[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Kraus, Sebastian sebastian.kraus at tu-berlin.de
Fri Mar 1 04:54:32 UTC 2019


Hi Jeremy, Hi Steve, Hi Ronnie,
thanks for your replies and the profound discussion.
I think it's best to demonstrate my problem case with a real-world example:
The following log of a console session shows how I am doing the mounts by means of the Linux kernel CIFS-FS module on the
client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via the SMB/CIFS and SMB2 protocols, respectively:

clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0
Password for user@//sambaserver/share:
mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass=
         
clienthost:~# cat /proc/fs/cifs/DebugData 
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 2.09
Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
Active VFS Requests: 0
Servers:
Number of credits: 50
1) Name: 130.149.125.119  Domain: FAK2 Uses: 1 OS: Windows 6.1
	NOS: Samba 4.5.16-Debian	Capability: 0x8080f3fd
	SMB session status: 1	TCP status: 1
	Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
	Shares:
	1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f
	PathComponentMax: 255 Status: 1 type: DISK 

	MIDs:
       
clienthost:~# getcifsacl /media/testmount/einstieg.txt 
REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
GROUP:S-1-22-2-100
ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
ACL:S-1-22-2-100:ALLOWED/0x0/RW
ACL:S-1-1-0:ALLOWED/0x0/

clienthost:~# umount /media/testmount 

clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0
Password for testuser@//sambaserver/share:
mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass=

clienthost:~# cat /proc/fs/cifs/DebugData
Display Internal CIFS Data Structures for Debugging
---------------------------------------------------
CIFS Version 2.09
Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
Active VFS Requests: 0
Servers:
Number of credits: 13
1) entry for 130.149.125.119 not fully displayed
	TCP status: 1
	Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
	Shares:
	1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
	PathComponentMax: 255 Status: 1 type: DISK 

	MIDs:

clienthost:~# getcifsacl /media/testmount/einstieg.txt 
getxattr error: 95
REVISION:0x0
CONTROL:0x0

I wonder why I am able to access the Security Identifier of a file on an SMB1-mounted share, but getcifsacl is failing to get the SID
of the same file on the same share with SMB2 mounts? In both cases, the availability of the XATTR, ACL and CIFS_POSIX FS capabilities is
shown. Am I missing something essential or is there a lack of implementation?


Best and regards
Sebastian


Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin


Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de
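
Added example, not part of the original message and not code from cifs-utils: a Python decoder for the self-relative security descriptor whose fields getcifsacl prints (REVISION, CONTROL, OWNER, GROUP, ACL), read from the `system.cifs_acl` extended attribute, with errno 95 (EOPNOTSUPP on Linux) reported as its own case, as on the vers=2.0 mount above. The sample bytes and access masks are constructed and the function names are hypothetical.

```python
import errno, os, struct
XATTR = "system.cifs_acl"  # extended attribute that getcifsacl reads

def pack_sid(text):
    """Encode 'S-1-5-...' as a binary SID (used only to build the sample)."""
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def parse_sid(buf, off):
    """Decode the binary SID at offset off into its string form."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(map(str, ("S", rev, auth, *subs)))

def parse_sd(buf):
    """Decode a self-relative security descriptor: header, owner, group, DACL."""
    if len(buf) < 20:
        raise ValueError("security descriptor shorter than its 20-byte header")
    rev, _, control, o_own, o_grp, _, o_dacl = struct.unpack_from("<BBHIIII", buf)
    sd = {"revision": rev, "control": control, "aces": [],
          "owner": parse_sid(buf, o_own) if o_own else None,
          "group": parse_sid(buf, o_grp) if o_grp else None}
    if o_dacl:
        ace_count = struct.unpack_from("<H", buf, o_dacl + 4)[0]
        pos = o_dacl + 8                      # skip the 8-byte ACL header
        for _ in range(ace_count):
            a_type, a_flags, a_size, mask = struct.unpack_from("<BBHI", buf, pos)
            sd["aces"].append((parse_sid(buf, pos + 8), a_type, a_flags, mask))
            pos += a_size
    return sd

def read_cifs_acl(path):
    """Read and decode the descriptor of a file on a CIFS mount (Linux only)."""
    try:
        return parse_sd(os.getxattr(path, XATTR))
    except OSError as e:
        if e.errno == errno.EOPNOTSUPP:       # the "getxattr error: 95" case
            raise RuntimeError(f"{path}: {XATTR} not supported on this mount") from e
        raise

def build_sample():
    """Constructed descriptor mirroring the vers=1.0 output; masks are made up."""
    owner = pack_sid("S-1-5-21-3646497173-276132624-1362955480-290786")
    group = pack_sid("S-1-22-2-100")
    entries = ((owner, 0x12019F), (group, 0x12019F), (pack_sid("S-1-1-0"), 0))
    aces = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(s), m) + s for s, m in entries)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces
    offs = (20, 20 + len(owner), 0, 20 + len(owner) + len(group))
    return struct.pack("<BBHIIII", 1, 0, 0x9004, *offs) + owner + group + dacl
```

`parse_sd(build_sample())` runs offline; `read_cifs_acl("/media/testmount/einstieg.txt")` needs the share mounted.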


