[Samba] ACL ignored on cifs mounted share

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 22 09:17:21 MST 2015


On 22/01/15 12:57, Norbert Heinzelmann wrote:
> On 22.01.2015 at 12:28, Rowland Penny wrote:
>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>> Hello,
>>>
>>> I have the problem that the ACLs are ignored when I mount a share 
>>> via cifs. I have an AD with Samba 4.1.6 on Ubuntu 14.04 (but I also 
>>> tried it with Gentoo and Samba 4.1.14). So I joined a member server 
>>> as the wiki describes. Everything works fine. I can manage the 
>>> users and permissions with the RSAT tools. For the Linux side I use 
>>> rfc2307 and winbind on the member. So every user and group has a uid 
>>> and gid. I can log in at the member server, but when I try to access 
>>> a shared folder it fails with permission denied. Here is the 
>>> output, I hope this helps to understand the problem:
>>>
>>> root@client9:/home/testsamba# mount -vt cifs //server1/studis /data/studis -o user=klaus,sec=krb5
>>> mount.cifs kernel mount options: 
>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=********
>>> root@client9:/home/testsamba# getfacl /data/studis/
>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>> # file: data/studis/
>>> # owner: root
>>> # group: root
>>> user::rwx
>>> user:root:rwx
>>> user:klaus:rwx
>>> group::r-x
>>> group:root:r-x
>>> group:rt:rwx
>>> group:studis:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:klaus:rwx
>>> default:group::r-x
>>> default:group:root:r-x
>>> default:group:rt:rwx
>>> default:group:studis:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root@client9:/home/testsamba# su klaus
>>> klaus@client9:/home/testsamba$ id
>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>> klaus@client9:/home/testsamba$ cd /data/studis/
>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>
>>> I don't understand why it is not working. My questions are: Should 
>>> it work? Is it a bug or is it a problem in the configuration?
>>>
>>
>> OK, this appears to be a Unix problem: the user on the client cannot 
>> 'cd' into another dir. This really has nothing to do with cifs.
>>
>> What does ls -la /data show?
>>
>> Rowland
>>
>>
> Hello Rowland,
>
> during my tests I set up a member server that shares a folder, so I can 
> log in as an AD user. At this member server I could access the folder 
> (locally). But if I mount the same folder on another member it did not 
> work. That's why I don't think it's a Unix problem, but maybe I 
> misunderstood something.
>
> ls -la says
> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>
>
>
> Norbert

OK, it has been a while since I last mounted a dir from one Linux machine to 
another, so I had to refresh my memory by doing it again :-)

Here is what I did (I actually mounted my home dir on my laptop to 
another machine).

The share in smb.conf on my laptop is simply this:

[homes]
         comment = Home Directories
         browseable = no
         read only = no

I created a new user on the DC:
samba-tool user add cifsuser
Gave 'cifsuser' a uidNumber and gidNumber.

Next on the client:

Extract and merge a keytab:
cd /etc
ktutil
ktutil:  add_entry -password -p cifsuser@EXAMPLE.COM -k 1 -e arcfour-hmac
Password for cifsuser@EXAMPLE.COM:
ktutil:  wkt cifs.keytab
ktutil:  rkt krb5.keytab
ktutil:  rkt cifs.keytab
ktutil:  wkt krb5.keytab
ktutil:  quit

Restarted samba & winbind to make sure that everything was correct.

Now that I had the keytab, I tried to mount my homedir:

mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o sec=krb5,username=cifsuser,multiuser

root@test2:~# ls -la /mnt
total 16388
drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
-rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
-rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and so on.

So it works for me.

Rowland
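The two views quoted in this thread disagree: the getfacl output says klaus has rwx on /data/studis (via user:klaus and group:rt, under an rwx mask), while the ls -la line shows plain mode bits of drwxrwx--- owned by root:root, under which uid 10000 falls into "other" and gets nothing. The following is an added example, not code from the thread or from Samba: it parses the quoted getfacl output, applies the POSIX.1e access-check order (owner, named user, owning and named groups under the mask, other), and compares the result with a plain mode-bit check of the kind the cifs client performs locally against the owner, group and mode it presents for a mounted directory. The sample getfacl text and mode string are copied from the thread; the user and group names passed to compare() are constructed.

```python
# Added example: POSIX ACL check versus plain mode-bit check for one user.
# Constructed sample input: the getfacl output and ls -la mode quoted in
# the thread for /data/studis (owner root, group root, mode drwxrwx---+).
GETFACL_OUTPUT = """\
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
default:user::rwx
default:user:klaus:rwx
default:group:studis:rwx
default:mask::rwx
default:other::---
"""
LS_MODE = "drwxrwx---+"


def parse_perms(text):
    """'rwx' / 'r-x' / '---' -> frozenset of granted permission letters."""
    return frozenset(c for c in text if c in "rwx")


def parse_getfacl(text):
    """Return (owner, group, entries) with entries[(tag, qualifier)] = perms.

    'default:' entries only seed the ACLs of newly created children; they
    play no part in the access check on this directory and are skipped.
    """
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries[(tag, qualifier)] = parse_perms(perms)
    return owner, group, entries


def acl_permits(acl_text, user, groups, want):
    """POSIX.1e access check: owner -> named user -> groups -> other.

    Any matching group entry that grants the request wins; if groups match
    but none grants, access is denied without falling through to 'other'.
    The mask caps named-user and group entries, not owner or other.
    """
    want = parse_perms(want)
    owner, group, ent = parse_getfacl(acl_text)
    mask = ent.get(("mask", ""))

    def masked(perms):
        return perms if mask is None else perms & mask

    if user == owner:
        return want <= ent[("user", "")]
    if ("user", user) in ent:
        return want <= masked(ent[("user", user)])
    matched = False
    for g in groups:
        if g == group:
            matched = True
            if want <= masked(ent[("group", "")]):
                return True
        if ("group", g) in ent:
            matched = True
            if want <= masked(ent[("group", g)]):
                return True
    if matched:
        return False
    return want <= ent[("other", "")]


def mode_permits(mode_str, owner, group, user, groups, want):
    """Plain owner/group/other check on an ls -la mode such as 'drwxrwx---+'."""
    bits = mode_str[1:10]
    if user == owner:
        cls = bits[0:3]
    elif group in groups:
        cls = bits[3:6]
    else:
        cls = bits[6:9]
    return parse_perms(want) <= parse_perms(cls)


def compare(user, groups, want="x"):
    """(ACL verdict, mode-bit verdict) for 'want' on the sample directory."""
    owner, group, _ = parse_getfacl(GETFACL_OUTPUT)
    return (acl_permits(GETFACL_OUTPUT, user, groups, want),
            mode_permits(LS_MODE, owner, group, user, groups, want))


if __name__ == "__main__":
    # klaus (uid 10000, primary group rt) as in the thread: the ACL grants
    # him search permission, the bare mode bits deny it.
    print("klaus:", compare("klaus", ["rt"]))   # (True, False)
    print("root:", compare("root", ["root"]))   # (True, True)
```

Run it as-is to reproduce the mismatch from the thread: for klaus the ACL verdict is True and the mode-bit verdict is False, which is exactly the server-side view versus the client-side view. That is the practical reason behind Rowland's recipe: with a Kerberos keytab and the multiuser mount option, each user's own credentials are sent to the server, so the server enforces the ACL under that identity instead of the client deciding from the root:root mode bits it was handed. mount.cifs also documents a noperm option that turns off the client-side check entirely; its man page notes that this exposes the mount to other local users on the client, so per-user credentials are the better fit for a shared member server.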
