[Samba] Standalone server and POSIX ACL issues (new one)

Rowland penny rpenny at samba.org
Mon Aug 12 12:32:49 UTC 2019


On 12/08/2019 12:11, Yvan Masson via samba wrote:
>> So to sum up, setting ACL for the guest user is not enough for Samba, 
>> while it works for other users. It does not depend on which Unix user 
>> is used as guest.
>>
>> I just found a very strange workaround: the right needs to be given 
>> to the primary group and not the user. For example, if my guest user 
>> is "nobody", then I would give rights to group "nogroup". I also 
>> tested to use alice as my guest user, and giving rights to group 
>> "alice" (not the user) works.
>>
>> Any idea? Should I report an issue?
>
> For reference, I reported this issue at 
> https://bugzilla.samba.org/show_bug.cgi?id=14083
>
> Yvan
>
Hi Yvan,

Now I have had chance to properly understand what you are trying to do, 
I am sorry but Louis is correct, this isn't a bug.

The first thing to understand is that the guest user on any other 
computer doesn't really equate to the guest user on the Samba computer.

You are mounting the share as the guest user, but this has nothing to do 
with the permissions on the share. My misunderstanding was that I 
thought you were connecting to a share using guest access, for this to 
work, you need 'map to guest = bad user' and 'guest ok = yes in the 
share. If you are using 'guest ok = yes' on a share, then you shouldn't 
use authentication on the same share.

If you do have 'guest ok = yes' on a share, then if an unknown user 
tries to connect to the share, before they get to the share they will 
get mapped to the 'guest user' (usually 'nobody' on Unix), so anything 
they add to the share will typically belong to 'nobody:nogroup' because 
that is who is allowed access to the share.

So to recap, whilst you can mount a share as the guest user, it isn't 
recommended, do not use guest access on a share that you also want 
authenticated users to connect to.

Bearing this in mind, I am going to close your bug report.

Rowland





More information about the samba mailing list