[Samba] Samba + ACLs: Can’t add group write permissions

steve at steve-ss.com steve at steve-ss.com
Thu Mar 28 07:48:55 MDT 2013


Hi Marvin

I just tested it like this:

- Made a domain group called staff. getent group gives:
    staff:*:21114:lynn2,steve2
- Domain users steve2 and lynn2 are members of staff
- Made a share in smb.conf:

[shared]
        path = /home/shared
        read only = No

- Set the ACL on /home/shared:

chown root:staff /home/shared
chmod g+s /home/shared
setfacl -R -m g:staff:rw,d:g:staff:rw /home/shared

drwxrws---+  2 root  staff  4096 Mar 28 09:58 shared

which gives:

# file: home/shared
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:staff:rw-
default:mask::rwx
default:other::---

- Mounted the share:

mount -t cifs //hh1/shared /mnt -osec=krb5,multiuser

Here is a session with the 2 users:

steve at hh1:/mnt> su steve2
Password:
steve2 at hh1:/mnt> touch hola.txt
steve2 at hh1:/mnt> ls -l
total 1024
-rwxrwx---+ 1 steve2 Domain Users 0 Mar 28 10:29 hola.txt
steve2 at hh1:/mnt> getfacl hola.txt
# file: hola.txt
# owner: steve2
# group: Domain\040Users
user::rwx
user:steve2:rwx
group::rwx
group:Domain\040Users:rwx
group:staff:rw-
mask::rwx
other::---
steve2 at hh1:/mnt> su lynn2
Password:
lynn2 at hh1:/mnt> echo foo > hola.txt
lynn2 at hh1:/mnt> cat hola.txt
foo
lynn2 at hh1:/mnt> touch hola2.txt
lynn2 at hh1:/mnt> ls -l
total 2048
-rwxrwx---+ 1 lynn2  Domain Users 0 Mar 28 10:30 hola2.txt
-rwxrwx---+ 1 steve2 Domain Users 4 Mar 28 10:30 hola.txt
lynn2 at hh1:/mnt>

Notes:
- I set the ACL as group rw but it appears as rwx
- the sticky bit g+s is not working for file creation on the cifs mount
- the sticky bit only works on the unmounted share:

lynn2 at hh1:/home/shared> touch hola3.txt
lynn2 at hh1:/home/shared> ls -l hola3.txt
-rw-rw----+ 1 lynn2 staff 0 Mar 28 10:36 hola3.txt
lynn2 at hh1:/home/shared> getfacl hola3.txt
# file: hola3.txt
# owner: lynn2
# group: staff
user::rw-
group::rwx              #effective:rw-
group:staff:rw-
mask::rw-
other::---

So, a bit of a mess. OK, so the group rw is working on this install but not for you. How about setting the ACLs as I have them and giving it another try? Maybe mounting as multiuser also has something to do with it? HTH to clear the confusion a bit. It's certainly got me even more ACL'd out than ever before :(

Cheers,
Steve

On Thu 28/03/13 9:40 AM, Quintus wrote:

 On Tue, 26 Mar 2013 19:38:48 +0100 steve wrote:
 > > WTF? Where did the write access for the group go?
 > Hi Marvin

 Hi Steve,

 > Just a thought but I found out the hard way that when there are acl's
 > set, e.g. in your file called test2, the -rw-r----- bit of the
 > listing bit bears little resemblance to what the actual permissions
 > are. Have you actually checked to see that the file test2 really
 > isn't group writeable? Maybe worth a quick test.

 I just tested it with another user and no, the file is really not
 group-writable. But I found another really mysterious behaviour... This
 time I’ve connected as user "steffi" who is in the "share" group as
 well:

 % sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt

 I tried to create a file now as this user:

 ----------------------------------------------------
 (1067) [9:28:47 quintus at hades] /mnt
 % ls -ahl
 total 4.0K
 drwxrws---+ 2 root quintus 0 Mar 28 09:28 .
 drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
 -rw-rw----+ 1 quintus quintus 0 Mar 26 14:54 test
 -rw-r-----+ 1 quintus quintus 0 Mar 26 15:04 test2
 (1068) [9:29:29 quintus at hades] /mnt
 % touch test3
 touch: cannot touch ‘test3’: Permission denied
 (1069) [9:29:34 quintus at hades] /mnt
 % ls -ahl
 total 4.0K
 drwxrws---+ 2 root quintus 0 Mar 28 09:29 .
 drwxr-xr-x 20 root root 4.0K Mar 19 17:32 ..
 -rw-rw----+ 1 quintus quintus 0 Mar 26 14:54 test
 -rw-r-----+ 1 quintus quintus 0 Mar 26 15:04 test2
 -rw-r-----+ 1 1002 quintus 0 Mar 28 09:29 test3
 ----------------------------------------------------

 That is, I get a "permission denied" on the "touch" command, but the
 file is there nevertheless...? How is this possible at all? Even worse,
 I cannot write to the file I just created:

 (1070) [9:29:35 quintus at hades] /mnt
 % echo foo > test3
 zsh: permission denied: test3

 And no, the file is really empty (I’ve checked it on the server via
 SSH). Writing to the files owned by someone else, but still in the
 "share" group doesn’t work either:

 (1071) [9:31:19 quintus at hades] /mnt
 % echo foo > test2
 zsh: permission denied: test2

 And again, this file really is empty.

 On the server, the permissions are reported like this:

 ----------------------------------------------------
 (433) [9:33:34 quintus at avalon] /srv/cifs/share
 % ls -ahl
 insgesamt 8,0K
 drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
 drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
 -rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
 -rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
 -rw-r-----+ 1 steffi share 0 28. Mär 09:29 test3
 (434) [9:33:41 quintus at avalon] /srv/cifs/share
 % getfacl test3
 # file: test3
 # owner: steffi
 # group: share
 user::rw-
 group::rwx              #effective:r--
 group:share:rwx         #effective:r--
 mask::r--
 other::---
 ----------------------------------------------------

 And I cannot write to the "test3" as user "quintus" on the server, but
 as user "steffi" it works (again, through SSH):

 ----------------------------------------------------
 (436) [9:35:32 quintus at avalon] /srv/cifs/share
 % echo foo > test3
 zsh: permission denied: test3
 (437) [9:36:55 quintus at avalon] /srv/cifs/share
 % ls -ahl
 insgesamt 8,0K
 drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
 drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
 -rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
 -rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
 -rw-r-----+ 1 steffi share 0 28. Mär 09:29 test3
 (438) [9:36:57 quintus at avalon] /srv/cifs/share
 % sudo su -s /bin/zsh - steffi
 [sudo] password for quintus:
 (1) [9:37:31 steffi at avalon] /
 % cd /srv/cifs/share
 (2) [9:37:35 steffi at avalon] /srv/cifs/share
 % echo foo > test3
 (3) [9:37:38 steffi at avalon] /srv/cifs/share
 % ls -ahl
 insgesamt 12K
 drwxrws---+ 2 root share 4,0K 28. Mär 09:29 .
 drwxr-xr-x 7 root root 4,0K 26. Mär 14:19 ..
 -rw-rw----+ 1 quintus share 0 26. Mär 14:54 test
 -rw-r-----+ 1 quintus share 0 26. Mär 15:04 test2
 -rw-r-----+ 1 steffi share 4 28. Mär 09:37 test3
 (4) [9:37:39 steffi at avalon] /srv/cifs/share
 % cat test3
 foo
 ----------------------------------------------------

 > Cheers,
 > Steve

 Any idea?

 Vale,
 Marvin

 --
 Blog: http://pegasus-alpha.eu/blog



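As an added illustration (my own code, not from either poster), here is a small Python model of the POSIX.1e ACL access check run over the getfacl output for test3 quoted above. It reproduces what Marvin saw on the server: quintus is denied write because the mask::r-- entry caps both group::rwx and group:share:rwx, while steffi, as owner, is checked against user::rw-, which the mask does not limit. The ACL text is a constructed copy of the listing in the mail; user and group names come from the thread.

```python
# Constructed copy of the getfacl output for test3 quoted in the thread.
TEST3_ACL = """\
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx              #effective:r--
group:share:rwx         #effective:r--
mask::r--
other::---
"""

def parse_acl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier,
    perms-set). Default entries are skipped: they only shape new files."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()   # drop getfacl's hint
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def can_access(acl_text, user, groups, want):
    """POSIX.1e order: owner entry (not masked), then a matching named user,
    then every owning-group / named-group entry the caller is in (each capped
    by mask, any one granting is enough), then other. `groups` is the set of
    groups `user` belongs to; `want` is e.g. "w" or "rw"."""
    owner, owning_group, entries = parse_acl(acl_text)
    mask = next((p for t, _, p in entries if t == "mask"), {"r", "w", "x"})
    want = set(want)
    if user == owner:
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= (p & mask)
    in_group = False
    for t, q, p in entries:
        if t == "group" and (owning_group if q == "" else q) in groups:
            in_group = True
            if want <= (p & mask):
                return True
    if in_group:
        return False                      # matched a group, but mask said no
    return want <= next(p for t, _, p in entries if t == "other")
```

The group column of `ls -l` on a file with an extended ACL shows the mask, not the owning-group entry, which is why `-rw-r-----+` and `group:share:rwx` can both be true at once.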

