[Samba] ACL ignored on cifs mounted share

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 23 02:46:06 MST 2015


On 23/01/15 09:30, Norbert Heinzelmann wrote:
> On 23.01.2015 at 10:19, Rowland Penny wrote:
>> On 23/01/15 07:34, Norbert Heinzelmann wrote:
>>>
>>> On 22.01.2015 at 17:17, Rowland Penny wrote:
>>>> On 22/01/15 12:57, Norbert Heinzelmann wrote:
>>>>> On 22.01.2015 at 12:28, Rowland Penny wrote:
>>>>>> On 22/01/15 10:53, Norbert Heinzelmann wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have the problem that the ACLs are ignored when I mount a 
>>>>>>> share via cifs. I have an AD with Samba 4.1.6 on Ubuntu 14.04 (but 
>>>>>>> I also tried it with Gentoo and Samba 4.1.14). So I joined a 
>>>>>>> member server like the wiki describes. Everything works fine. I 
>>>>>>> can manage the users and permissions with the RSAT tools. For 
>>>>>>> the Linux side I use rfc2307 and winbind on the member. So every 
>>>>>>> user and group has a uid and gid. I can log in at the member 
>>>>>>> server, but when I try to access a shared folder it fails with 
>>>>>>> permission denied. Here is the output; I hope this helps to 
>>>>>>> understand the problem:
>>>>>>>
>>>>>>> root at client9:/home/testsamba# mount -vt cifs //server1/studis 
>>>>>>> /data/studis -o user=klaus,sec=krb5
>>>>>>> mount.cifs kernel mount options: 
>>>>>>> ip=192.168.170.1,unc=\\server1\studis,sec=krb5,user=klaus,pass=******** 
>>>>>>>
>>>>>>> root at client9:/home/testsamba# getfacl /data/studis/
>>>>>>> getfacl: Entferne führende '/' von absoluten Pfadnamen
>>>>>>> # file: data/studis/
>>>>>>> # owner: root
>>>>>>> # group: root
>>>>>>> user::rwx
>>>>>>> user:root:rwx
>>>>>>> user:klaus:rwx
>>>>>>> group::r-x
>>>>>>> group:root:r-x
>>>>>>> group:rt:rwx
>>>>>>> group:studis:rwx
>>>>>>> mask::rwx
>>>>>>> other::---
>>>>>>> default:user::rwx
>>>>>>> default:user:root:rwx
>>>>>>> default:user:klaus:rwx
>>>>>>> default:group::r-x
>>>>>>> default:group:root:r-x
>>>>>>> default:group:rt:rwx
>>>>>>> default:group:studis:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
>>>>>>>
>>>>>>> root at client9:/home/testsamba# su klaus
>>>>>>> klaus at client9:/home/testsamba$ id
>>>>>>> uid=10000(klaus) gid=10000(rt) Gruppen=10000(rt)
>>>>>>> klaus at client9:/home/testsamba$ cd /data/studis/
>>>>>>> bash: cd: /data/studis/: Keine Berechtigung (permission denied)
>>>>>>>
>>>>>>> I don't understand why it is not working. My questions are: 
>>>>>>> Should it work? Is it a bug or is it a problem in the configuration?
>>>>>>>
>>>>>>
>>>>>> OK, this appears to be a Unix problem, the user on the client 
>>>>>> cannot 'cd' into another dir, this really has nothing to do with 
>>>>>> cifs.
>>>>>>
>>>>>> What does ls -la /data show ?
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> Hello Rowland,
>>>>>
>>>>> During my tests I set up a member server that shares a folder, so I 
>>>>> can log in as an AD user. At this member server I could access the 
>>>>> folder (locally). But if I mount the same folder on another member 
>>>>> it did not work. That's why I don't think it's a Unix problem, but 
>>>>> maybe I misunderstood something.
>>>>>
>>>>> ls -la says
>>>>> drwxrwx---+  2 root root    0 Jan 19 15:59 studis
>>>>>
>>>>>
>>>>>
>>>>> Norbert
>>>>
>>>> OK, it is a bit since I last mounted a dir from one linux machine 
>>>> to another, so I had to refresh my memory by doing it again :-)
>>>>
>>>> Here is what I did, (I actually mounted my home dir on my laptop to 
>>>> another machine)
>>>>
>>>> The share in smb.conf on my laptop is simply this:
>>>>
>>>> [homes]
>>>>         comment = Home Directories
>>>>         browseable = no
>>>>         read only = no
>>>>
>>>> I created a new user on the DC:
>>>> samba-tool user add cifsuser
>>>> Gave 'cifsuser' a uidNumber and gidNumber
>>>>
>>>> Next on the client:
>>>>
>>>> Extract and merge a keytab:
>>>> cd /etc
>>>> ktutil
>>>> ktutil:  add_entry -password -p cifsuser at EXAMPLE.COM -k 1 -e 
>>>> arcfour-hmac
>>>> Password for cifsuser at EXAMPLE.COM:
>>>> ktutil:  wkt cifs.keytab
>>>> ktutil:  rkt krb5.keytab
>>>> ktutil:  rkt cifs.keytab
>>>> ktutil:  wkt krb5.keytab
>>>> ktutil:  quit
>>>>
>>>> Restarted samba & winbind to make sure that everything was correct.
>>>>
>>>> Now I had the keytab, I tried to mount my homedir:
>>>>
>>>> mount -t cifs //<MEMBER_SERVER_HOSTNAME>/<SHARE_NAME> /mnt -o 
>>>> sec=krb5,username=cifsuser,multiuser
>>>>
>>>> root at test2:~# ls -la /mnt
>>>> total 16388
>>>> drwxr-xr-x  49 rowland  domain_users      0 Jan 19 18:25 .
>>>> drwxr-xr-x  24 root     root           4096 Jan 22 11:30 ..
>>>> drwx------   3 rowland  domain_users      0 Aug 12 18:35 .adobe
>>>> -rw-------   1 rowland  domain_users  14416 Jan 22 10:55 .bash_history
>>>> -rw-r--r--   1 rowland  domain_users    220 Aug 12 16:35 .bash_logout
>>>> drwx------  12 rowland  domain_users      0 Jan  8 09:31 .cache
>>>> drwxr-xr-x  23 rowland  domain_users      0 Nov 24 09:55 .config
>>>> drwx------   3 rowland  domain_users      0 Aug 12 16:35 .dbus
>>>> drwxr-xr-x   4 rowland  domain_users      0 Jul 15  2014 dc5
>>>> drwxr-xr-x   2 rowland  domain_users      0 Aug 12 16:35 Desktop
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> and so on.
>>>>
>>>> So it works for me.
>>>>
>>>> Rowland
>>>
>>> Thank you very much for all your efforts, but I think we talk at 
>>> cross-purposes. What you wrote worked for me too, but this isn't the 
>>> problem. The question is why extended ACLs (the "+" sign) are only 
>>> working at the server and not at the client that mounts the share 
>>> with cifs. I can query them with getfacl on both sides, and they are 
>>> shown correctly, but they are ignored at the client. That's the 
>>> point: it seems that these rights are not transferred to the client.
>>>
>>> Norbert
>>>
>>>
>>
>> If you connect to a Samba share from a Windows client it will honour 
>> any ACLs (the + sign) set on the share because that is what it 
>> expects to find.
>>
>> If you log in to the computer, the user is now a Unix user and will 
>> ignore the ACLs and use the Unix acls (rwx) because that is what it 
>> expects to find.
>>
>> So as I said:
>>
>> WINDOWS USER = ACL
>>
>> UNIX USER= acl
>>
>> Rowland
> Thanks. So this is the default behaviour. Are there any plans to 
> implement the possibility of using ACLs under Unix? Because I saw 
> that cifs mount has an option "cifsacl", or is this a totally different 
> feature?
>
>

Yes, that is another way of doing it, a way I have never tried and 
something I am not sure is fully working yet.

Rowland
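The behaviour the thread describes can be reproduced on paper: Samba answers an SMB client from the full POSIX ACL of /data/studis, whereas a cifs mount without the cifsacl option lets the client kernel run its own permission check against the bare mode bits and owner/group it is shown (drwxrwx--- root root). The script below, added here as an illustration and not code from the thread or from the Samba project, parses the getfacl output quoted above, applies the acl(5) access-check algorithm to it, and compares that with a plain rwx check on the mode bits. The uid/gid of klaus and rt are taken from the quoted `id` output; the gid of the studis group does not appear in the thread and is a constructed value.

```python
"""Two views of /data/studis from the thread: the server-side POSIX ACL
(acl(5) algorithm, what Samba enforces for SMB clients) versus the plain
mode bits a cifs client without cifsacl uses for its own local check.
Names and ids follow the thread; the gid of 'studis' is constructed."""

# Constructed lookup tables (uid/gid of klaus/rt from the quoted `id` output).
PASSWD = {"root": 0, "klaus": 10000}
GROUPS = {"root": 0, "rt": 10000, "studis": 10001}  # studis gid assumed

# Copy of the getfacl output quoted in the thread (default: entries trimmed;
# they only seed newly created children and play no part in access checks).
GETFACL_OUTPUT = """\
# file: data/studis/
# owner: root
# group: root
user::rwx
user:root:rwx
user:klaus:rwx
group::r-x
group:root:r-x
group:rt:rwx
group:studis:rwx
mask::rwx
other::---
default:user::rwx
"""

RWX = {"r", "w", "x"}


def parse_getfacl(text):
    """Parse getfacl output into the access-ACL entries used by acl_allows()."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            # e.g. "user:klaus:rwx"; a trailing "#effective:r-x" comment is dropped
            tag, qualifier, perms = line.split("#")[0].split(":", 2)
            perms = set(perms.strip()) - {"-"}
            if tag in ("user", "group") and qualifier:
                acl[tag + "s"][qualifier] = perms          # named user / named group
            else:
                acl[tag + "_obj" if tag in ("user", "group") else tag] = perms
    return acl


def acl_allows(acl, uid, gids, requested):
    """acl(5) check: the first matching class decides; the mask caps named
    users, the owning group and named groups, but not the owner or other."""
    req = set(requested)
    mask = acl["mask"] if acl["mask"] is not None else RWX
    if uid == PASSWD[acl["owner"]]:
        return req <= acl["user_obj"]
    for name, perms in acl["users"].items():
        if PASSWD[name] == uid:
            return req <= (perms & mask)
    group_matched = False
    for name, perms in [(acl["group"], acl["group_obj"])] + list(acl["groups"].items()):
        if GROUPS[name] in gids:
            group_matched = True
            if req <= (perms & mask):
                return True
    if group_matched:  # a group entry applied but none of them granted everything asked
        return False
    return req <= acl["other"]


def parse_ls_mode(column):
    """'drwxrwx---+' -> (0o770, True): octal mode plus whether the '+' that
    marks an extended ACL is present (setuid/sticky letters count as set)."""
    mode = 0
    for i, ch in enumerate(column[1:10]):
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode, column.endswith("+")


def mode_allows(mode, owner_uid, owner_gid, uid, gids, requested):
    """Classic rwx check on mode bits: owner class, else group class, else other."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    have = {p for p, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}
    return set(requested) <= have


def compare(uid, gids, requested="rwx"):
    """Server-side ACL verdict vs. client-side mode-bit verdict for one principal."""
    acl = parse_getfacl(GETFACL_OUTPUT)
    mode, has_acl = parse_ls_mode("drwxrwx---+")  # ls -la line from the thread
    client = mode_allows(mode, PASSWD["root"], GROUPS["root"], uid, gids, requested)
    return {"server_acl": acl_allows(acl, uid, gids, requested),
            "client_mode_bits": client, "extended_acl_present": has_acl}


if __name__ == "__main__":
    for who, uid, gids in (("klaus", 10000, {10000}), ("member of gid 0", 20000, {0})):
        print(who, compare(uid, gids, "rwx"), compare(uid, gids, "w"))
```

For klaus (uid 10000, only group rt) the server-side ACL grants rwx through the user:klaus entry, while the mode-bit check on the client lands in the other class (---) and refuses, which is the "Keine Berechtigung" seen after `cd /data/studis/`. The reverse also happens: a member of gid 0 looks like rwx in the mode bits because the group bits of an ACL-bearing file show the mask, yet the ACL itself caps group root at r-x, so the client would assume write access the server will refuse. The mode bits are therefore a lossy view in both directions; the cifsacl mount option mentioned in the thread is the mechanism that lets the client fetch the server's ACL instead of relying on them.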

