[Samba] Clients can't write to group-writable files - plea for help

Jeremy Allison jra at samba.org
Mon Nov 14 23:32:20 UTC 2016


On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> All,
> 
> Apologies for basically bumping my own thread, but I'm absolutely at
> my wits' end trying to figure out this access problem. I've
> replicated the issue with and without NFS being involved. On our old
> 4.0.25 server, users can write to files that they have group-based
> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> being honored.


Look for an ACCESS_DENIED. Check the token of the smbd
issuing that error. We check the Windows ACL against
the token before allowing the write.


>   open_file_ntcreate: fname=logs/foobar, after mapping access_mask=0x20087
> [2016/11/14 11:32:30.009669,  4, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:2758(open_file_ntcreate)
>   calling open_file with flags=0x2 flags2=0x0 mode=0744, access_mask = 0x20087, open_access_mask = 0x20087
> [2016/11/14 11:32:30.009702, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:3558(posix_get_nt_acl)
>   posix_get_nt_acl: called for file logs/foobar
> [2016/11/14 11:32:30.009753, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1251(uid_to_sid)
>   uid 12477 -> sid S-1-22-1-12477
> [2016/11/14 11:32:30.009784, 10, pid=9336, effective(2310, 2049), real(2310, 0)] ../source3/passdb/lookup_sid.c:1300(gid_to_sid)
>   gid 9006 -> sid S-1-22-2-9006
> [2016/11/14 11:32:30.009811, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
>   canonicalise_acl: Access ace entries before arrange :
> [2016/11/14 11:32:30.009831, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
>   canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
> [2016/11/14 11:32:30.009858, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
>   canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.009981, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
>   canon_ace index 2. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
> [2016/11/14 11:32:30.010484, 10, pid=9336, effective(2310, 2049), real(2310, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
>   print_canon_ace_list: canonicalise_acl: ace entries after arrange
>   canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
>   canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
>   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
> 
> 
> but I'll admit I'm not sure what I'm looking for.
> 
> On 11/10/16 1:13 PM, Josh Malone via samba wrote:
> >Hello,
> >
> >Really stumped on this issue. I have samba 4.4.7 running on a new
> >server. Users cannot write to files to which they have write permissions
> >via group.
> >
> >Example:
> >
> >Here's the local filesystem on the samba server. I'm logged in as jmalone
> >
> >
> >: jmalone at canis; cd /home/www.nrao.edu/content/logs/
> >: jmalone at canis; ls -l
> >total 4
> >-rw-rw-r-- 1 jmalone         nraoweb  0 Nov 10 10:02 baz
> >-rw-rw-r-- 1 pmurphy         cvweb    0 Nov 10 11:09 foobar
> >: jmalone at canis; touch foobar
> >
> >
> >No problems. Now, let me mount that on my Mac:
> >
> >
> >: jmalone at agrajag; cd /Volumes/www.nrao.edu/content/logs
> >: jmalone at agrajag; ls -l
> >total 2
> >-rwx------  1 jmalone  nraocv   0 Nov 10 10:02 baz
> >-rwx------  1 jmalone  nraocv   0 Nov 10 11:09 foobar
> >-rwx------  1 jmalone  nraocv  44 Nov 13  2006 index.html
> >: jmalone at agrajag.cv; touch foobar
> >touch: foobar: Permission denied
> >
> >I can write to 'baz' though.
> >
> 
> 
> -- 
> --------------------------------------------------------
>        Joshua Malone       Systems Administrator
>      (jmalone at nrao.edu)    NRAO Charlottesville
>         434-296-0263           www.nrao.edu
> 	434-249-5699 (mobile)
> --------------------------------------------------------

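Added example, not part of the original thread and not Samba's code: a simplified model of the check described in the reply (ACL evaluated against the token), run over the canon_ace entries from the quoted log. The two token SID sets are constructed for illustration, and the model compares rwx letters, whereas smbd compares NT access masks such as the 0x20087 seen in the log.

```python
import re

# Constructed sample: the three "after arrange" canon_ace entries from the quoted
# level-10 log, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
  canon_ace index 0. Type = allow SID = S-1-22-1-12477 uid 12477 (pmurphy) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 1. Type = allow SID = S-1-22-2-9006 gid 9006 (cvweb) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rw-
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r--
"""

# Constructed tokens (assumption: uid 2310 / gid 2049 from the log header belong to
# the connecting user). The only difference is the SID for gid 9006 (cvweb).
TOKEN_WITH_GROUP = {"S-1-22-1-2310", "S-1-22-2-2049", "S-1-22-2-9006", "S-1-1-0"}
TOKEN_WITHOUT_GROUP = {"S-1-22-1-2310", "S-1-22-2-2049", "S-1-1-0"}

ACE_RE = re.compile(
    r"canon_ace index \d+\. Type = (allow|deny) SID = (S-\d+(?:-\d+)+)"
    r".*?perms ([r-][w-][x-])"
)

def parse_canon_aces(log_text):
    """Return [(ace_type, sid, perms)] in the order smbd printed them."""
    return [(t, sid, {c for c in perms if c != "-"})
            for t, sid, perms in ACE_RE.findall(log_text)]

def access_check(aces, token_sids, wanted):
    """Ordered ACL walk: an ACE counts only if its SID is in the token.

    Returns (granted, sids_of_aces_that_matched)."""
    remaining, matched = set(wanted), []
    for ace_type, sid, perms in aces:
        if sid not in token_sids:
            continue
        matched.append(sid)
        if ace_type == "deny" and remaining & perms:
            return False, matched
        if ace_type == "allow":
            remaining -= perms
        if not remaining:
            return True, matched
    return False, matched

if __name__ == "__main__":
    aces = parse_canon_aces(SAMPLE_LOG)
    for name, token in (("with cvweb SID", TOKEN_WITH_GROUP),
                        ("without cvweb SID", TOKEN_WITHOUT_GROUP)):
        granted, matched = access_check(aces, token, "w")
        print(f"{name}: write {'granted' if granted else 'ACCESS_DENIED'}, matched {matched}")
```

When the token lacks the group's SID, the only ACE that matches is the S-1-1-0 entry with `r--`, so a write request is refused even though the file is group-writable on disk.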