[Samba] Does Samba 4 actually respect Unix file acls?

Rufe Glick rufe.glick at gmail.com
Fri Dec 19 20:05:23 MST 2014

Hello Jeremy,

Friday, December 19, 2014, 7:00:06 PM, you wrote:

> On Fri, Dec 19, 2014 at 06:31:33PM -0500, Rufe Glick wrote:
>> Hello Jeremy,

>> Friday, December 19, 2014, 4:55:21 PM, you wrote:

>> > On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
>> >> Hello Jeremy,

>> >> > Do alice and bob have the same user ids on client
>> >> > and server ?

>> >> Yes, the uids and gids are identical on both server and client machines.

>> > Then it should work. Set debug level 10 on the smbd
>> > and look for ACCESS_DENIED messages in the logs.

>> I set debug level to 10. This is the output -- http://pastebin.com/dfmHqYA7 -- I get in the '/var/log/samba/log.' file on the server side when I try to access the share as bob on the client machine (and get a Permission denied error). There are no ACCESS_DENIED messages in the logs. For reference, bob's uid/gid are 1002, alice's uid/gid are 1001.

> Hmmm. Might be a client bug. It's only doing
> a smbd_do_qfilepathinfo: SMB_QUERY_FILE_UNIX_BASIC
> call to check if it can cd into the directory,
> instead of a SMB_QUERY_POSIX_ACL: trans2
> request.

> Pinging Steve French...

By way of trial and error I seem to have found a setup that allows bob to have read-write access on
the share, but in a somewhat lame way.

First, bob's uid must be passed in the mount options:

mount -t cifs -o username=bob,password=pass,uid=1002 // /mnt/smbshare

Second, the owner's file mode bits on the directory must match or exceed those set for the other user via ACLs.
That is, if bob has full rwx permissions on the directory (via ACL) but the owner's bits are r-x, then bob won't
have rwx but only r-x permissions on the directory. As soon as I change the shared directory's owner's
(alice in this case) permissions to rwx, bob gets full permissions as well (I have to re-login).

Also, if I then try to access the share as alice I get read-only access to the share (though
now alice has rwx permissions as the directory owner). Things like 'touch file.txt' or
'echo "I am alice" > file.txt' return a Permission denied error and create an empty file.

That is weird and illogical behavior. I would appreciate it if someone could explain to me why it works this
way and whether it should work this way.

For reference, the version number returned by 'mount.cifs -V' is 6.2.
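The gap between the server's and the client's view of bob's rights, which Jeremy attributes to the client checking only SMB_QUERY_FILE_UNIX_BASIC (mode bits) instead of querying the POSIX ACL, can be reproduced offline with a small model of the POSIX.1e access check. This is an added example, not code from the thread or from Samba/cifs-utils. It models the directory from the thread (alice 1001 owns it, bob 1002 has a named-user rwx ACL entry, mask rwx) and compares the full ACL evaluation with a mode-bits-only check. The `presented_owner_uid` knob is an assumption of this example: it models a client that treats the mount uid as the owner of every file, which is consistent with the observation that the owner's bits govern bob after mounting with uid=1002, but the thread does not state that this is what the client does.

```python
"""Effective POSIX.1e ACL permissions versus a mode-bits-only check.

Added example; the uids, ACL layout and the presented_owner_uid behaviour
are constructed for illustration and are not taken from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1


def rwx(bits: int) -> str:
    """Render permission bits the way ls/getfacl do, e.g. 5 -> 'r-x'."""
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


@dataclass
class PosixAcl:
    owner_uid: int
    owner_gid: int
    user_obj: int                      # ACL_USER_OBJ: the owner's bits
    group_obj: int                     # ACL_GROUP_OBJ: the owning group's bits
    other: int                         # ACL_OTHER
    mask: Optional[int] = None         # ACL_MASK, present once named entries exist
    users: Dict[int, int] = field(default_factory=dict)   # ACL_USER: uid -> bits
    groups: Dict[int, int] = field(default_factory=dict)  # ACL_GROUP: gid -> bits

    def mode_bits(self):
        """(owner, group, other) as st_mode reports them. With a mask entry
        present, the group triplet of st_mode carries the mask, not group_obj."""
        grp = self.mask if self.mask is not None else self.group_obj
        return self.user_obj, grp, self.other


def effective_acl_perms(acl: PosixAcl, uid: int, gids: Set[int]) -> int:
    """POSIX.1e check order: owner, named user, group class (owning group and
    named groups; any matching entry that grants a bit grants it), then other.
    The mask limits every entry except ACL_USER_OBJ and ACL_OTHER."""
    mask = acl.mask if acl.mask is not None else (R | W | X)
    if uid == acl.owner_uid:
        return acl.user_obj
    if uid in acl.users:
        return acl.users[uid] & mask
    matched = [acl.group_obj] if acl.owner_gid in gids else []
    matched += [bits for gid, bits in acl.groups.items() if gid in gids]
    if matched:
        granted = 0
        for bits in matched:
            granted |= bits & mask
        return granted
    return acl.other


def mode_only_perms(acl: PosixAcl, uid: int, gids: Set[int],
                    presented_owner_uid: Optional[int] = None) -> int:
    """What a checker that sees only st_mode decides. presented_owner_uid is a
    hypothetical knob (assumption of this example): a client that reports every
    file as owned by the mount uid would compare against the owner triplet."""
    owner = acl.owner_uid if presented_owner_uid is None else presented_owner_uid
    u, g, o = acl.mode_bits()
    if uid == owner:
        return u
    if acl.owner_gid in gids:
        return g
    return o


def masked_note(acl: PosixAcl, bits: int) -> str:
    """getfacl-style '#effective:' annotation when the mask cuts an entry down."""
    if acl.mask is None or (bits & acl.mask) == bits:
        return ""
    return f"\t#effective:{rwx(bits & acl.mask)}"


def getfacl_lines(acl: PosixAcl):
    """Render the ACL in getfacl's long form."""
    lines = [f"user::{rwx(acl.user_obj)}"]
    for uid, bits in sorted(acl.users.items()):
        lines.append(f"user:{uid}:{rwx(bits)}" + masked_note(acl, bits))
    lines.append(f"group::{rwx(acl.group_obj)}" + masked_note(acl, acl.group_obj))
    for gid, bits in sorted(acl.groups.items()):
        lines.append(f"group:{gid}:{rwx(bits)}" + masked_note(acl, bits))
    if acl.mask is not None:
        lines.append(f"mask::{rwx(acl.mask)}")
    lines.append(f"other::{rwx(acl.other)}")
    return lines


def thread_scenario(owner_bits: int = R | X) -> PosixAcl:
    """Constructed approximation of the shared directory: alice (1001) owns it,
    bob (1002) holds a named-user rwx entry, the mask is rwx."""
    return PosixAcl(owner_uid=1001, owner_gid=1001, user_obj=owner_bits,
                    group_obj=R | X, other=R | X, mask=R | W | X,
                    users={1002: R | W | X})


if __name__ == "__main__":
    for owner_bits in (R | X, R | W | X):
        acl = thread_scenario(owner_bits)
        print("\n".join(getfacl_lines(acl)))
        print("bob via full ACL (server side):        ", rwx(effective_acl_perms(acl, 1002, {1002})))
        print("bob via mode bits as 'other':          ", rwx(mode_only_perms(acl, 1002, {1002})))
        print("bob via mode bits, owner forced to 1002:", rwx(mode_only_perms(acl, 1002, {1002}, 1002)))
        print()
```

With the owner's bits at r-x the server grants bob rwx through the named-user entry, while any mode-only check gives him r-x (as 'other', or as the forced owner); raising the owner's bits to rwx makes the mode-only result match the ACL, which is the "owner bits must match or exceed" effect described above. Setting the mask below rwx shows the opposite direction: `getfacl_lines` then prints `#effective:` next to bob's entry and the server itself caps him, so a mask entry is the first thing to check with `getfacl` when an ACL grant does not take effect.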
