members of a particular UNIX user group (named "share"), but nobody
else (with the directory being at /srv/cifs/share), i.e. it has
permissions rwxrwx--- owner "root", group "share". Everything
(recursively) inside the /srv/cifs/share directory should always be
read-writable for anyone in the "share" group. People easily forget
about setting rights themselves correctly for each file they create,
hence I wanted to modify the default ACLs for the /srv/cifs/share
directory to always allow members of group "share" to be able to read
and write all files inside that directory. The permissions I set on the
directory are as follows:
--------------------------------------------------------------
% ls -l
drwxrws---+ 2 root share 4096 26. Mär 14:24 share
% getfacl share
# file: share
# owner: root
# group: share
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:share:rwx
default:mask::rwx
default:other::---
--------------------------------------------------------------
I’ve set the setgid bit so that additionally to the permissions the
group itself is correctly applied to new files as well. The default ACL
entries as far as I see grant all members of group "share" read and
write access, but deny it to anybody else.
My username on that system is "quintus", and I’m a member of group
"share". I can easily create a new file in the /srv/cifs/share
directory and it gets the permissions I expect from it:
--------------------------------------------------------------
(410) [14:54:55 quintus at avalon] /srv/cifs/share
% touch test
(411) [14:54:59 quintus at avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root share 4,0K 26. Mär 14:54 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
(412) [14:55:01 quintus at avalon] /srv/cifs/share
% getfacl test
# file: test
# owner: quintus
# group: share
user::rw-
group::rwx #effective:rw-
group:share:rwx #effective:rw-
mask::rw-
other::---
--------------------------------------------------------------
That is, the file "test" belongs to "quintus" and group "share", where
the "share" group automatically has write permissions on the file.
Now I try the same via samba. That is, on another system I mount the
CIFS share to /mnt like this ("avalon" is the Raspberry Pi):
% sudo mount //avalon/share -t cifs -o user=quintus,uid=quintus /mnt
It asks for my password and then correctly mounts the directory
to /mnt. As I don’t want my local "root" user to be mapped to the
"quintus" user on the remote machine (which would force me to use "sudo" for
everything), I instruct mount to give it to the "quintus" user (me)
instead (yes, my username is "quintus" on both machines). This works
fine. Here’s what I get when inspecting this directory from the local
machine ("hades"):
--------------------------------------------------------------
(1046) [15:04:03 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+ 2 quintus 1002 0 Mar 26 14:54 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw----+ 1 quintus 1002 0 Mar 26 14:54 test
(1047) [15:04:04 quintus at hades] /mnt
% getfacl test
# file: test
# owner: quintus
# group: 1002
user::rw-
group::rwx #effective:rw-
group:1002:rwx #effective:rw-
mask::rw-
other::---
--------------------------------------------------------------
Again, as expected. I don’t have that GID on my local machine (hence
it shows up as numeric), but as far as I understand Samba automatically
maps this correctly when I create new files. Now I create a new file
from the local machine:
--------------------------------------------------------------
(1048) [15:04:10 quintus at hades] /mnt
% touch test2
(1049) [15:04:41 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+ 2 quintus 1002 0 Mar 26 15:04 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw----+ 1 quintus 1002 0 Mar 26 14:54 test
-rw-r-----+ 1 quintus 1002 0 Mar 26 15:04 test2
(1050) [15:04:45 quintus at hades] /mnt
% getfacl test2
# file: test2
# owner: quintus
# group: 1002
user::rw-
group::rwx #effective:r--
group:1002:rwx #effective:r--
mask::r--
other::---
--------------------------------------------------------------
WTF? Where did the write access for the group go? Why do I have this
"#effective" line and how does it get calculated? And why is the "mask"
parameter different from creating the file locally on the server?
To verify, I _am_ in the "share" group:
(419) [15:08:01 quintus at avalon] /srv/cifs/share
% grep share /etc/group
share:x:1002:quintus
The [global] section of my /etc/samba/smb.conf looks like this (yes I
really use 10.37.0.0/16 for network addresses, but this is another
story (I experimented with it to better understand networking) and I
will reset this to something in the 192.168. area when I have more
time):
--------------------------------------------------------------
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = WORKGROUP
# server string is the equivalent of the NT Description field
server string = My CIFS Server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = user
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
hosts allow = 10.37. 127.
# There ain’t no printers in here!
load printers = no
printcap name = /dev/null
# Set log level to INFO.
log level = 2
--------------------------------------------------------------
The share definition looks like this:
--------------------------------------------------------------
[share]
comment = Private share
path = /srv/cifs/share
public = no
writable = yes
printable = no
valid users = +share
--------------------------------------------------------------
I’ve experimented with setting a number of other settings like "inherit
acls", but this didn’t change the result shown above.
I’ve been struggling with this the entire past day and was close to
writing a cron job that just resets the permissions every quarter
of an hour or so, but I feel this is just the wrong way to do it and I
want to do this properly.
How can I achieve this automatic setting of permissions?
Valete,
Marvin
--
Blog: http://pegasus-alpha.eu/blog
ASCII-Ribbon-Kampagne () | ASCII Ribbon Campaign ()
- Stoppt HTML-E-Mail /\ | - Against HTML E-Mail /\
- Stoppt proprietäre Anhänge | - Against proprietary attachments
www.asciiribbon.org/index-de.html | www.asciiribbon.org
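The "#effective" column and the changed mask that the post asks about follow the POSIX.1e ACL rules, which the following added Python example (not from the original post, nor Samba's code) reproduces: an entry's effective permissions are the entry ANDed with mask::, and when a directory carries a default ACL, a new file's mask:: is the default mask ANDed with the group bits of the creation mode the creator requested (the umask is not applied). The example feeds the post's own default ACL two requested modes: 0666, which is what a local touch asks for, and 0644, an assumed value for the mode that arrived through Samba (Samba's "create mask" parameter, default 0744, filters the mode a client requests); the first reproduces the listing for "test", the second the one for "test2".

```python
"""Reproduce getfacl's '#effective:' column and the mask a new file gets under a default ACL."""

# Constructed copy of the default ACL on /srv/cifs/share quoted in the post.
DEFAULT_ACL = """default:user::rwx
default:group::rwx
default:group:share:rwx
default:mask::rwx
default:other::---"""

def parse_acl(text, prefix=""):
    """Parse getfacl lines into (tag, qualifier, perms); comments and '#effective:' are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        if prefix and line.startswith(prefix):
            line = line[len(prefix):]
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, perms))
    return entries

def mask_perms(perms, mask):
    """Intersection of two rwx strings, e.g. ('rwx', 'r--') -> 'r--'."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective(entries):
    """Apply mask:: as getfacl does: named users, owning group and named groups are limited."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = []
    for tag, qual, perms in entries:
        limited = (tag == "user" and qual != "") or tag == "group"
        out.append((tag, qual, mask_perms(perms, mask) if mask and limited else perms))
    return out

def mode_to_rwx(bits):
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))

def new_file_acl(default_entries, mode):
    """POSIX.1e rule for a file created under a default ACL: user:: is limited by the
    owner bits of the requested mode, mask:: by its group bits, other:: by its other bits."""
    owner, group, other = (mode_to_rwx(mode >> s) for s in (6, 3, 0))
    result = []
    for tag, qual, perms in default_entries:
        if tag == "user" and qual == "":
            perms = mask_perms(perms, owner)
        elif tag == "mask":
            perms = mask_perms(perms, group)
        elif tag == "other":
            perms = mask_perms(perms, other)
        result.append((tag, qual, perms))
    return result

def effective_group_perms(default_text, mode):
    """What the owning group can actually do with a file created with this mode."""
    acl = effective(new_file_acl(parse_acl(default_text, "default:"), mode))
    return next(p for t, q, p in acl if t == "group" and q == "")
```

Running effective_group_perms(DEFAULT_ACL, 0o666) gives "rw-" (the server-side "test"), while 0o644 gives "r--" (the "test2" created through the mount), so the write bit is lost in the mask, not in the group entries themselves.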