[Samba] ACL ignored on cifs mounted share

Norbert Heinzelmann N.Heinzelmann at rt.tu-cottbus.de
Thu Jan 22 07:44:52 MST 2015


On 22.01.2015 at 13:37, Rowland Penny wrote:
> On 22/01/15 12:22, Norbert Heinzelmann wrote:
>> On 22.01.2015 at 13:14, Rowland Penny wrote:
>>> On 22/01/15 11:52, Norbert Heinzelmann wrote:
>>>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have the problem that the ACLs are ignored when I mount a share 
>>>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also 
>>>>>> tried it with Gentoo and samba 4.1.14). So I joined a member 
>>>>>> server like the wiki describes. Everything works fine. I can 
>>>>>> manage the users and permissions with the RSAT tools. For the 
>>>>>> linux side I use rfc2307 and winbind on the member. So every user 
>>>>>> and group has a uid and gid. I can login at the member server, 
>>>>>> but when I try to access a shared folder it failed with 
>>>>>> permission denied. Here is the output, I hope this helps to 
>>>>>> understand the problem:
>>>>>>
>>>>>> root@client9:/home/testsamba# mount -vt cifs //server1/studis 
>>>>>> /data/studis -o user=klaus,sec=krb5
>>>>>> mount.cifs kernel mount options: 
>>>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=******** 
>>>>>>
>>>>>> root@client9:/home/testsamba# getfacl /data/studis/
>>>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>>>> # file: data/studis/
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:klaus:rwx
>>>>>> group::r-x
>>>>>> group:root:r-x
>>>>>> group:rt:rwx
>>>>>> group:studis:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:klaus:rwx
>>>>>> default:group::r-x
>>>>>> default:group:root:r-x
>>>>>> default:group:rt:rwx
>>>>>> default:group:studis:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> root@client9:/home/testsamba# su klaus
>>>>>> klaus@client9:/home/testsamba$ id
>>>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>>>> klaus@client9:/home/testsamba$ cd /data/studis/
>>>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>>>
>>>>>> I don't understand why it is not working. My questions are: 
>>>>>> Should it work? Is it a bug or is it a problem in configuration?
>>>>>>
>>>>>
>>>>> OK, this appears to be a Unix problem, the user on the client 
>>>>> cannot 'cd' into another dir, this really has nothing to do with 
>>>>> cifs.
>>>>>
>>>>> What does ls -la /data show ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Hello Rowland,
>>>>
>>>> During my tests I set up a member server that shares a folder, so I 
>>>> can login as AD user. At this member server I could access the 
>>>> folder (local). But if I mount the same folder to another member it 
>>>> did not work. That's why I don't think it's a Unix problem but maybe I 
>>>> misunderstood something.
>>>>
>>>> ls -la says
>>>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>>>>
>>>>
>>>>
>>>> Norbert
>>>
>>> No it didn't, it probably said something like:
>>>
>>> drwxr-x---  3 root root 4096 Jan 22 11:18 .
>>> drwxr-xr-x 26 root root 4096 Jan 22 11:18 ..
>>> drwxr-xr--  2 root root 4096 Jan 22 11:18 studis
>>>
>> You are right. I cut the rest.
>>> But anyway working from what you posted 'drwxrwx---+'
>>> The 'd' means it is a directory
>>> The first 'rwx' means that the owner 'root' can read, write and 
>>> enter the directory
>>> The second 'rwx' means that members of the 'root' group can read, 
>>> write and enter the directory
>>> The last '---' means that others cannot read, write or enter the 
>>> directory
>>> The '+' means that there are ACL's on the directory
>>>
>> And I mean these ACL's, as I showed in my first post, the user klaus 
>> has rwx rights on this folder. And he is also in the group rt which 
>> has rwx rights too. When I access this folder locally it works, only 
>> the cifs mounted folder doesn't use the ACL's. That is what I don't 
>> understand.
>>> Now unless  'klaus' is a member of the 'root' group, he will not be 
>>> able to 'cd' into the directory at the Unix level. Try changing the 
>>> setting with 'chmod -R o+x /data'
>>>
>> When I change the owner, sure it works. But I want to use ACL's.
>>> Rowland
>> Norbert
>
> ACL's = WINDOWS
> acl's = UNIX
>
> When 'klaus' tries to 'cd' he will use acl's, so at the Unix level he 
> needs access.
>
> Try having a look here: 
> http://linuxcostablanca.blogspot.co.uk/2013/05/samba-3615-file-server-for-samba-406-ad.html
>
> It may give you the required hints.
>
> Rowland
>
It didn't help me. When I try, i.e. with force group, I get an 
input/output error when I try to mount the share.

Norbert
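
Added example, not part of any message in this thread: a small Python evaluation of the getfacl output and the 'drwxrwx---+' listing quoted above, comparing the POSIX.1e draft ACL access check with a check on the nine mode characters alone. The function names are hypothetical, the sample is transcribed from the thread's output, and root's privilege override is not modelled.

```python
# Constructed sample: access entries transcribed from the getfacl output quoted in the thread.
GETFACL = """\
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def acl_allows(text, user, groups, want):
    """POSIX.1e draft check order: owner, named user, matching groups, other."""
    owner, group, entries = parse_getfacl(text)
    get = lambda tag, qual="": next((p for t, q, p in entries if t == tag and q == qual), None)
    mask = get("mask")
    masked = lambda p: p if mask is None else p & mask  # mask caps non-owner entries
    if user == owner:
        return want <= get("user")
    named = get("user", user)
    if named is not None:
        return want <= masked(named)
    group_perms = [p for t, q, p in entries if t == "group" and (q or group) in groups]
    if group_perms:
        return any(want <= masked(p) for p in group_perms)
    return want <= get("other")

def mode_bits_allow(mode, owner, group, user, groups, want):
    """Check only the nine permission characters shown by ls -l."""
    cls = mode[0:3] if user == owner else mode[3:6] if group in groups else mode[6:9]
    return want <= set(cls) - {"-"}
```

For klaus (only group rt, per the `id` output), `acl_allows(GETFACL, "klaus", {"rt"}, {"x"})` is True through the `user:klaus:rwx` entry, while `mode_bits_allow("rwxrwx---", "root", "root", "klaus", {"rt"}, {"x"})` is False because he falls into the `other` class.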


