[Samba] Clients can't write to group-writable files - plea for help
Jeremy Allison
jra at samba.org
Mon Nov 14 23:32:20 UTC 2016
On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> All,
>
> Apologies for basically bumping my own thread, but I'm absolutely at
> my wits' end trying to figure out this access problem. I've
> replicated the issue with and without NFS being involved. On our old
> 4.0.25 server, users can write to files that they have group-based
> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> being honored.
Look for an ACCESS_DENIED. Check the token of the smbd
issuing that error. We check the Windows ACL against
the token before allowing the write.
> open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
> [2016/11/14 11:32:30.009669, 4, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:2758(open_file_ntcreate)
> calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask = 0x20087, open_access_mask = 0x20087
> [2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
> posix_get_nt_acl: called for file logs/foobar
> [2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1251(uid_to_sid)
> uid 12477 -> sid S-1-22-1-12477
> [2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
> gid 9006 -> sid S-1-22-2-9006
> [2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
> canonicalise_acl: Access ace entries before arrange :
> [2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
> canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
> [2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
> canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
> canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
> print_canon_ace_list: canonicalise_acl: ace entries after arrange
> canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
> canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
>
>
> but I'll admit I'm not sure what I'm looking for.
>
> On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> >Hello,
> >
> >Really stumped on this issue. I have samba 4.4.7 running on a new
> >server. Users cannot write to files to which they have write permissions
> >via group.
> >
> >Example:
> >
> >Here's the local filesystem on the samba server. I'm logged in as jmalone
> >
> >
> >: jmalone at canis; cd /home/www.nrao.edu/content/logs/
> >: jmalone at canis; ls -l
> >total 4
> >-rw-rw-r-- 1 jmalone nraoweb 0 Nov 10 10:02 baz
> >-rw-rw-r-- 1 pmurphy cvweb 0 Nov 10 11:09 foobar
> >: jmalone at canis; touch foobar
> >
> >
> >No problems. Now, let me mount that on my Mac:
> >
> >
> >: jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> >: jmalone at agrajag; ls -l
> >total 2
> >-rwx------ 1 jmalone nraocv 0 Nov 10 10:02 baz
> >-rwx------ 1 jmalone nraocv 0 Nov 10 11:09 foobar
> >-rwx------ 1 jmalone nraocv 44 Nov 13 2006 index.html
> >: jmalone at agrajag.cv; touch foobar
> >touch: foobar: Permission denied
> >
> >I can write to 'baz' though.
> >
>
>
> --
> --------------------------------------------------------
> Joshua Malone Systems Administrator
> (jmalone at nrao.edu) NRAO Charlottesville
> 434-296-0263 www.nrao.edu
> 434-249-5699 (mobile)
> --------------------------------------------------------
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
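
One way to follow the advice above, as an added example that is not part of the original thread or of Samba's code: parse the canon_ace lines from a level-10 smbd log and list which entries would grant write to a given Unix uid and set of gids. The sample log is constructed from the lines quoted in the thread, the function names are hypothetical, and the matching is a simplified POSIX-style comparison, not smbd's own access check against the token.

```python
import re

# Constructed sample modelled on the level-10 smbd log quoted in the thread,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
[2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
"""

HEADER = re.compile(r"pid=(\d+), effective\((\d+), (\d+)\)")
ACE = re.compile(r"canon_ace index \d+\. Type = (\w+) SID = (\S+) "
                 r"(?:(uid|gid) (\d+) \(\S+\)|other) (SMB_ACL_\w+) .*perms ([r-][w-][x-])")

def effective_ids(log):
    """Return (uid, gid) from the first smbd debug header, or None."""
    m = HEADER.search(log)
    return (int(m.group(2)), int(m.group(3))) if m else None

def canon_aces(log):
    """Parse canon_ace lines into dicts, in the order they were logged."""
    out = []
    for typ, sid, kind, num, tag, perms in ACE.findall(log):
        out.append({"type": typ, "sid": sid, "kind": kind or "other",
                    "id": int(num) if num else None, "tag": tag, "perms": perms})
    return out

def write_granting_aces(aces, uid, gids):
    """SIDs of allow ACEs with 'w' that match uid or any gid (simplified match)."""
    hits = []
    for a in aces:
        if a["type"] != "allow" or a["perms"][1] != "w":
            continue
        if (a["kind"] == "other" or (a["kind"] == "uid" and a["id"] == uid)
                or (a["kind"] == "gid" and a["id"] in gids)):
            hits.append(a["sid"])
    return hits

if __name__ == "__main__":
    uid, gid = effective_ids(SAMPLE_LOG)
    aces = canon_aces(SAMPLE_LOG)
    print("effective ids only:", write_granting_aces(aces, uid, {gid}))
    print("with gid 9006 in token:", write_granting_aces(aces, uid, {gid, 9006}))
```

The debug header carries only the effective uid and gid, so any supplementary groups from the token have to be passed in separately.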