[Samba] Samba + ACLs: Can’t add group write permissions
steve at steve-ss.com
steve at steve-ss.com
Thu Mar 28 07:48:55 MDT 2013
Hi MarvinI just tested it like this:-Made a domain group called staff.
getent group gives: staff:*:21114:lynn2,steve2-Domain users steve2 and
lynn2 are members of staff-Made a share in smb.conf:[shared]
path = /home/shared read only = No-Set the ACL on
/home/shared: chown root:staff /home/shared chmod g+s
/home/shared setfacl -R -m g:staff:rw,d:g:staff:rw /home/shareddrwxrws---+
2 root staff 4096 Mar 28 09:58 sharedwhich gives:# file: home/shared#
owner: root# group: staff# flags:
-s-user::rwxgroup::rwxgroup:staff:rw-mask::rwxother::---default:user::rwxdefault:group::rwxdefault:group:staff:rw-default:mask::rwxdefault:other::--- -
Mounted the share:mount -t cifs //hh1/shared /mnt
-osec=krb5,multiuser Here is a session with the 2 users: steve at hh1:/mnt>
su steve2Password:steve2 at hh1:/mnt> touch hola.txtsteve2 at hh1:/mnt> ls
-ltotal 1024-rwxrwx---+ 1 steve2 Domain Users 0 Mar 28 10:29
hola.txtsteve2 at hh1:/mnt> getfacl hola.txt# file: hola.txt# owner: steve2#
group:
Domain40Usersuser::rwxuser:steve2:rwxgroup::rwxgroup:Domain40Users:rwxgroup:staff:rw-mask::rwxother::---steve2 at hh1:/mnt>
su lynn2Password:lynn2 at hh1:/mnt> echo foo > hola.txtlynn2 at hh1:/mnt> cat
hola.txtfoolynn2 at hh1:/mnt> touch hola2.txtlynn2 at hh1:/mnt> ls -ltotal
2048-rwxrwx---+ 1 lynn2 Domain Users 0 Mar 28 10:30 hola2.txt-rwxrwx---+
1 steve2 Domain Users 4 Mar 28 10:30 hola.txtlynn2 at hh1:/mnt> Notes:- I set
the ACL as group rw but it appears as rwx- the sticky bit g+s is not
working for file creation on the cifs mount- the sticky bit only works on
the unmounted sharelynn2 at hh1:/home/shared> touch
hola3.txtlynn2 at hh1:/home/shared> ls -l hola3.txt-rw-rw----+ 1 lynn2 staff 0
Mar 28 10:36 hola3.txtlynn2 at hh1:/home/shared> getfacl hola3.txt# file:
hola3.txt# owner: lynn2# group: staffuser::rw-group::rwx
#effective:rw-group:staff:rw-mask::rw-other::---- - - So, a
bit of a mess. OK, so the group rw is working on this install but not for
you. How about setting the ACL's as I have them and give it another try?
Maybe mounting as multiuser also has something to do with it? HTH to clear
the confusion a bit. It's certainly got me even more ACL'd out than ever
before:(Cheers,Steve
On Thu 28/03/13 9:40 AM , Quintus wrote:Am Tue, 26 Mar 2013 19:38:48 +0100
schrieb steve :
> > WTF? Where did the write access for the group go?
> Hi Marvin
Hi Steve,
> Just a thought but I found out the hard way that when there are acl's
> set, e.g. in your file called test2, the -rw-r----- bit of the
> listing bit bears little resemblance to what the actual permissions
> are. Have you actually checked to see that the file test2 really
> isn't group writeable? Maybe worth a quick test.
I just tested it with another user and no, the file is really not
group-writable. But I found another really mysterious behaviour... This
time I’ve connected as user "steffi" who is in the "share" group as
well:
% sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt
I tried to create a file now as this user:
----------------------------------------------------
(1067) [9:28:47 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+ 2 root quintus 0 Mar 28 09:28 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw----+ 1 quintus quintus 0 Mar 26 14:54 test
-rw-r-----+ 1 quintus quintus 0 Mar 26 15:04 test2
(1068) [9:29:29 quintus at hades] /mnt
% touch test3
touch: cannot touch ‘test3’: Permission denied
(1069) [9:29:34 quintus at hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+ 2 root quintus 0 Mar 28 09:29 .
drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
-rw-rw----+ 1 quintus quintus 0 Mar 26 14:54 test
-rw-r-----+ 1 quintus quintus 0 Mar 26 15:04 test2
-rw-r-----+ 1 1002 quintus 0 Mar 28 09:29 test3
----------------------------------------------------
That is, I get a "permission denied" on the "touch" command, but the
file is there nevertheless...? How is this possible at all? Even worse,
I cannot write to the file I just created:
(1070) [9:29:35 quintus at hades] /mnt
% echo foo > test3
zsh: permission denied: test3
And no, the file is really empty (I’ve chceked it on the server via
SSH). Writing to the files owned by someone else, but still in the
"share" group doesn’t work either:
(1071) [9:31:19 quintus at hades] /mnt
% echo foo > test2
zsh: permission denied: test2
And again, this file really is empty.
On the server, the permissions are reported like this:
----------------------------------------------------
(433) [9:33:34 quintus at avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi share 0 28. Mär 09:29 test3
(434) [9:33:41 quintus at avalon] /srv/cifs/share
% getfacl test3
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx#effective:r--
group:share:rwx#effective:r--
mask::r--
other::---
----------------------------------------------------
And I cannot write to the "test3" as user "quintus" on the server, but
as user "steffi" it works (again, through SSH):
----------------------------------------------------
(436) [9:35:32 quintus at avalon] /srv/cifs/share
% echo foo > test3
zsh: permission denied: test3
(437) [9:36:55 quintus at avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi share 0 28. Mär 09:29 test3
(438) [9:36:57 quintus at avalon] /srv/cifs/share
% sudo su -s /bin/zsh - steffi
[sudo] password for quintus:
(1) [9:37:31 steffi at avalon] /
% cd /srv/cifs/share
(2) [9:37:35 steffi at avalon] /srv/cifs/share
% echo foo > test3
(3) [9:37:38 steffi at avalon] /srv/cifs/share
% ls -ahl
insgesamt 12K
drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi share 4 28. Mär 09:37 test3
(4) [9:37:39 steffi at avalon] /srv/cifs/share
% cat test3
foo
----------------------------------------------------
> Cheers,
> Steve
Any idea?
Vale,
Marvin
--
Blog: http://pegasus-alpha.eu/blog [1]">http://pegasus-alpha.eu/blog
ASCII-Ribbon-Kampagne () | ASCII Ribbon Campaign ()
- Stoppt HTML-E-Mail / | - Against HTML E-Mail /
- Stoppt proprietäre Anhänge | - Against proprietary attachments
http://www.asciiribbon.org/index-de.html
[2]">www.asciiribbon.org/index-de.html | www.asciiribbon.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba [3]
-------------------------
Message sent via Atmail Open - http://atmail.org/
Links:
------
[1] http://pegasus-alpha.eu/blog
[2] http://www.asciiribbon.org/index-de.html
[3]
http://webmail.steve-ss.com/parse.php?redirect=https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list