[Samba] Does Samba 4 actually respect Unix file acls?

Nico Kadel-Garcia nkadel at gmail.com
Sat Dec 20 18:42:11 MST 2014 

On Fri, Dec 19, 2014 at 12:47 PM, Rufe Glick <rufe.glick at gmail.com> wrote:
> Hello,
>
> After researching the subject on the internet I concluded that Samba should take into account Unix file acls. During my tests I found the opposite. Only Unix file mode bits are respected, and file acls are ignored. If my initial assumption is correct and Samba do respect Unix file acls, then I am doing something wrong. Please see the setup below and point to what I am doing wrong.

I'm sorry, but exactly which set of "file acl's" are you referring to?
NFS v4, prehaps or Linux availaility? CIFS ACL's? Because I've got to
warn you, I pursued getting NFS, and CIFS clients to work well with
Samba and Netapps, with Linux and Windows clients, and it was a
clusterfutz to manage. RHEL didn't include decent GUI's to manage
NFSv4 ACL's, the are profound hierarchy differences between CIFS and
NFSv4, and the edge cases were nightmarish.

Frankly, for most environments, the POSIX permissions are not only
vastly simpler, but the software compatibly is so much simpler as to
help make the code more stable and thus safer. I remember even Jeremy
Allison referring to the NFSv4 code in Samba as spaghetti code.

> Distribution and Samba version in use: Centos Linux 7; Samba 4.1.1

OK, right htere you've bot a problem. Samba is up to version 4.1.14,
even though RHEL and thus CentOS have never included a significant
version update since 4.1.1.

If you feel the need, feel free to work with my tools at
https://github.com/nkadel/samba4repo to get up to samba-4.1.14 or
work with ther serfnet repo. I use the build options to include the
internal Heimdal version of Kerberos, and thus include full samba-dc
packages. You might enjoy them, and I'd personally appreciate CentOS 7
testing. I'm working primarily with CentOS 6 right now, and haven't
really tested it out iin CentOS 7.


> ##### Server
>
> # Create Linux users
> useradd alice
> useradd bob
>
> # Create a directory to be shared; set ro permissions for alice using \
> # file mode bits and rw permissions for bob using file acls
> mkdir /home/smbshare
> chown alice:alice /home/smbshare
> chmod 0500 /home/smbshare

You really want  2770 for POSIX permission support. I think it's just
going to Work Much Better For You(tm).

Also, if you keep in mind that it POSIX permissions are a form of
ACL,, and tools like the CIFS protocols and NFSv4 have their own
protocols, and these are also inherent *to the  underlying file
system*, you'll be able to understand better that Samba is limited by
the underlying file system.

> setfacl -m u:bob:rwx /home/smbshare
> setfacl -m m:rwx /home/smbshare
>
> # Create a file for testing purposes
> echo 'Hello world!' > /home/smbshare/test.txt
>
> # Add users to Samba database
> pdbedit -a -u alice
> pdbedit -a -u bob
>
> # Define share in smb.conf and restart the smb daemon
> vim /etc/samba/smb.conf
>     comment = smbshare for alice(ro) and bob(rw)
>     path = /home/smbshare
>     browseable = yes
>     writeable = yes
>     valid users = alice bob
>
> systemctl reload smb
>
> # Set the SELinux permissions and open samba on firewall
> chcon -R -t samba_share_t /home/smbshare
>
> firewall-cmd --add-service=samba --permanent
> firewall-cmd --reload

SELinux has to live on top of of, and add restrictions on top of, the
underlying file system. If the underlying file system blocks access,
such as you're seeing with local file system, and POSIX, you're going
to be SOL for other more sophisticated ACL's.

If I may sugest, don't try get too clever with this. Use the POSIX,
and review how you can use simple POSIX groups instead of getting cute
with this. This will allow simple UNIX tools like "tar"  to work well,
without having to remember to use "star" to get the extra SELinux
permissions.

> ##### Client
>
> # Create Linux users
> useradd alice
> useradd bob
>
> # Mount the remote Samba share
> mkdir /mnt/smbshare
> mount -t cifs -o username=alice,password=pass //192.168.1.112/smbshare /mnt/smbshare
>
> # Now test the permissions
> su - alice
> cd /mnt/smbshare
> cat test.txt        # shows the contents of test.txt, as expected
> echo 'I am alice' > test2.txt   # permission denied, as expected
> exit
>
> su - bob
> cd /mnt/smbshare    # permission denied -- ???? NOT AS EXPECTED
> exit
>
> # I think it doesn't matter under which user to mount, but just to be sure \
> # I tried to mount using bob's credentials
> umount /mnt/smbshare
> mount -t cifs -o username=bob,password=pass //192.168.1.112/smbshare /mnt/smbshare
>
> # After checking actual permissions I got the same results as above: \
> # alice have read-only permissions (as expected), bob have no access (NOT as expected)
>
> --
> Best regards,
> Rufe
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list