[Samba] ACL ignored on cifs mounted share

Norbert Heinzelmann N.Heinzelmann at rt.tu-cottbus.de
Fri Jan 23 02:30:44 MST 2015


On 23.01.2015 at 10:19, Rowland Penny wrote:
> On 23/01/15 07:34, Norbert Heinzelmann wrote:
>>
>> On 22.01.2015 at 17:17, Rowland Penny wrote:
>>> On 22/01/15 12:57, Norbert Heinzelmann wrote:
>>>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have the problem that the ACLs are ignored when I mount a share 
>>>>>> via cifs. I have an AD with Samba 4.1.6 Ubuntu 14.04 (but I also 
>>>>>> tried it with Gentoo and samba 4.1.14). So I joined a member 
>>>>>> server like the wiki describes. Everything works fine. I can 
>>>>>> manage the users and permissions with the RSAT tools. For the 
>>>>>> linux side I use rfc2307 and winbind on the member. So every user 
>>>>>> and group has a uid and gid. I can login at the member server, 
>>>>>> but when I try to access a shared folder it failed with 
>>>>>> permission denied. Here is the output, I hope this helps to 
>>>>>> understand the problem:
>>>>>>
>>>>>> root at client9:/home/testsamba# mount -vt cifs //server1/studis 
>>>>>> /data/studis -o user=klaus,sec=krb5
>>>>>> mount.cifs kernel mount options: 
>>>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=******** 
>>>>>>
>>>>>> root at client9:/home/testsamba# getfacl /data/studis/
>>>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>>>> # file: data/studis/
>>>>>> # owner: root
>>>>>> # group: root
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> user:klaus:rwx
>>>>>> group::r-x
>>>>>> group:root:r-x
>>>>>> group:rt:rwx
>>>>>> group:studis:rwx
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:user:klaus:rwx
>>>>>> default:group::r-x
>>>>>> default:group:root:r-x
>>>>>> default:group:rt:rwx
>>>>>> default:group:studis:rwx
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> root at client9:/home/testsamba# su klaus
>>>>>> klaus at client9:/home/testsamba$ id
>>>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>>>> klaus at client9:/home/testsamba$ cd /data/studis/
>>>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>>>
>>>>>> I don't understand why it is not working. My questions are: 
>>>>>> Should it work? Is it a bug or is it a problem in configuration?
>>>>>>
>>>>>
>>>>> OK, this appears to be a Unix problem, the user on the client 
>>>>> cannot 'cd' into another dir, this really has nothing to do with 
>>>>> cifs.
>>>>>
>>>>> What does ls -la /data show ?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Hello Rowland,
>>>>
>>>> During my tests I set up a member server that shares a folder, so I 
>>>> can log in as an AD user. At this member server I could access the 
>>>> folder (locally). But if I mount the same folder on another member it 
>>>> did not work. That's why I don't think it's a Unix problem, but maybe I 
>>>> misunderstood something.
>>>>
>>>> ls -la says
>>>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>>>>
>>>>
>>>>
>>>> Norbert
>>>
>>> OK, it is a bit since I last mounted a dir from one linux machine to 
>>> another, so I had to refresh my memory by doing it again :-)
>>>
>>> Here is what I did, (I actually mounted my home dir on my laptop to 
>>> another machine)
>>>
>>> The share in smb.conf on my laptop is simply this:
>>>
>>> [homes]
>>>         comment = Home Directories
>>>         browseable = no
>>>         read only = no
>>>
>>> I created a new user on the DC:
>>> samba-tool user add cifsuser
>>> Gave 'cifsuser' a uidNumber and gidNumber
>>>
>>> Next on the client:
>>>
>>> Extract and merge a keytab:
>>> cd /etc
>>> ktutil
>>> ktutil:  add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e 
>>> arcfour-hmac
>>> Password for cifsuser at EXAMPLE.COM:
>>> ktutil:  wkt cifs.keytab
>>> ktutil:  rkt krb5.keytab
>>> ktutil:  rkt cifs.keytab
>>> ktutil:  wkt krb5.keytab
>>> ktutil:  quit
>>>
>>> Restarted samba & winbind to make sure that everything was correct.
>>>
>>> Now I had the keytab, I tried to mount my homedir:
>>>
>>> mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o 
>>> sec=krb5,username=cifsuser,multiuser
>>>
>>> root at test2:~# ls -la /mnt
>>> total 16388
>>> drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
>>> drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
>>> drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
>>> -rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
>>> -rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
>>> drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
>>> drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
>>> drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
>>> drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
>>> drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> and so on.
>>>
>>> So it works for me.
>>>
>>> Rowland
>>
>> Thank you very much for all your efforts, but I think we talk at 
>> cross-purposes. What you wrote worked for me too, but this isn't the 
>> problem. The question is why extended ACLs (the "+" sign) only 
>> work at the server and not at the client that mounts the share 
>> with cifs. I can query them with getfacl on both sides, they will be 
>> shown correctly, but they will be ignored at the client. That's the 
>> point, it seems that these rights are not transferred to the client.
>>
>> Norbert
>>
>>
>
> If you connect to a Samba share from a Windows client it will honour 
> any ACLs (the + sign) set on the share because that is what it 
> expects to find.
>
> If you log in to the computer, the user is now a Unix user and will 
> ignore the ACLs and use the Unix acls (rwx) because that is what it 
> expects to find.
>
> So as I said:
>
> WINDOWS USER = ACL
>
> UNIX USER= acl
>
> Rowland
Thanks. So this is the default behaviour. Are there any plans to implement 
the possibility of using ACLs under Unix? Because I saw that cifs mount 
has an option "cifsacl"; or is this a totally different feature?
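The discrepancy the thread turns on (access granted on the member server, "permission denied" on the cifs client for the very same directory) can be reproduced on paper by running the two checks the two kernels perform. The following is an added example, not code from the thread or from the Samba or cifs-utils projects: it takes the getfacl output and the ls -la mode field posted above (embedded as constructed input, default: entries left out because they only affect newly created children), evaluates the POSIX.1e access-check algorithm from acl(5) the way the server's kernel does, and beside it evaluates the plain rwxrwx--- mode bits the way the client in the thread did. The user names other than klaus and the group memberships are assumptions chosen to exercise each branch.

```python
# Added example (not from the mailing-list thread): the same directory judged
# by its full POSIX ACL (what the Samba member server enforces locally) and by
# its plain mode bits alone (what the cifs client in the thread fell back to).

from typing import Dict, List, Set, Tuple

# Constructed input: the access ACL posted for /data/studis.
GETFACL_STUDIS = """\
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
"""

# Constructed input: the mode field from the posted 'ls -la' line.
LS_MODE_STUDIS = "drwxrwx---+"


def perms(s: str) -> Set[str]:
    """'r-x' -> {'r', 'x'}."""
    return {c for c in s if c in "rwx"}


def parse_getfacl(text: str) -> Tuple[str, str, List[Tuple[str, str, Set[str]]]]:
    """Return (owner, group, entries); entries are (tag, qualifier, perms) of
    the access ACL. '# file:' and 'default:' lines are skipped."""
    owner = group = ""
    entries: List[Tuple[str, str, Set[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("# file:") or line.startswith("default:"):
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line.startswith("#"):
            tag, qualifier, p = line.split(":")
            entries.append((tag, qualifier, perms(p)))
    return owner, group, entries


def acl_allows(text: str, user: str, groups: Set[str], want: str) -> bool:
    """POSIX.1e check as in acl(5): owner entry first, then a matching named
    user, then any matching owning-group/named-group entry, then other.
    Named-user and all group entries are limited by the mask:: entry."""
    owner, group, entries = parse_getfacl(text)
    wanted = perms(want)
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))
    if user == owner:
        return wanted <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return wanted <= (p & mask)
    in_group_class = False
    for t, q, p in entries:
        if t == "group" and ((q == "" and group in groups) or (q != "" and q in groups)):
            in_group_class = True
            if wanted <= (p & mask):  # one matching group entry is enough
                return True
    if in_group_class:
        return False  # in the group class, but no entry grants it
    return wanted <= next(p for t, q, p in entries if t == "other")


def mode_allows(ls_mode: str, owner: str, group: str, user: str,
                groups: Set[str], want: str) -> bool:
    """Classic rwxrwxrwx check on the mode field only; the '+' and the ACL
    it stands for are ignored, which is what the cifs client applied."""
    bits = ls_mode[1:10]
    wanted = perms(want)
    if user == owner:
        return wanted <= perms(bits[0:3])
    if group in groups:
        return wanted <= perms(bits[3:6])
    return wanted <= perms(bits[6:9])


def compare(user: str, groups: Set[str], want: str) -> Dict[str, bool]:
    """Server-side (ACL) versus client-side (mode bits) verdict."""
    owner, group, _ = parse_getfacl(GETFACL_STUDIS)
    return {
        "server_acl": acl_allows(GETFACL_STUDIS, user, groups, want),
        "client_mode_bits": mode_allows(LS_MODE_STUDIS, owner, group, user, groups, want),
    }


if __name__ == "__main__":
    # klaus (primary group rt, as in the posted 'id' output) needs 'x' to cd
    print("klaus, cd:", compare("klaus", {"rt"}, "x"))
    # assumed member of studis creating a file inside the directory
    print("studis member, create:", compare("anna", {"studis"}, "wx"))
```

For klaus the ACL grants rwx through the named-user entry, while the mode bits route him to other::--- because he is neither root nor in the owning group root; that is exactly the server-yes, client-no split reported in the thread. The reverse can happen too: a user whose only group is root passes the rwx group bits but is denied write by the ACL, since the group-class entries are limited to r-x.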