[Samba] icacls 'DENY' and Unix user execute bit
Ken Bass
kbass at kenbass.com
Sat Nov 20 00:00:35 UTC 2021
On 11/19/21 5:18 PM, Rowland Penny via samba wrote:
> On Fri, 2021-11-19 at 16:44 -0500, Ken Bass via samba wrote:
>> I am in some unfamiliar territory here and trying to troubleshoot why I
>> am getting access denied. Maybe someone can provide some pointers or
>> suggestions.
>>
>> I am sharing via a samba share.
>>
>> If the file is created on Windows, I see the following:
>>
>> icacls test.txt
>>
>> test.txt Everyone:
>> MYDOM\user:(I)(F)
>> MYDOM\Group:(I)(F)
>>
>> Under Linux the file permissions show as:
>> '-rwxrw----'
> Is that exactly what 'ls -la' produces ? Could there be a '+' on the
> end ?
> As shown, the user would have full permissions and the group would have
> read and write permissions, all others would have no permissions.
>
> Depending on how you have set up Samba, you may be using extended ACL's
> and attrs, but without further info, this is hard to say.
>
> Could you post the output from 'testparm -s' from the Samba server and
> the full output of 'ls -la test.txt'
>
> Rowland
>
>
>
Hi Rowland,
On the SERVER side:
-rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt
On the CLIENT side, where this share is mounted via cifs in /etc/fstab
-rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt
And reproducing the issue - on the CLIENT side
/usr/bin/getcifsacl test.txt
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:ALLOWED/0x0/FULL
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/
And after running
chmod u-x test.txt
-rw-rw---- 1 user testshare users 16 Nov 19 16:12 test.txt
/usr/bin/getcifsacl test.txt
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:DENIED/0x0/0xd0130
ACL:MYDOM\user:ALLOWED/0x0/0x1f01df
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/0x40
Notice after running the chmod to remove the user exec permission, the
DENIED ACL is added.
That DENIED ACL does not just remove 'execution', but as I originally
posted:
test.txt MYDOM\user:(DENY)(D,WDAC,WO,WEA,X,WA)
MYDOM\user:(R,W,D,WDAC,WO,DC)
MYDOM\Testshare Users:(F)
Everyone:(DC)
it appears to also remove WEA - Write extended attributes, WA - Write
attributes, WO - Write owner.
My guess is that is why trying to write to test.txt from Windows after
the chmod results in Access Denied. That DENY clause prevents Windows
from doing that.
# Global parameters
[global]
disable spoolss = Yes
guest account = guestuser
interfaces = lo 192.168.2.0/24
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/%m.log
map to guest = Bad User
printcap name = /dev/null
realm = MYDOM.LOCAL.NET
security = ADS
server string = myserver
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/user.map
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = MYDOM
idmap config mydom : unix_primary_group = yes
idmap config mydom : range = 1000-29999
idmap config mydom : schema_mode = rfc2307
idmap config mydom : backend = ad
idmap config * : range = 30000-39999
idmap config * : backend = tdb
cups options = raw
hosts allow = 127. 192.168.2.
map acl inherit = Yes
printing = bsd
strict allocate = Yes
vfs objects = acl_xattr
[TestShare]
comment = TestShare
create mask = 0770
directory mask = 0770
force create mode = 0770
force directory mode = 0770
force group = "TestShare Users"
path = /mnt/store/TestShare
read only = No
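To check the claim above, here is an added Python helper (not part of the thread) that decodes the raw getcifsacl access masks into the abbreviations icacls prints and subtracts each trustee's DENIED bits from its ALLOWED bits. The sample input is the post's getcifsacl output after the chmod; the evaluation only considers ACEs naming the same trustee, which is a simplification of Windows' group-aware ordering.

```python
import re

# Windows file access-mask bits, named with the abbreviations icacls prints.
ACCESS_BITS = {
    0x1: "RD", 0x2: "WD", 0x4: "AD", 0x8: "REA", 0x10: "WEA",
    0x20: "X", 0x40: "DC", 0x80: "RA", 0x100: "WA",
    0x10000: "D", 0x20000: "RC", 0x40000: "WDAC", 0x80000: "WO",
    0x100000: "S",
}
FULL = 0x1f01ff  # the mask getcifsacl abbreviates as FULL

# ACL:<trustee>:<ALLOWED|DENIED>/<ace flags>/<mask | FULL | empty>
ACE_RE = re.compile(
    r"^ACL:(?P<sid>.+?):(?P<type>ALLOWED|DENIED)/0x[0-9a-fA-F]+/"
    r"(?P<mask>FULL|0x[0-9a-fA-F]+|)$"
)

# Constructed from the getcifsacl output in the post (after chmod u-x).
AFTER_CHMOD = r"""
REVISION:0x1
CONTROL:0x8004
OWNER:MYDOM\user
GROUP:MYDOM\Testshare Users
ACL:MYDOM\user:DENIED/0x0/0xd0130
ACL:MYDOM\user:ALLOWED/0x0/0x1f01df
ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
ACL:\Everyone:ALLOWED/0x0/0x40
"""

def decode_mask(mask):
    """Return the set of icacls right names present in an access mask."""
    return {name for bit, name in ACCESS_BITS.items() if mask & bit}

def parse_mask(text):
    """Turn the mask field of an ACL line into an int; empty means no rights."""
    if text.upper() == "FULL":
        return FULL
    return int(text, 16) if text else 0

def effective_rights(lines):
    """Per trustee: ALLOWED bits with that trustee's DENIED bits removed."""
    allowed, denied = {}, {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # REVISION/CONTROL/OWNER/GROUP lines carry no ACE
        target = denied if m["type"] == "DENIED" else allowed
        target[m["sid"]] = target.get(m["sid"], 0) | parse_mask(m["mask"])
    return {sid: decode_mask(allowed[sid] & ~denied.get(sid, 0)) for sid in allowed}
```

Running it on the sample shows MYDOM\user keeps WD and AD but loses WA, WEA and WO, which is the combination the post suspects behind the Access Denied.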