[Samba] Clients can't write to group-writable files - plea for help

Josh Malone jmalone at nrao.edu
Tue Nov 15 16:42:45 UTC 2016 

On 11/14/16 6:32 PM, Jeremy Allison via samba wrote:
> On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
>> All,
>>
>> Apologies for basically bumping my own thread, but I'm absolutely at
>> my wits' end trying to figure out this access problem. I've
>> replicated the issue with and without NFS being involved. On our old
>> 4.0.25 server, users can write to files that they have group-based
>> write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
>> being honored.
>
>
> Look for an ACCESS_DENIED. Check the token of the smbd
> issuing that error. We check the Windows ACL against
> the token before allowing the write.

Thank you for that pointer. So, if I take this line for example:

   smbd_check_access_rights: file . requesting 0x40 returning 0x40 
(NT_STATUS_ACCESS_DENIED)
[2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), 
real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)

I see that smbd #28398 is the offending process. I'm not sure what the 
"token" is that I'm looking for. Again - sorry for my lack of 
familiarity with the internals here. I've *never* had issues like these 
with Samba before.

However, I see this bit:


   canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) 
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
   canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) 
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER 
ace_flags = 0x0 perms r-x


My interpretation of this is that samba things that the file GID is 0 
and that group write is not allowed. This is not at all what the file 
permissions are though. Am I mis-reading this or is Samba getting 
permissions some other way. This is a purely Unix filesystem - there 
should be no NTFS ACLs.

Also, the line:

[2016/11/14 12:49:21.964411,  5, pid=28398, effective(2310, 2049), 
real(2310, 0)] ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)

How is the real different from the effective on a simple unix file?


Thanks again,

-Josh

-- 
--------------------------------------------------------
        Joshua Malone       Systems Administrator
      (jmalone at nrao.edu)    NRAO Charlottesville
         434-296-0263           www.nrao.edu
	434-249-5699 (mobile)
--------------------------------------------------------

More information about the samba mailing list