[Samba] Standalone server and POSIX ACL issues (new one)

Yvan Masson yvan at masson-informatique.fr
Mon Aug 12 15:30:06 UTC 2019

On 12/08/2019 at 14:32, Rowland penny via samba wrote:
> On 12/08/2019 12:11, Yvan Masson via samba wrote:
>>> So to sum up, setting ACL for the guest user is not enough for Samba, 
>>> while it works for other users. It does not depend on which Unix user 
>>> is used as guest.
>>> I just found a very strange workaround: the right needs to be given 
>>> to the primary group and not the user. For example, if my guest user 
>>> is "nobody", then I would give rights to group "nogroup". I also 
>>> tested to use alice as my guest user, and giving rights to group 
>>> "alice" (not the user) works.
>>> Any idea? Should I report an issue?
>> For reference, I reported this issue at 
>> https://bugzilla.samba.org/show_bug.cgi?id=14083
>> Yvan
> Hi Yvan,
> Now I have had chance to properly understand what you are trying to do, 
> I am sorry but Louis is correct, this isn't a bug.

Many thanks for the teaching efforts, I hope some day I could buy you a 
drink! :-)

> The first thing to understand is that the guest user on any other 
> computer doesn't really equate to the guest user on the Samba computer
>
> You are mounting the share as the guest user, but this has nothing to do 
> with the permissions on the share. My misunderstanding was that I 
> thought you were connecting to a share using guest access, for this to 
> work, you need 'map to guest = bad user' and 'guest ok = yes' in the 
> share. If you are using 'guest ok = yes' on a share, then you shouldn't 
> use authentication on the same share.
>
> If you do have 'guest ok = yes' on a share, then if an unknown user 
> tries to connect to the share, before they get to the share they will 
> get mapped to the 'guest user' (usually 'nobody' on Unix), so anything 
> they add to the share will typically belong to 'nobody:nogroup' because 
> that is who is allowed access to the share.
> So to recap, whilst you can mount a share as the guest user, it isn't 
> recommended, do not use guest access on a share that you also want 
> authenticated users to connect to.

I am sorry, I suppose that by trying to be clearer, I made my issue less 
understandable… I will try to explain again just to be sure: I want some 
users (bob and alice for example) to have full access on the share (via 
authenticated mount), and others to have read-only access (via guest 
mount). As you understood, I don't want to use Windows ACLs.

I made some new tests after Louis's reply on the bug report (see link 
above), and here is my understanding of what I see: guest account is 
indeed mapped to the Unix account defined in "guest account" option of 
smb.conf, BUT its effective rights are equal to the ones of the Unix 
account AND (logical operator) the ones of "others" in Unix ACL.

Am I right? If yes, could this be added to smb.conf manpage for the 
"guest account" option? Currently it says "Whatever privileges this user 
has will be available to any client connecting to the guest service.", 
but it seems that this is only partially true.
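
An added example, not part of the original thread and not from the Samba project: one smb.conf layout that follows the advice quoted above to keep guest access and authenticated access on separate shares. The share names `public` and `team`, the path `/srv/share`, and the choice to export the same directory twice are assumptions for illustration; `alice` and `bob` are the users named in the message.

```ini
# Constructed example. Share names and /srv/share are assumptions.
[global]
    # A login attempt with an unknown user name is treated as a guest
    # session instead of being rejected.
    map to guest = Bad User
    # Unix account that guest sessions run as.
    guest account = nobody

# Guest-only view of the data: no password, never writable through Samba.
[public]
    path = /srv/share
    guest ok = yes
    read only = yes

# Authenticated view of the same directory: guests are refused,
# only the listed Unix users may connect, and they may write.
[team]
    path = /srv/share
    guest ok = no
    valid users = alice bob
    read only = no
```

Samba's share options only restrict access further; the guest account and the listed users still need matching filesystem permissions on the path. `testparm -s` prints the parsed configuration and reports syntax errors before the service is reloaded.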

