[Samba] Samba 4.6.4 and Excel 2016 access denied if no Group mode permission

Walker, Jason M (JSC-CD42)[Leidos Innovations Corporation] jason.m.walker at nasa.gov
Wed Feb 14 15:43:38 UTC 2018

>What are you actually using for authentication ?

We are using Quest Authentication Services (formerly Vintela Authentication Services), which is a Kerberos/LDAP/Active Directory client for UNIX & Linux.  Authentication and Identity Mapping appear to work correctly: I can log on and see my uid/gid/correct groups list with SSH, and group-based access for files and directories appears to work correctly through Samba.

The only thing that doesn't seem to work right is that if _only_ my user account/file owner has full control to the directory and the file, and my primary group has no access, Excel 2016 cannot save edits to files through Samba.  Looking at level-5 Samba logs, I appear to get an access denied on setting attributes to the new temporary file Excel is creating when I open the original

[2018/02/12 10:27:10.682913,  2] ../source3/smbd/trans2.c:6276(smb_set_file_dosmode)
  smb_set_file_dosmode: file_set_dosmode of ~$test.xlsx failed (Permission denied)
[2018/02/12 10:27:10.682965,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_setinfo.c:132

and Samba seems to be mapping my account correctly

[2018/02/12 10:27:10.715181,  5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (11):
    SID[  0]: S-1-22-1-129046054
    SID[  1]: S-1-22-2-513
    SID[  2]: S-1-22-2-487583
    SID[  3]: S-1-22-2-487495
    SID[  4]: S-1-22-2-383830
    SID[  5]: S-1-22-2-385132
    SID[  6]: S-1-22-2-345596
    SID[  7]: S-1-22-2-383825
    SID[  8]: S-1-1-0
    SID[  9]: S-1-5-2
    SID[ 10]: S-1-5-11
   Privileges (0x               0):
   Rights (0x               0):
[2018/02/12 10:27:10.715449,  5] ../source3/auth/token_util.c:640(debug_unix_user_token)
  UNIX token of user 129046054
  Primary group is 513 and contains 7 supplementary groups
  Group[  0]: 513
  Group[  1]: 487583
  Group[  2]: 487495
  Group[  3]: 383830
  Group[  4]: 385132
  Group[  5]: 345596
  Group[  6]: 383825

And just after that I appear to be granted an oplock on the original file

[2018/02/12 10:27:10.858168,  5] ../source3/smbd/dosmode.c:287(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file test.xlsx: Error = Unformatted or incompatible media
[2018/02/12 10:27:10.858225,  4] ../source3/smbd/open.c:3262(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x0 mode=0744, access_mask = 0x80, open_access_mask = 0x80
[2018/02/12 10:27:10.858353,  2] ../source3/smbd/open.c:1351(open_file)
  jwalker5 opened file test.xlsx read=No write=No (numopen=6)
[2018/02/12 10:27:10.858406,  5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
  check lock order 1 for /smb_ms1/samba/locks/locking.tdb
[2018/02/12 10:27:10.858492,  5] ../source3/smbd/oplock.c:86(set_file_oplock)
  set_file_oplock: granted oplock on file test.xlsx, a0007:5040:0/1990308393, tv_sec = 5a81c05e, tv_usec = d16cb
[2018/02/12 10:27:10.858583,  5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
  release lock order 1 for /smb_ms1/samba/locks/locking.tdb

Still a little later I see errors retrieving ea_dos_attributes during what looks like a directory listing (I suspect this is because the underlying AIX filesystem doesn't support the EA attributes, and I'm not sure that I care)

[2018/02/12 10:27:10.929561,  5] ../source3/smbd/dosmode.c:287(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file test.xlsx: Error = Unformatted or incompatible media
[2018/02/12 10:27:10.929635,  5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode_from_sbuf returning (0x20): "a"
[2018/02/12 10:27:10.929687,  5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x20): "a"
[2018/02/12 10:27:10.929757,  3] ../source3/smbd/dir.c:1227(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found test.xlsx fname=test.xlsx (test.xlsx)
[2018/02/12 10:27:10.929837,  5] ../source3/smbd/dosmode.c:287(get_ea_dos_attribute)
  get_ea_dos_attribute: Cannot get attribute from EA on file ~$test.xlsx: Error = Unformatted or incompatible media

And then, reading the directory again, I can see these access masks but I am not sure how to understand them

[2018/02/12 10:27:11.223176,  5] ../source3/smbd/open.c:3946(open_directory)
  open_directory: opening directory ., access_mask = 0x80, share_access = 0x7 create_options = 0x200000, create_disposition = 0x1, file_attributes = 0x10
