[Samba] Clients can't write to group-writable files - plea for help

Josh Malone jmalone at nrao.edu
Wed Nov 16 13:44:35 UTC 2016


On 11/15/16 7:25 PM, Jeremy Allison wrote:
>
> The token is the list of uids/gids (or SIDs in Windows terms)
> that this smbd is using to represent the user right now.

Okay - that makes sense. Thank you.

>>
>>   canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root)
>> SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
>>   canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 (root)
>> SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
>>   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
>> ace_flags = 0x0 perms r-x
>
> Looks like a perm set of rwxr-xr-x on the file to me, with
> owner and group of root.

But the file is not root:root - it's owned by uid 12477 and group 9006. 
Why is Samba getting the wrong owner/group for this file?

>
> smbd synthesises NT ACLs from the POSIX perms in order to do
> the access checks. Then it checks the open request using the
> current process token against the NT ACL to decide whether to
> allow access.
>
>> Also, the line:
>>
>> [2016/11/14 12:49:21.964411,  5, pid=28398, effective(2310, 2049),
>> real(2310, 0)]
>> ../libcli/smb/smb2_signing.c:92(smb2_signing_sign_pdu)
>>
>> How is the real different from the effective on a simple unix file?
>
> These come from the current uid/gid of the process - constructed
> here:
>
>                         ", effective(%u, %u), real(%u, %u)",
>                         (unsigned int)geteuid(), (unsigned int)getegid(),
>                         (unsigned int)getuid(), (unsigned int)getgid());
>
> That line tells you that pid 28398 is currently running with
> an effective uid of 2310, and an effective gid of 2049.
>
> They are the values that will be used to check file access.

Okay - so it's getting the right values for my user, but coming up with 
the wrong permissions on the file I'm trying to access. Any idea why?

I've been trying to debug this for days now - every build I make on Red 
Hat Enterprise 6 does this. However, running Samba under Ubuntu server 
behaves correctly in the same AD/NFS environment.

I've found another RHEL6 server here that's not showing the problem, so 
I'm going to try to diff the 2 boxes and see what's up.

-Josh

-- 
--------------------------------------------------------
        Joshua Malone       Systems Administrator
      (jmalone at nrao.edu)    NRAO Charlottesville
         434-296-0263           www.nrao.edu
	434-249-5699 (mobile)
--------------------------------------------------------
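
The access decision discussed in this message, reduced to the plain POSIX owner/group/other class selection. This is an added example, not part of the original message and not Samba's code. The token uid/gid (2310, 2049), the file owner (12477:9006) and the logged root:root rwxr-xr-x view come from the thread; the user's membership in group 9006 and the 0775 on-disk mode are assumptions.

```c
#include <stdio.h>
#include <sys/types.h>

/* Simplified stand-in for the process token: one uid plus its gid list. */
struct token {
    uid_t uid;
    const gid_t *gids;
    size_t ngids;
};

/* What the server believes about the file: owner, group, mode bits. */
struct file_view {
    uid_t owner;
    gid_t group;
    unsigned mode;   /* e.g. 0755 */
};

static int token_has_gid(const struct token *t, gid_t g)
{
    for (size_t i = 0; i < t->ngids; i++)
        if (t->gids[i] == g)
            return 1;
    return 0;
}

/* rwx bits (0..7) granted to the token: owner class, else group, else other. */
unsigned granted_perms(const struct token *t, const struct file_view *f)
{
    if (t->uid == f->owner)
        return (f->mode >> 6) & 7;
    if (token_has_gid(t, f->group))
        return (f->mode >> 3) & 7;
    return f->mode & 7;
}

int can_write(const struct token *t, const struct file_view *f)
{
    return (granted_perms(t, f) & 2) != 0;
}

int main(void)
{
    const gid_t gids[] = { 2049, 9006 };              /* 9006 membership is assumed */
    struct token user = { 2310, gids, 2 };
    struct file_view logged = { 0, 0, 0755 };          /* view in the canon_ace dump */
    struct file_view on_disk = { 12477, 9006, 0775 };  /* owner from the post; mode assumed */
    printf("as logged:  write=%d\n", can_write(&user, &logged));
    printf("as on disk: write=%d\n", can_write(&user, &on_disk));
    return 0;
}
```

With the owner and group misread as root:root, the same token falls through to the "other" class and loses write access, which matches the symptom in the subject line.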


