[Samba] Using CIFS ACL with SMB2/SMB3 Mounts on Linux Clients

Kraus, Sebastian sebastian.kraus at tu-berlin.de
Sat Mar 2 16:14:27 UTC 2019 

Hi Steve,

>> Could you see if anything useful in the logs indicating why the ACL was not returned?  
>> Instructions are at:
>> https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging

Unfortunately not: With maximum debug verbosity 7 for the CIFS Kernel module stack, the dmesg only
logs an ENOPNOTSUPP error (rc=95, Operation not supported on transport endpoint) on the socket 
while invoking an getcifsacl on a file or folder residing on a mounted Samba share. No more indicative error 
messages are shown up in the respective trace. :-(

BUT, I just tested retrieving the CIFS ACL in the same setup either with backports Linux Kernel v4.19.16-1~bpo9+1
under Debian Stable (Stretch) and with Kernel v4.19.16-1 under Debian Testing (Buster) for SMB2/SMB3 protocol and
getcifsacl/setcifsacl works properly on files and folders. So, it seems that with the older CIFS module version of Linux 
Kernel v4.9.30-2+deb9u5 under Debian Stable the CIFS ACL are simply not implemented/supported with SMB2/SMB3 
protocol and an ENOTSUPP is raised consequently.

As I never dealt with CIFS ACL and NTFS/Windows ACL before, I would like to ask if you know about any good 
description/manual on the internet how to properly fiddle around with this type of rich ACL.


Thanks and best
Sebastian


Sebastian Kraus
Team IT am Institut für Chemie
Gebäude C, Straße des 17. Juni 115, Raum C7

Technische Universität Berlin
Fakultät II
Institut für Chemie
Sekretariat C3
Straße des 17. Juni 135
10623 Berlin


Tel.: +49 30 314 22263
Fax: +49 30 314 29309
Email: sebastian.kraus at tu-berlin.de


________________________________________
From: Steve French <smfrench at gmail.com>
Sent: Friday, March 1, 2019 07:17
To: Kraus, Sebastian
Cc: Jeremy Allison; samba at lists.samba.org; ronniesahlberg at gmail.com
Subject: Re: Using Access Control Lists with SMB2/SMB3 Mounts on Linux Clients

Could you see if anything useful in the logs indicating why the ACL
was not returned?  Instructions are at:

https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Enabling_Debugging

(it is easier for newer kernels due to dynamic tracing e.g. "trace-cmd
record -e cifs" but even with these older kernels it should be enough
information in the dmesg logs - if not a wireshark trace could help)

On Thu, Feb 28, 2019 at 10:54 PM Kraus, Sebastian
<sebastian.kraus at tu-berlin.de> wrote:
>
> Hi Jeremy, Hi Steve, Hi Ronnie,
> thanks for your replies and the profound discussion.
> I think, it's best to demonstrate my problem case along an real world example:
> The following log of a console sesssion shows how I am doing the mounts on behalf Linux Kernel CIFS-FS Module on the
> client side against a Samba 4.5 file server (both running on Debian Stretch 9.8) via SMB/CIFS resp. SMB2 protocol:
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=1.0
> Password for user@//sambaserver/share:
> mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=1.0,gid=100,user=testuser,domain=win,pass=
>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 50
> 1) Name: 130.149.125.119  Domain: FAK2 Uses: 1 OS: Windows 6.1
>         NOS: Samba 4.5.16-Debian        Capability: 0x8080f3fd
>         SMB session status: 1   TCP status: 1
>         Local Users To Server: 1 SecMode: 0x3 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 Type: NTFS DevInfo: 0x20 Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> REVISION:0x1
> CONTROL:0x9004
> OWNER:S-1-5-21-3646497173-276132624-1362955480-290786
> GROUP:S-1-22-2-100
> ACL:S-1-5-21-3646497173-276132624-1362955480-290786:ALLOWED/0x0/RW
> ACL:S-1-22-2-100:ALLOWED/0x0/RW
> ACL:S-1-1-0:ALLOWED/0x0/
>
> clienthost:~# umount /media/testmount
>
> clienthost:~# mount.cifs --verbose //sambaserver/share /media/testmount -o domain=win,gid=users,username=testuser,vers=2.0
> Password for testuser@//sambaserver/share:
> mount.cifs kernel mount options: ip=130.149.XXX.YYY,unc=\\sambaserver\share,vers=2.0,gid=100,user=testuser,domain=win,pass=
>
> clienthost:~# cat /proc/fs/cifs/DebugData
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> CIFS Version 2.09
> Features: DFS,FSCACHE,DEBUG,WEAK_PW_HASH,CIFS_POSIX,UPCALL(SPNEGO),XATTR,ACL
> Active VFS Requests: 0
> Servers:
> Number of credits: 13
> 1) entry for 130.149.125.119 not fully displayed
>         TCP status: 1
>         Local Users To Server: 1 SecMode: 0x1 Req On Wire: 0
>         Shares:
>         1) \\sambaserver\share Mounts: 1 DevInfo: 0x20 Attributes: 0x1006f
>         PathComponentMax: 255 Status: 1 type: DISK
>
>         MIDs:
>
> clienthost:~# getcifsacl /media/testmount/einstieg.txt
> getxattr error: 95
> REVISION:0x0
> CONTROL:0x0
>
> I wonder why I am able to access the Security Identifier of a file on an SMB1 mounted share, but getcifsacl is failing to get the SID
> of the same file on the same share with SMB2 mounts? In both cases, availability of XATTR, ACL and CIFS_POSIX FS capabilities is
> shown. Am I missing something essential or is there a lack of implementation?
>
>
> Best and regards
> Sebastian
>
>
> Sebastian Kraus
> Team IT am Institut für Chemie
> Gebäude C, Straße des 17. Juni 115, Raum C7
>
> Technische Universität Berlin
> Fakultät II
> Institut für Chemie
> Sekretariat C3
> Straße des 17. Juni 135
> 10623 Berlin
>
>
> Tel.: +49 30 314 22263
> Fax: +49 30 314 29309
> Email: sebastian.kraus at tu-berlin.de



--
Thanks,

Steve

More information about the samba mailing list