[Samba] Clients can't write to group-writable files - plea for help

Jeremy Allison jra at samba.org
Wed Nov 16 00:25:42 UTC 2016

On Tue, Nov 15, 2016 at 11:42:45AM -0500, Josh Malone via samba wrote:
> On 11/14/16 6:32 PM, Jeremy Allison via samba wrote:
> >On Mon, Nov 14, 2016 at 11:38:52AM -0500, Josh Malone via samba wrote:
> >>All,
> >>
> >>Apologies for basically bumping my own thread, but I'm absolutely at
> >>my wits' end trying to figure out this access problem. I've
> >>replicated the issue with and without NFS being involved. On our old
> >>4.0.25 server, users can write to files that they have group-based
> >>write permissions. On 4.5.x, 4.4.x, and 4.3.x that permission is not
> >>being honored.
> >
> >
> >Look for an ACCESS_DENIED. Check the token of the smbd
> >issuing that error. We check the Windows ACL against
> >the token before allowing the write.
> Thank you for that pointer. So, if I take this line for example:
>   smbd_check_access_rights: file . requesting 0x40 returning 0x40
> [2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049),
> real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
> I see that smbd #28398 is the offending process. I'm not sure what
> the "token" is that I'm looking for. Again - sorry for my lack of
> familiarity with the internals here. I've *never* had issues like
> these with Samba before.

The token is the list of uids/gids (or SIDs in Windows terms)
that this smbd is using to represent the user right now.

> However, I see this bit:
>   canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root)
> SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>   canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root)
> SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
>   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> ace_flags = 0x0 perms r-x

Looks like a perm set of rwxr-xr-x on the file to me, with
owner and group of root.

> My interpretation of this is that samba thinks that the file GID is
> 0 and that group write is not allowed. This is not at all what the
> file permissions are though. Am I mis-reading this or is Samba
> getting permissions some other way? This is a purely Unix filesystem
> - there should be no NTFS ACLs.

smbd synthesises NT ACLs from the POSIX perms in order to do
the access checks. Then it checks the open request using the
current process token against the NT ACL to decide whether to
allow access.

> Also, the line:
> [2016/11/14 12:49:21.964411,  5, pid=28398, effective(2310, 2049),
> real(2310, 0)]
> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
> How is the real different from the effective on a simple unix file?

These come from the current uid/gid of the process - constructed

                        ", effective(%u, %u), real(%u, %u)",
                        (unsigned int)geteuid(), (unsigned int)getegid(),
                        (unsigned int)getuid(), (unsigned int)getgid());

That line tells you that pid 28398 is currently running with
an effective uid of 2310, and an effective gid of 2049.

They are the values that will be used to check file access.
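
An added example, not part of the original message and not Samba code: it parses the debug header and canon_ace lines quoted in this thread and reports which POSIX permission class the effective uid/gid falls into. The function names and the `supplementary_gids` parameter are assumptions made for illustration, and the owner/group/other selection is a simplification of the NT ACL check that smbd performs against the token.

```python
import re

# Constructed sample: the log lines quoted in the thread, unwrapped onto single lines.
SAMPLE_LOG = """\
[2016/11/14 12:49:21.540401, 10, pid=28398, effective(2310, 2049), real(2310, 0)] ../source3/smbd/open.c:179(smbd_check_access_rights)
  canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms r-x
"""

HEADER_RE = re.compile(
    r"pid=(?P<pid>\d+), effective\((?P<euid>\d+), (?P<egid>\d+)\), "
    r"real\((?P<ruid>\d+), (?P<rgid>\d+)\)")
ACE_RE = re.compile(
    r"canon_ace index \d+\. Type = allow SID = \S+ "
    r"(?:(?:uid|gid) (?P<id>\d+) \(\S+\)|other) "
    r"(?P<tag>SMB_ACL_\w+) ace_flags = \S+ perms (?P<perms>[rwx-]{3})")


def parse_log(text):
    """Return (ids from the first debug header, {ACL tag: (id, perms)})."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no smbd debug header found")
    ids = {k: int(v) for k, v in header.groupdict().items()}
    aces = {}
    for m in ACE_RE.finditer(text):
        ace_id = int(m["id"]) if m["id"] is not None else None
        aces[m["tag"]] = (ace_id, m["perms"])
    return ids, aces


def posix_class(ids, aces, supplementary_gids=()):
    """Simplified owner/group/other selection for the effective uid/gid.

    supplementary_gids is an assumption: the debug header does not list them.
    """
    owner_uid, _ = aces["SMB_ACL_USER_OBJ"]
    group_gid, _ = aces["SMB_ACL_GROUP_OBJ"]
    if ids["euid"] == owner_uid:
        return "SMB_ACL_USER_OBJ"
    if group_gid in {ids["egid"], *supplementary_gids}:
        return "SMB_ACL_GROUP_OBJ"
    return "SMB_ACL_OTHER"


def write_allowed(ids, aces, supplementary_gids=()):
    """True if the selected class carries the 'w' bit."""
    return "w" in aces[posix_class(ids, aces, supplementary_gids)][1]
```
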
