[Samba] Does Samba 4 actually respect Unix file acls?

Rufe Glick rufe.glick at gmail.com
Sat Dec 20 13:17:36 MST 2014

Hello Steve,

Friday, December 19, 2014, 10:13:47 PM, you wrote:

> On Dec 19, 2014 9:05 PM, "Rufe Glick" <rufe.glick at gmail.com> wrote:

>> Hello Jeremy,

>> Friday, December 19, 2014, 7:00:06 PM, you wrote:

>> > On Fri, Dec 19, 2014 at 06:31:33PM -0500, Rufe Glick wrote:
>> >> Hello Jeremy,

>> >> Friday, December 19, 2014, 4:55:21 PM, you wrote:

>> >> > On Fri, Dec 19, 2014 at 03:58:58PM -0500, Rufe Glick wrote:
>> >> >> Hello Jeremy,

>> >> >> > Do alice and bob have the same user ids on client
>> >> >> > and server ?

>> >> >> Yes, the uids and gids are identical on both server and client machines.

>> >> > Then it should work. Set debug level 10 on the smbd
>> >> > and look for ACCESS_DENIED messages in the logs.

>> >> I set debug level to 10. This is the output -- http://pastebin.com/dfmHqYA7 -- I get in '/var/log/samba/log.' file on the server side when I try to access share as bob on the client machine (and get Permission denied error). There are no ACCESS_DENIED messages in the logs. For reference - bob's uid/gid are 1002, alice's uid/gid are 1001.

>> > Hmmm. Might be a client bug. It's only doing
>> > a smbd_do_qfilepathinfo: SMB_QUERY_FILE_UNIX_BASIC
>> > call to check if it can cd into the directory,
>> > instead of a SMB_QUERY_POSIX_ACL: trans2
>> > request.

>> > Pinging Steve French...

>> By way of trial and error I seem to have found a setup that allows bob to have read-write access on
>> the share, but in a somewhat lame way.

>> First bob's uid must be used with mount options:

>> mount -t cifs -o username=bob,password=pass,uid=1002 //

>> Second - the owner's file mode bits on the directory must match or exceed those that are set for the other user using acls.
>> That is, if bob has full rwx permissions on the directory (via acl), but the owner's bits are r-x, then bob won't
>> have rwx, but r-x permissions on the directory. As soon as I change the shared directory's owner's
>> (alice in this case) permissions to rwx, bob gets full permissions as well (I have to re-login).

>> Also if I then try to access the share as alice I get read-only access to the share (though
>> now alice has rwx permissions as directory owner). Things like 'touch file.txt' or
>> 'echo "I am alice" > file.txt' return Permission denied error and create an empty file.

>> That is weird and illogical behavior. I would appreciate it if someone could explain to me why it works this
>> way and if it should work this way.

>> For reference, the version number as returned by 'mount.cifs -V' is 6.2

> Have you tried mounting with noperm (and also tried multiuser mounts)?

I tried mounting with the noperm option as you suggested. The resulting
mount does take into account the Unix acl permissions. But in this
case credentials become shared among all users of the client machine.
That is, if I mount as bob and bob has read-write perms, then all
users of the client machine will have bob's permissions on the share.
And if I mount with alice's credentials, who has read-only permissions,
then all users of the client machine will have read-only permissions
on the share as well.

I haven't tried the multiuser option yet. I'll need to figure out how
it works first.

In the end what I'm trying to achieve is having two users on the local
machine, one of which has read-only and the other read-write
permissions on the remote Samba share. Other users should not have
access to the share. Also the two users should be able to access the
share without having to remount it (the same Samba credentials should
be used). Is this setup possible?
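A note on the masking behaviour described above, with an added example that is not part of this thread: on Linux, a POSIX ACL's mask entry (the one that chmod's group bits rewrite) caps every named-user entry, so `user:bob:rwx` only grants what the mask also allows, while the owner entry is never masked. The script below parses constructed getfacl-style output for a hypothetical directory and computes the effective permissions for a given user.

```shell
#!/bin/sh
# Added example (not from the thread): compute the effective permissions a
# user gets from a POSIX ACL, applying the mask entry. chmod on the
# directory rewrites the mask via the group bits, which silently caps
# named entries such as user:bob:rwx.

# Constructed sample in getfacl's output format (not captured from the
# poster's server): alice owns the directory, bob has a named entry.
SAMPLE_ACL='# file: share
# owner: alice
# group: alice
user::rwx
user:bob:rwx
group::r-x
mask::r-x
other::---'

# effective_perms <acl-text> <user>
# Prints the permissions <user> actually gets: the owner entry is taken
# as-is; a named user entry is ANDed with the mask entry.
effective_perms() {
    printf '%s\n' "$1" | awk -v who="$2" '
        /^# owner: /            { owner = $3 }
        /^user::/               { split($0, a, ":"); owner_p = a[3] }
        $0 ~ ("^user:" who ":") { split($0, a, ":"); named_p = a[3] }
        /^mask::/               { split($0, a, ":"); mask = a[3] }
        END {
            if (who == owner)   { print owner_p; exit }
            if (named_p == "")  { print "no entry"; exit }
            if (mask == "")     { print named_p; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(named_p, i, 1)
                m = substr(mask, i, 1)
                out = out ((c != "-" && c == m) ? c : "-")
            }
            print out
        }'
}

# Same ACL after the mask is widened (what chmod g+w on the directory does).
WIDE_ACL=$(printf '%s\n' "$SAMPLE_ACL" | sed 's/^mask::r-x$/mask::rwx/')
```

Running `effective_perms "$SAMPLE_ACL" bob` prints `r-x` even though bob's own entry says `rwx`; with `WIDE_ACL` it prints `rwx`, which matches the "re-login after widening the owner's bits" observation above. getfacl itself shows the same thing as an `#effective:` comment next to capped entries.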
