[Samba] ACL ignored on cifs mounted share

Norbert Heinzelmann N.Heinzelmann at rt.tu-cottbus.de
Fri Jan 23 00:34:31 MST 2015


On 22.01.2015 at 17:17, Rowland Penny wrote:
> On 22/01/15 12:57, Norbert Heinzelmann wrote:
>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>> Hello,
>>>>
>>>> I have the problem that the ACLs are ignored when I mount a share 
>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also 
>>>> tried it with Gentoo and samba 4.1.14). So I joined a member server 
>>>> like the wiki describes. Everything works fine. I can manage the 
>>>> users and permissions with the RSAT tools. For the linux side I use 
>>>> rfc2307 and winbind on the member. So every user and group has a 
>>>> uid and gid. I can login at the member server, but when I try to 
>>>> access a shared folder it failed with permission denied. Here is 
>>>> the output, I hope this helps to understand the problem:
>>>>
>>>> root at client9:/home/testsamba# mount -vt cifs //server1/studis 
>>>> /data/studis -o user=klaus,sec=krb5
>>>> mount.cifs kernel mount options: 
>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=******** 
>>>>
>>>> root at client9:/home/testsamba# getfacl /data/studis/
>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>> # file: data/studis/
>>>> # owner: root
>>>> # group: root
>>>> user::rwx
>>>> user:root:rwx
>>>> user:klaus:rwx
>>>> group::r-x
>>>> group:root:r-x
>>>> group:rt:rwx
>>>> group:studis:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:klaus:rwx
>>>> default:group::r-x
>>>> default:group:root:r-x
>>>> default:group:rt:rwx
>>>> default:group:studis:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at client9:/home/testsamba# su klaus
>>>> klaus at client9:/home/testsamba$ id
>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>> klaus at client9:/home/testsamba$ cd /data/studis/
>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>
>>>> I don't understand why it is not working. My questions are: Should 
>>>> it work? Is it a bug or is it a problem in configuration?
>>>>
>>>
>>> OK, this appears to be a Unix problem, the user on the client cannot 
>>> 'cd' into another dir, this really has nothing to do with cifs.
>>>
>>> What does ls -la /data show ?
>>>
>>> Rowland
>>>
>>>
>> Hello Rowland,
>>
>> during my tests I set up a member server that shares a folder, so I 
>> can log in as an AD user. At this member server I could access the folder 
>> (locally). But if I mount the same folder on another member it did not 
>> work. That's why I don't think it's a Unix problem, but maybe I 
>> misunderstood something.
>>
>> ls -la says
>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>>
>>
>>
>> Norbert
>
> OK, it has been a while since I last mounted a dir from one linux machine to 
> another, so I had to refresh my memory by doing it again :-)
>
> Here is what I did, (I actually mounted my home dir on my laptop to 
> another machine)
>
> The share in smb.conf on my laptop is simply this:
>
> [homes]
>         comment = Home Directories
>         browseable = no
>         read only = no
>
> I created a new user on the DC:
> samba-tool user add cifsuser
> Gave 'cifsuser' a uidNumber and gidNumber
>
> Next on the client:
>
> Extract and merge a keytab:
> cd /etc
> ktutil
> ktutil:  add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e arcfour-hmac
> Password for cifsuser at EXAMPLE.COM:
> ktutil:  wkt cifs.keytab
> ktutil:  rkt krb5.keytab
> ktutil:  rkt cifs.keytab
> ktutil:  wkt krb5.keytab
> ktutil:  quit
>
> Restarted samba & winbind to make sure that everything was correct.
>
> Now I had the keytab, I tried to mount my homedir:
>
> mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o 
> sec=krb5,username=cifsuser,multiuser
>
> root at test2:~# ls -la /mnt
> total 16388
> drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
> drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
> drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
> -rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
> -rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
> drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
> drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
> drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
> drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
> drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> and so on.
>
> So it works for me.
>
> Rowland

Thank you very much for all your efforts, but I think we are talking at 
cross-purposes. What you wrote worked for me too, but this isn't the 
problem. The question is why extended ACLs (the "+" sign) only work 
at the server and not at the client that mounts the share with cifs. I 
can query them with getfacl on both sides, they are shown correctly, 
but they are ignored at the client. That's the point: it seems that 
these rights are not transferred to the client.

Norbert
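To make the "+" discussion concrete, here is an added example (not from the thread or from Samba) that parses getfacl output and evaluates it the way a POSIX.1e access check does: owner entry first, then named user entries, then owning-group and named-group entries (both subject to the mask), then other. The sample ACL text is the access ACL from Norbert's getfacl output above (default entries omitted); the user and group names passed in are constructed for illustration. It shows that klaus is granted rwx by the named-user entry even though the mode bits (drwxrwx--- root root) alone would deny him, which is the server-side result the thread expects.

```python
"""Evaluate a POSIX ACL (getfacl output) for a given user.

Added example for the samba-list thread above; it is not Samba code.
Evaluation order follows acl(5): owner, named users, owning/named groups
(masked), other. Default entries only apply to newly created children and
are skipped for the access check.
"""
import re

# Constructed sample: access ACL copied from the getfacl output in the thread.
SAMPLE_GETFACL = """\
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'r-x' -> 5; characters other than r/w/x are ignored."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def parse_getfacl(text: str) -> dict:
    """Parse getfacl text into owner/group names, per-entry bits, mask, other."""
    acl = {"owner": None, "group": None, "owner_perm": 0, "group_perm": 0,
           "users": {}, "groups": {}, "mask": None, "other": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Header lines: '# owner: root', '# group: root' (others ignored)
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()  # drop '#effective:...' notes
        if line.startswith("default:"):
            continue
        tag, qualifier, perm = line.split(":", 2)
        bits = perm_to_bits(perm)
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = bits
            else:
                acl["owner_perm"] = bits
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = bits
            else:
                acl["group_perm"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
    return acl


def check_access(acl: dict, user: str, groups, requested: str) -> bool:
    """True if `user` (member of `groups`) is granted all of `requested`.

    The first matching class decides; within the group class any single
    matching entry that contains all requested bits grants access.
    """
    want = perm_to_bits(requested)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        return acl["owner_perm"] & want == want  # owner is not masked
    if user in acl["users"]:
        return acl["users"][user] & mask & want == want
    matching = []
    if acl["group"] in groups:
        matching.append(acl["group_perm"])
    matching += [bits for name, bits in acl["groups"].items() if name in groups]
    if matching:
        return any(bits & mask & want == want for bits in matching)
    return acl["other"] & want == want


def effective_perms(acl: dict, user: str, groups) -> str:
    """Render the per-bit result as an 'rwx'-style string."""
    return "".join(c if check_access(acl, user, groups, c) else "-" for c in "rwx")


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    # klaus: uid klaus, primary group rt (as in the thread's `id` output)
    print("klaus:", effective_perms(acl, "klaus", {"rt"}))
    print("member of studis only:", effective_perms(acl, "alice", {"studis"}))
    print("unrelated user:", effective_perms(acl, "bob", {"users"}))
```

Run it as-is to see klaus and any studis member evaluate to rwx while an unrelated user gets ---. Lowering the mask (for example `setfacl -m m::r-x`) caps every named-user and group entry but not the owner, which the evaluator reproduces; comparing this local result with what the cifs client actually allows is a quick way to tell whether a denial comes from the ACL itself or from the client side of the mount.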