[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients
Kraus, Sebastian
sebastian.kraus at tu-berlin.de
Fri Mar 1 04:54:32 UTC 2019
Hi Jeremy, Hi Steve, Hi Ronnie,
thanks for your replies and the profound discussion.
I think it's best to demonstrate my problem case with a real-world example:
The following log of a console session shows how I am doing the mounts with the Linux Kernel CIFS-FS Module on the
client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via the SMB/CIFS resp. SMB2 protocol:
clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0
Password for user@//sambaserver/share:
mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass=
clienthost:~# cat /proc/fs/cifs/DebugData
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 2.09
Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
Active VFS Requests: 0
Servers:
Number of credits: 50
1) Name: 130.149.125.119 Domain: FAK2 Uses: 1 OS: Windows 6.1
NOS: Samba 4.5.16-Debian Capability: 0x8080f3fd
SMB session status: 1 TCP status: 1
Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
Shares:
1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f
PathComponentMax: 255 Status: 1 type: DISK
MIDs:
clienthost:~# getcifsacl /media/testmount/einstieg.txt
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
GROUP:S-1-22-2-100
ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
ACL:S-1-22-2-100:ALLOWED/0x0/RW
ACL:S-1-1-0:ALLOWED/0x0/
clienthost:~# umount /media/testmount
clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0
Password for testuser@//sambaserver/share:
mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass=
clienthost:~# cat /proc/fs/cifs/DebugData
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 2.09
Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
Active VFS Requests: 0
Servers:
Number of credits: 13
1) entry for 130.149.125.119 not fully displayed
TCP status: 1
Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
Shares:
1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
PathComponentMax: 255 Status: 1 type: DISK
MIDs:
clienthost:~# getcifsacl /media/testmount/einstieg.txt
getxattr error: 95
REVISION:0x0
CONTROL:0x0
I wonder why I am able to access the Security Identifier of a file on an SMB1 mounted share, but getcifsacl is failing to get the SID
of the same file on the same share with SMB2 mounts? In both cases, availability of XATTR, ACL and CIFS_POSIX FS capabilities is
shown. Am I missing something essential or is there a lack of implementation?
Best and regards
Sebastian
Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7
Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin
Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de
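
Added example, not part of the original message and not cifs-utils code: a small Python parser for the getcifsacl text output shown in the two sessions, which separates a populated security descriptor from the empty one printed on the vers=2.0 mount. The function names are hypothetical, and the sample strings are copied from the log above.

```python
# Sample input: getcifsacl output copied from the two sessions in the message.
SMB1_OUT = """\
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
GROUP:S-1-22-2-100
ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
ACL:S-1-22-2-100:ALLOWED/0x0/RW
ACL:S-1-1-0:ALLOWED/0x0/
"""
SMB2_OUT = "getxattr error: 95\nREVISION:0x0\nCONTROL:0x0\n"

def parse_getcifsacl(text):
    """Parse getcifsacl's text output (as shown above) into a dict."""
    sd = {"errno": None, "revision": None, "control": None,
          "owner": None, "group": None, "aces": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "getxattr error":
            sd["errno"] = int(value)          # 95 is EOPNOTSUPP on Linux
        elif key in ("REVISION", "CONTROL"):
            sd[key.lower()] = int(value, 16)
        elif key in ("OWNER", "GROUP"):
            sd[key.lower()] = value
        elif key == "ACL":
            # ACE layout as printed: <trustee>:<type>/<flags>/<mask>
            sid, _, rest = value.rpartition(":")
            ace_type, flags, mask = rest.split("/", 2)
            sd["aces"].append({"sid": sid, "type": ace_type,
                               "flags": flags, "mask": mask})
    return sd

def describe_sid(sid):
    """Classify the SID forms that appear in the output above."""
    if sid == "S-1-1-0":
        return "Everyone"
    if sid.startswith("S-1-22-1-"):           # Samba mapping for Unix users
        return "Samba Unix user uid=" + sid.rsplit("-", 1)[1]
    if sid.startswith("S-1-22-2-"):           # Samba mapping for Unix groups
        return "Samba Unix group gid=" + sid.rsplit("-", 1)[1]
    if sid.startswith("S-1-5-21-"):
        return "domain/machine account RID=" + sid.rsplit("-", 1)[1]
    return "other"

def descriptor_missing(sd):
    """True when the client returned no usable security descriptor."""
    return sd["errno"] is not None or not sd["revision"] or sd["owner"] is None
```

On the sample data the group SID S-1-22-2-100 decodes to gid 100, matching the gid=100 mount option in the log, and the Everyone ACE carries an empty mask.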