[Samba] ACL ignored on cifs mounted share

Norbert Heinzelmann N.Heinzelmann at rt.tu-cottbus.de
Thu Jan 22 06:17:36 MST 2015

On 22.01.2015 at 13:14, Rowland Penny wrote:
> On 22/01/15 11:52, Norbert Heinzelmann wrote:
>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>> Hello,
>>>> I have the problem that the ACLs are ignored when I mount a share 
>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also 
>>>> tried it with Gentoo and samba 4.1.14). So I joined a member server 
>>>> like the wiki describes. Everything works fine. I can manage the 
>>>> users and permissions with the RSAT tools. For the linux side I use 
>>>> rfc2307 and winbind on the member. So every user and group has a 
>>>> uid and gid. I can login at the member server, but when I try to 
>>>> access a shared folder it failed with permission denied. Here is 
>>>> the output, I hope this helps to understand the problem:
>>>> root@client9:/home/testsamba# mount -vt cifs //server1/studis /data/studis -o user=klaus,sec=krb5
>>>> mount.cifs kernel mount options: ip=,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>>>> root@client9:/home/testsamba# getfacl /data/studis/
>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>> # file: data/studis/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:klaus:rwx
>>>> group::r-x
>>>> group:root:r-x
>>>> group:rt:rwx
>>>> group:studis:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:klaus:rwx
>>>> default:group::r-x
>>>> default:group:root:r-x
>>>> default:group:rt:rwx
>>>> default:group:studis:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>> root@client9:/home/testsamba# su klaus
>>>> klaus@client9:/home/testsamba$ id
>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>> klaus@client9:/home/testsamba$ cd /data/studis/
>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>> I don't understand why it is not working. My questions are: Should 
>>>> it work? Is it a bug or is it a problem in configuration?
>>> OK, this appears to be a Unix problem, the user on the client cannot 
>>> 'cd' into another dir, this really has nothing to do with cifs.
>>> What does ls -la /data show ?
>>> Rowland
>> Hello Rowland,
>> during my tests I set up a member server that shares a folder, so I 
>> can log in as an AD user. At this member server I could access the folder 
>> (local). But if I mount the same folder to another member it did not 
>> work. That's why I don't think it's a Unix problem but maybe I 
>> misunderstood something.
>> ls -la says
>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>> Norbert
> No it didn't, it probably said something like:
> drwxr-x---  3 root root 4096 Jan 22 11:18 .
> drwxr-xr-x 26 root root 4096 Jan 22 11:18 ..
> drwxr-xr--  2 root root 4096 Jan 22 11:18 studis
You are right. I cut the rest.
> But anyway working from what you posted 'drwxrwx---+'
> The 'd' means it is a directory
> The first 'rwx' means that the owner 'root' can read, write and enter 
> the directory
> The second 'rwx' means that members of the 'root' group can read, 
> write and enter the directory
> The last '---' means that others cannot read, write or enter the directory
> The '+' means that there are ACL's on the directory
And I mean these ACL's, as I showed in my first post, the user klaus has 
rwx rights on this folder. And he is also in the group rt which has rwx 
rights too. When I access this folder locally it works, only the cifs 
mounted folder doesn't use the ACL's. That is what I don't understand.
> Now unless 'klaus' is a member of the 'root' group, he will not be 
> able to 'cd' into the directory at the Unix level. Try changing the 
> setting with 'chmod -R o+x /data'
When I change the owner, sure, it works. But I want to use ACL's.
> Rowland
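
The two readings argued over in this thread, evaluated side by side as an added example (not code from either poster or from Samba): `acl_allows` applies the POSIX ACL check order to the getfacl entries posted above, and `mode_allows` looks only at the nine mode bits of `drwxrwx---+`. The function names and the embedded sample are constructed here; group membership is taken from the quoted `id` output.

```python
# Constructed sample: the access ACL and names quoted in the first post.
GETFACL = """\
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning group, access entries); default: lines are skipped."""
    meta, entries = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and ": " in line:
            key, value = line[2:].split(": ", 1)
            meta[key] = value.strip()
        elif line.strip() and not line.startswith(("#", "default:")):
            tag, who, perms = line.split("#")[0].strip().split(":")
            entries.append((tag, who, set(perms) - {"-"}))
    return meta["owner"], meta["group"], entries

def acl_allows(text, user, groups, want):
    """POSIX ACL check order: owner, named user, group class, then other."""
    owner, owning_group, entries = parse_getfacl(text)
    want = set(want)
    find = lambda tag, who: next((p for t, w, p in entries if t == tag and w == who), None)
    mask = find("mask", "")
    cap = lambda p: p if mask is None else p & mask  # mask limits named users and groups
    if user == owner:
        return want <= find("user", "")
    if find("user", user) is not None:
        return want <= cap(find("user", user))
    matched = [p for t, w, p in entries if t == "group" and (w or owning_group) in groups]
    if matched:  # a matching group entry decides; 'other' is not consulted
        return any(want <= cap(p) for p in matched)
    return want <= find("other", "")

def mode_allows(ls_mode, owner, group, user, groups, want):
    """Owner/group/other check using only the nine mode bits of an ls -l string."""
    bits = ls_mode[1:10]
    cls = bits[0:3] if user == owner else bits[3:6] if group in groups else bits[6:9]
    return set(want) <= set(cls) - {"-"}
```

For klaus (group rt) the ACL check grants `x` on the directory through the `user:klaus:rwx` entry, while the mode-bit check falls through to the `---` for others and refuses.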

