[Samba] Standalone server and POSIX ACL issue

Yvan Masson yvan at masson-informatique.fr
Wed Jul 10 09:37:10 UTC 2019


On 10/07/2019 at 08:46, Rowland penny via samba wrote:
> On 09/07/2019 22:49, Yvan Masson wrote:
>> On 09/07/2019 at 21:16, Rowland penny via samba wrote:
>>> On 09/07/2019 20:06, Yvan Masson via samba wrote:
>>>> Hi,
>>>>
>>>> First, thanks for all people that continuously giving great advice 
>>>> on this list!
>>>>
>>>> I am setting up a standalone server (Debian 10, Samba 4.9.5+dfsg-5 
>>>> from Debian). The following directory is shared and contains two 
>>>> directories:
>>>> /home/eleve/partage/
>>>> ├── Documents
>>>> └── Travail
>>>>
>>>> I want user "eleve" to be able to modify everything, and guest users 
>>>> to have read access on "Documents/" and write access on "Travail/". 
>>>> Everything works as expected when accessing files locally, but not 
>>>> when mounting the share from a Linux client:
>>>> - when logged in as guest, I can read everything but have no write 
>>>> access in "Travail/"
>>>> - when logged in as "eleve", I can not write inside "Documents/"
>>> You would be better off setting up two shares
>>>>
>>>> I suppose I am missing something simple, but can not find what (I 
>>>> have read 
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs).
>>> I know that page refers to a standalone server, but it is mostly 
>>> aimed at AD domain members, though the basics should work on a 
>>> standalone server.
>>>
>>> Rowland
>>>
>> Thanks for the advice. I have read 
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>> which gave me the solution: I had forgot to add "eleve" user to the 
>> smbpasswd database. It would need more testing, but it seems I have a 
>> working setup with two shares and no POSIX ACL.
>>
>> I suppose I already know the answer, but is there a way to login with 
>> Samba without having a smbpasswd file?
>>
>> Regards,
>> Yvan
> 
> Yes, it is known as setting up an AD domain and then accounts are stored 
> in AD ;-)
> 
> Otherwise if you really mean 'can I connect to a Samba share on a Samba 
> standalone server without an account', then yes, you can. you will need 
> 'map to guest = bad user' in [global] and 'guest ok = yes' in the shares 
> (note, you cannot use 'valid users' etc in the shares), with these 
> settings and no users, anybody can connect to the shares and they will 
> be mapped to the guest user (usually 'nobody'). This is very insecure.
> 
> Rowland

OK thanks. However I still want to clarify what is wrong with my 
original setup, where "Partage" directory is shared on a standalone 
Samba 4.9.5 server:
/home/yvan/Partage/
├── Consultation/
└── Echange/

Connecting with local user "yvan" (added to smbpasswd file this time), 
works properly: I have write access in "Consultation/" and "Echange/".

Connecting as a guest user (mapped to user "nobody") works partially:
I have read access in "Consultation/" and "Echange/", but I would like 
to have write access in "Echange/". For example, this does not work (the 
share is mounted as guest via gvfs):
$ LANG=C touch /run/user/1000/gvfs/smb-share\:server\=e7440.local\,share\=partage/Echange/test
touch: cannot touch '/run/user/1000/gvfs/smb-share:server=e7440.local,share=partage/Echange/test': Permission denied

However, everything works properly when accessing files locally. This works:
$ sudo -u nobody touch /home/yvan/Partage/Echange/test

So I guess I have an issue with guest access in my Samba configuration.

$ cat /etc/samba/smb.conf
[global]
workgroup = AYN
log file = /var/log/samba/log.%m
logging = file syslog at 1
server role = standalone server
map to guest = Bad User
guest account = nobody
[Partage]
path = /home/yvan/Partage
guest ok = yes
writable = yes
inherit acls = yes

$ getfacl Partage/*
# file: Partage/Consultation
# owner: yvan
# group: yvan
user::rwx
user:yvan:rwx
user:nobody:r-x
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:yvan:rwx
default:user:nobody:r-x
default:group::r-x
default:mask::rwx
default:other::r-x

# file: Partage/Echange
# owner: yvan
# group: yvan
user::rwx
user:yvan:rwx
user:nobody:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:yvan:rwx
default:user:nobody:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Any help would be appreciated :-)

Yvan
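As an added check (example code, not from the thread or from Samba itself), the script below parses getfacl listings like the two above and works out what each user gets once the mask entry is applied, which is the question the local "sudo -u nobody touch" test answers. The names parse_getfacl, effective_rights and guest_rights are the example's own; the embedded listings are the ones posted, trimmed to their access entries.

```python
# Added example (not from the thread): effective POSIX ACL rights from getfacl output, mask applied as the kernel does.

def parse_getfacl(text):
    """Map each '# file:' block to {'owner', 'group', 'entries': {(tag, qualifier): perms}}."""
    acls, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# file:"):
            cur = acls[line[7:].strip()] = {"entries": {}}
        elif cur is None or not line or line.startswith("default:"):
            continue                            # default:* entries only shape new children
        elif line.startswith(("# owner:", "# group:")):
            cur[line[2:7]] = line[8:].strip()
        elif not line.startswith("#"):
            tag, qual, perms = (f.strip() for f in line.split("#")[0].split(":")[:3])
            cur["entries"][(tag, qual)] = perms  # any '#effective:' annotation is dropped
    return acls

def effective_rights(acl, user, groups=()):      # POSIX ACL evaluation order
    ent, mask = acl["entries"], acl["entries"].get(("mask", ""), "rwx")
    masked = lambda p: "".join(a if a != "-" and b != "-" else "-" for a, b in zip(p, mask))
    if user == acl.get("owner"):
        return ent[("user", "")]                # owner entry is never masked
    if ("user", user) in ent:
        return masked(ent[("user", user)])      # named user: entry AND mask
    hits = [p for (t, q), p in ent.items() if t == "group" and
            (q in groups or (q == "" and acl.get("group") in groups))]
    if hits:                                    # a bit is granted if any matching group grants it
        return masked("".join(max(c) for c in zip(*hits)))
    return ent[("other", "")]

GETFACL_OUTPUT = """\
# file: Partage/Consultation
# owner: yvan
# group: yvan
user::rwx
user:nobody:r-x
group::r-x
mask::rwx
other::r-x
# file: Partage/Echange
# owner: yvan
# group: yvan
user::rwx
user:nobody:rwx
group::r-x
mask::rwx
other::r-x
"""  # the two listings from the thread, reduced to owner, group and access entries
def guest_rights(output=GETFACL_OUTPUT):         # what the guest account 'nobody' gets locally
    return {path: effective_rights(acl, "nobody") for path, acl in parse_getfacl(output).items()}
```

If this reports rwx for nobody on Echange/ but the share still refuses writes, the filesystem side is fine and the remaining difference is in how Samba maps the guest session.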
