[Samba] ACL ignored on cifs mounted share

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 23 02:19:44 MST 2015


On 23/01/15 07:34, Norbert Heinzelmann wrote:
>
> On 22.01.2015 at 17:17 Rowland Penny wrote:
>> On 22/01/15 12:57, Norbert Heinzelmann wrote:
>>> On 22.01.2015 at 12:28 Rowland Penny wrote:
>>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>>> Hello,
>>>>>
>>>>> I have the problem that the ACLs are ignored when I mount a share 
>>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also 
>>>>> tried it with Gentoo and samba 4.1.14). So I joined a member 
>>>>> server like the wiki describes. Everything works fine. I can 
>>>>> manage the users and permissions with the RSAT tools. For the 
>>>>> linux side I use rfc2307 and winbind on the member. So every user 
>>>>> and group has a uid and gid. I can login at the member server, but 
>>>>> when I try to access a shared folder it failed with permission 
>>>>> denied. Here is the output, I hope this helps to understand the 
>>>>> problem:
>>>>>
>>>>> root at client9:/home/testsamba# mount -vt cifs //server1/studis 
>>>>> /data/studis -o user=klaus,sec=krb5
>>>>> mount.cifs kernel mount options: 
>>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=******** 
>>>>>
>>>>> root at client9:/home/testsamba# getfacl /data/studis/
>>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>>> # file: data/studis/
>>>>> # owner: root
>>>>> # group: root
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:klaus:rwx
>>>>> group::r-x
>>>>> group:root:r-x
>>>>> group:rt:rwx
>>>>> group:studis:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:klaus:rwx
>>>>> default:group::r-x
>>>>> default:group:root:r-x
>>>>> default:group:rt:rwx
>>>>> default:group:studis:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> root at client9:/home/testsamba# su klaus
>>>>> klaus at client9:/home/testsamba$ id
>>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>>> klaus at client9:/home/testsamba$ cd /data/studis/
>>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>>
>>>>> I don't understand why it is not working. My questions are: Should 
>>>>> it work? Is it a bug or is it a problem in configuration?
>>>>>
>>>>
>>>> OK, this appears to be a Unix problem: the user on the client 
>>>> cannot 'cd' into another dir. This really has nothing to do with cifs.
>>>>
>>>> What does ls -la /data show ?
>>>>
>>>> Rowland
>>>>
>>>>
>>> Hello Rowland,
>>>
>>> while my tests I set up a member server that shares a folder, so I 
>>> can login as AD user. At this member server I could access the 
>>> folder (local). But if I mount the same folder to another member it 
>>> did not work. That's why I don't think it's a Unix problem, but maybe I 
>>> misunderstood something.
>>>
>>> ls -la says
>>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>>>
>>>
>>>
>>> Norbert
>>
>> OK, it has been a while since I last mounted a dir from one linux machine to 
>> another, so I had to refresh my memory by doing it again :-)
>>
>> Here is what I did, (I actually mounted my home dir on my laptop to 
>> another machine)
>>
>> The share in smb.conf on my laptop is simply this:
>>
>> [homes]
>>         comment = Home Directories
>>         browseable = no
>>         read only = no
>>
>> I created a new user on the DC:
>> samba-tool user add cifsuser
>> Gave 'cifsuser' a uidNumber and gidNumber
>>
>> Next on the client:
>>
>> Extract and merge a keytab:
>> cd /etc
>> ktutil
>> ktutil:  add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e 
>> arcfour-hmac
>> Password for cifsuser at EXAMPLE.COM:
>> ktutil:  wkt cifs.keytab
>> ktutil:  rkt krb5.keytab
>> ktutil:  rkt cifs.keytab
>> ktutil:  wkt krb5.keytab
>> ktutil:  quit
>>
>> Restarted samba & winbind to make sure that everything was correct.
>>
>> Now I had the keytab, I tried to mount my homedir:
>>
>> mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o 
>> sec=krb5,username=cifsuser,multiuser
>>
>> root at test2:~# ls -la /mnt
>> total 16388
>> drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
>> drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
>> drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
>> -rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
>> -rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
>> drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
>> drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
>> drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
>> drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
>> drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> and so on.
>>
>> So it works for me.
>>
>> Rowland
>
> Thank you very much for all your efforts, but I think we talk at 
> cross-purposes. What you wrote worked for me too, but this isn't the 
> problem. The question is why extended acls (the "+" sign) are only working 
> at the server and not at the client that mounts the share with cifs. I 
> can ask for them with getfacl on both sides, they will be shown 
> correctly, but they will be ignored at the client. That's the point: 
> it seems that these rights are not transferred to the client.
>
> Norbert
>
>

If you connect to a Samba share from a windows client it will honour any 
ACLs (the + sign) set on the share because that is what it expects to find.

If you login to the computer, the user is now a Unix user and will 
ignore the ACLs and use the Unix acls (rwx) because that is what it 
expects to find.

So as I said:

WINDOWS USER = ACL

UNIX USER = acl

Rowland
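To make the difference between the two checks concrete, here is an added example (not code from the thread or from Samba) that evaluates the ACL Norbert posted for /data/studis both ways: once as a POSIX ACL, following the evaluation order described in acl(5), and once as the plain owner/group/other mode bits a Unix user is judged by. The getfacl text is a constructed copy of the output in the thread; principals are matched by name rather than uid/gid, and the extra users eva and bob are assumed for illustration. It shows why klaus (uid 10000, group rt) is granted `x` on the directory by the ACL but refused by the mode bits, which is exactly the "permission denied" on the client.

```python
"""Compare a POSIX ACL check with a plain mode-bit check for /data/studis.
Added example; the getfacl text is a constructed copy of the thread's output
and the ACL rules follow acl(5) (POSIX 1003.1e draft 17)."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed copy of the access-ACL part of the getfacl output in the thread.
GETFACL_STUDIS = """\
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: Set[str] = field(default_factory=set)            # user::
    group_obj: Set[str] = field(default_factory=set)           # group::
    other: Set[str] = field(default_factory=set)               # other::
    mask: Optional[Set[str]] = None                            # mask::
    users: Dict[str, Set[str]] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group:NAME:


def _perms(text: str) -> Set[str]:
    """'r-x' -> {'r', 'x'}; dashes and any '#effective:' suffix are dropped."""
    return {c for c in text.split("#")[0].strip() if c in "rwx"}


def parse_getfacl(text: str) -> Acl:
    """Parse the access ACL from getfacl output; default: entries are skipped."""
    acl = Acl()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, perms = line.split(":", 2)
            bits = _perms(perms)
            if tag == "user" and qualifier:
                acl.users[qualifier] = bits
            elif tag == "user":
                acl.user_obj = bits
            elif tag == "group" and qualifier:
                acl.groups[qualifier] = bits
            elif tag == "group":
                acl.group_obj = bits
            elif tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
    return acl


def acl_permits(acl: Acl, user: str, groups: Set[str], requested: str) -> bool:
    """acl(5) order: owner, named user, matching groups, other.
    The mask caps named users and every group entry, never owner or other."""
    want = set(requested)
    mask = acl.mask if acl.mask is not None else set("rwx")
    if user == acl.owner:
        return want <= acl.user_obj
    if user in acl.users:
        return want <= (acl.users[user] & mask)
    matching = [p for g, p in acl.groups.items() if g in groups]
    if acl.group in groups:
        matching.append(acl.group_obj)
    if matching:  # any matching group entry that holds all requested bits wins
        return any(want <= (p & mask) for p in matching)
    return want <= acl.other


def mode_from_acl(acl: Acl) -> str:
    """The rwx string ls -l prints; the group triplet shows the mask if one exists."""
    group_bits = acl.mask if acl.mask is not None else acl.group_obj
    return "".join(c if c in bits else "-"
                   for bits in (acl.user_obj, group_bits, acl.other) for c in "rwx")


def mode_permits(owner: str, group: str, mode: str,
                 user: str, groups: Set[str], requested: str) -> bool:
    """Classic Unix check: only the owner/group/other triplets are consulted."""
    want = set(requested)
    if user == owner:
        return want <= _perms(mode[0:3])
    if group in groups:
        return want <= _perms(mode[3:6])
    return want <= _perms(mode[6:9])


def compare(acl: Acl, user: str, groups: Set[str], requested: str = "x") -> Tuple[bool, bool]:
    """(ACL verdict, mode-bit verdict) for one principal and one request."""
    mode = mode_from_acl(acl)
    return (acl_permits(acl, user, groups, requested),
            mode_permits(acl.owner, acl.group, mode, user, groups, requested))


if __name__ == "__main__":
    studis = parse_getfacl(GETFACL_STUDIS)
    print("mode as ls -l shows it:", "d" + mode_from_acl(studis) + "+")
    # klaus and the assumed users eva (group studis) and bob (group root)
    for who, grps in (("root", {"root"}), ("klaus", {"rt"}), ("eva", {"studis"}), ("bob", {"root"})):
        print(f"{who:6} groups={sorted(grps)} (acl, mode) for x: {compare(studis, who, grps)}")
```

The mode string comes out as `rwxrwx---`, the `drwxrwx---+` Norbert saw in `ls -la`: the group triplet is the ACL mask, not the permissions of group root. So a mode-bit check grants a member of group root write access that the ACL (`group::r-x`) actually refuses, while it refuses klaus and group studis the access the ACL grants. Which check applies depends on who is asking, which is Rowland's point.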

