[Samba] icacls 'DENY' and Unix user execute bit
Rowland Penny
rpenny at samba.org
Sat Nov 20 09:25:48 UTC 2021
On Fri, 2021-11-19 at 19:00 -0500, Ken Bass via samba wrote:
>
> >
> >
>
> Hi Rowland,
>
> On the SERVER side:
>
> -rwxrwx---+ 1 user testshare users 16 Nov 19 16:11 test.txt
Yes, you are using ACL's, note the '+' at the end of the Unix
permissions.
What does 'getfacl test.txt' produce ?
>
> On the CLIENT side, where this share is mounted via cifs in
> /etc/fstab
>
> -rwxrw---- 1 user testshare users 16 Nov 19 16:11 test.txt
However, the cifs mounted share doesn't seem to be using using ACL's
>
> And reproducing the issue - on the CLIENT side
>
> /usr/bin/getcifsacl test.txt
> REVISION:0x1
> CONTROL:0x8004
> OWNER:MYDOM\user
> GROUP:MYDOM\Testshare Users
> ACL:MYDOM\user:ALLOWED/0x0/FULL
> ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
> ACL:\Everyone:ALLOWED/0x0/
>
> And after running
>
> chmod u-x test.txt
I wouldn't recommend running chmod against anything that has an ACL set
on it, it will probably remove or change the ACL.
>
> -rw-rw---- 1 user testshare users 16 Nov 19 16:12 test.txt
>
> /usr/bin/getcifsacl test.txt
> REVISION:0x1
> CONTROL:0x8004
> OWNER:MYDOM\user
> GROUP:MYDOM\Testshare Users
> ACL:MYDOM\user:DENIED/0x0/0xd0130
> ACL:MYDOM\user:ALLOWED/0x0/0x1f01df
> ACL:MYDOM\Testshare Users:ALLOWED/0x0/FULL
> ACL:\Everyone:ALLOWED/0x0/0x40
>
> Notice after running the chmod to remove the user exec permission,
> the
> DENIED ACL is added.
>
> That DENIED ACL does not just remove 'execution', but as I
> originally
> posted:
>
> test.txt MYDOM\user:(DENY)(D,WDAC,WO,WEA,X,WA)
> MYDOM\user:(R,W,D,WDAC,WO,DC)
> MYDOM\Testshare Users:(F)
> Everyone:(DC)
>
> it appears to also remove WEA - Write extended attributes, WA -
> Write
> attributes, WO - Write owner.
>
> My guess is that is why trying to write to test.txt from Windows
> after
> the chmod results in Access Denied. That DENY clause prevents
> Windows
> from doing that.
Your problem appears to be that you are trying to fix your problem an
hammer.
>
> # Global parameters
> [global]
> disable spoolss = Yes
> guest account = guestuser
> interfaces = lo 192.168.2.0/24
> kerberos method = secrets and keytab
> load printers = No
> log file = /var/log/samba/%m.log
> map to guest = Bad User
> printcap name = /dev/null
> realm = MYDOM.LOCAL.NET
> security = ADS
> server string = myserver
> template homedir = /home/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
What exactly is in the 'user.map' ?
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = MYDOM
> idmap config mydom : unix_primary_group = yes
> idmap config mydom : range = 1000-29999
I suppose you realise that using that range means you cannot have any
local Unix users.
> idmap config mydom : schema_mode = rfc2307
> idmap config mydom : backend = ad
> idmap config * : range = 30000-39999
> idmap config * : backend = tdb
> cups options = raw
> hosts allow = 127. 192.168.2.
> map acl inherit = Yes
> printing = bsd
> strict allocate = Yes
> vfs objects = acl_xattr
>
> [TestShare]
> comment = TestShare
> create mask = 0770
> directory mask = 0770
> force create mode = 0770
> force directory mode = 0770
> force group = "TestShare Users"
> path = /mnt/store/TestShare
> read only = No
I suggest you change the share to this:
[TestShare]
comment = TestShare
path = /mnt/store/TestShare
read only = No
Then set the permissions from windows and only windows.
Try reading:
man mount.cifs
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
More information about the samba
mailing list