[Samba] Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Steve French smfrench at gmail.com
Fri Mar 1 06:17:51 UTC 2019


Could you see if there is anything useful in the logs indicating why the ACL
was not returned?  Instructions are at:

https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging

(it is easier for newer kernels due to dynamic tracing, e.g. "trace-cmd
record -e cifs", but even with these older kernels there should be enough
information in the dmesg logs - if not, a wireshark trace could help)

On Thu, Feb 28, 2019 at 10:54 PM Kraus, Sebastian
<sebastian.kraus at tu-berlin.de> wrote:
>
> Hi Jeremy, Hi Steve, Hi Ronnie,
> thanks for your replies and the profound discussion.
> I think it's best to demonstrate my problem case along a real-world example:
> The following log of a console session shows how I am doing the mounts on behalf of the Linux Kernel CIFS-FS Module on the
> client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via SMB/CIFS resp. SMB2 protocol:
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0
> Password for user@//sambaserver/share:
> mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass=
>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 50
> 1) Name: 130.149.125.119  Domain: FAK2 Uses: 1 OS: Windows 6.1
>         NOS: Samba 4.5.16-Debian        Capability: 0x8080f3fd
>         SMB session status: 1   TCP status: 1
>         Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> REVISION:0x1
> CONTROL:0x9004
> OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
> GROUP:S-1-22-2-100
> ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
> ACL:S-1-22-2-100:ALLOWED/0x0/RW
> ACL:S-1-1-0:ALLOWED/0x0/
>
> clienthost:~# umount /media/testmount
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0
> Password for testuser@//sambaserver/share:
> mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass=
>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 13
> 1) entry for 130.149.125.119 not fully displayed
>         TCP status: 1
>         Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> getxattr error: 95
> REVISION:0x0
> CONTROL:0x0
>
> I wonder why I am able to access the Security Identifier of a file on an SMB1 mounted share, but getcifsacl is failing to get the SID
> of the same file on the same share with SMB2 mounts? In both cases, availability of XATTR, ACL and CIFS_POSIX FS capabilities is
> shown. Am I missing something essential or is there a lack of implementation?
>
>
> Best and regards
> Sebastian
>
>
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
>
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
>
>
> Tel.: +49 30 314 22263
> Fax: +49 30 314 29309
> Email: sebastian.kraus at tu-berlin.de



-- 
Thanks,

Steve
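
Triage of the two getcifsacl outputs quoted above, as an added example that is not part of the original thread or of cifs-utils: the hypothetical helper `classify_cifsacl` reads getcifsacl output on stdin and reports whether a security descriptor came back, decoding the getxattr errno (95 is EOPNOTSUPP on Linux). The sample inputs are copied from the quoted session.

```sh
#!/bin/sh
# Added example: classify getcifsacl output (hypothetical helper, not from cifs-utils).
# Reads getcifsacl output on stdin and prints one line:
#   ok owner=<SID> aces=<n>      a security descriptor was returned
#   empty errno=<n> (<name>)     nothing usable came back
classify_cifsacl() {
    awk '
        /^getxattr error:/ { err = $3 }               # errno printed by getcifsacl
        /^REVISION:/       { rev = substr($0, 10) }   # text after "REVISION:"
        /^OWNER:/          { owner = substr($0, 7) }  # text after "OWNER:"
        /^ACL:/            { aces++ }                 # one line per ACE
        END {
            # Linux errno values most relevant to a failed xattr read
            name[13] = "EACCES"; name[61] = "ENODATA"; name[95] = "EOPNOTSUPP"
            if (err != "" || rev == "0x0" || owner == "") {
                if (err == "") err = "none"
                n = (err in name) ? name[err] : "unknown"
                printf "empty errno=%s (%s)\n", err, n
            } else {
                printf "ok owner=%s aces=%d\n", owner, aces
            }
        }'
}

# Sample inputs copied from the session quoted in this thread.
smb1_out='REVISION:0x1
CONTROL:0x9004
OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
GROUP:S-1-22-2-100
ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
ACL:S-1-22-2-100:ALLOWED/0x0/RW
ACL:S-1-1-0:ALLOWED/0x0/'
smb2_out='getxattr error: 95
REVISION:0x0
CONTROL:0x0'

printf '%s\n' "$smb1_out" | classify_cifsacl   # vers=1.0 mount
printf '%s\n' "$smb2_out" | classify_cifsacl   # vers=2.0 mount
```

When piping live output into the helper, redirect stderr as well (`2>&1`) so the error line is captured whichever stream it is written to.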


