[Samba] permission denied with windows acls
Rowland Penny
rpenny at samba.org
Tue Jan 30 10:12:33 UTC 2024
On Mon, 29 Jan 2024 16:42:20 -0800
Peter Carlson via samba <samba at lists.samba.org> wrote:
>
> On 1/29/24 13:08, Rowland Penny via samba wrote:
> > On Mon, 29 Jan 2024 12:51:37 -0800
> > Peter Carlson via samba<samba at lists.samba.org> wrote:
> >
> >
> >> Just did a quick test, the big T comes after setting permissions in
> >> windows
> >>
> >> root at fs1:/var/log# cd /data
> >> root at fs1:/data# mkdir -m 1777 test2
> > No it doesn't, you are setting it.
> >
> > I set the permissions on the share directory like this:
> >
> > mkdir -p /srv/mtest1
> > chown root:"Domain Admins" /srv/mtest1
> > chmod 0770 /srv/mtest1
> >
> > Which is what it shows here:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> >> root at fs1:/data# chown root:"CARLSON\\domain admins" test2
> >> root at fs1:/data# vi /etc/samba/smb.conf
> >> root at fs1:/data# systemctl restart smbd.service
> >> root at fs1:/data# ls -ald /data/*
> >> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13
> >> /data/test drwxrwxrwt 2 root CARLSON\domain admins 4096 Jan 29
> >> 20:43 /data/test2
> > No, I take it back (slightly), you set the permissions with 't'
> > (which shows the sticky bit is set) and then when you change the
> > permissions from Windows, acl_xattr removes the 'rwx' from
> > 'others', this changes the 't' to a 'T'
> >
> > At least that is what I think is happening.
> >
> > The cure, stop setting the permissions to '1777' in the first place,
> > use '0770'
> >
> > Rowland
> >
> ok so I reset it and used mode 0770 and it still doesn't mount
> without domain users (or computers) as a permission
>
> root at fs1:/data# rm -fr test2
> root at fs1:/data# mkdir -m 0777 test2
> root at fs1:/data# chown root:"CARLSON\\domain admins" test2
> root at fs1:/data# ls -ald /data/*
> drwxrwx--T+ 4 root CARLSON\domain admins 4096 Jan 26 16:13 /data/test
> drwxrwx---+ 2 root CARLSON\domain admins 4096 Jan 30 00:30 /data/test2
>
> --------------- Set Windows ACLs ---------------------
>
I don't understand this.
I can just start the VM (debian 12, Samba 4.19.4)
log in as 'rowland'
go to 'Places' -> 'Computer'
Double click 'File System'
Double click '/mnt'
All the mounted shares are there and I can interact with them.
If I run 'mount', I find these lines:
adminuser at testdm12:~$ mount
.................
//devstation.samdom.example.com/data on /mnt/test type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
//devstation.samdom.example.com/Mtest1 on /mnt/testmount1 type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
//devstation.samdom.example.com/Mtest on /mnt/testmount type cifs (rw,relatime,vers=3.1.1,sec=krb5,cruid=0,cache=strict,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.141,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=1)
Now remember that these are mounts, so the permissions on the client are
going to look wrong:
adminuser at testdm12:~$ sudo ls -la /mnt/testmount1
total 12
drwxr-xr-x 2 root root 0 Jan 30 09:44 .
drwxr-xr-x 6 root root 4096 Jan 29 19:11 ..
-rwxr-xr-x 1 root root 11 Jan 30 09:44 doctest1
I have to go to the server to find the correct permissions:
rowland at devstation:~$ ls -la /srv/mtest1
total 20
drwxrwx---+ 2 root domain admins 4096 Jan 30 09:44 .
drwxr-xr-x 23 root root 4096 Jan 29 18:54 ..
-rwxrwxr-x+ 1 rowland domain users 11 Jan 30 09:44 doctest1
rowland at devstation:~$ getfacl /srv/mtest1/doctest1
getfacl: Removing leading '/' from absolute path names
# file: srv/mtest1/doctest1
# owner: rowland
# group: domain\040users
user::rwx
user:domain\040users:r-x
group::r-x
group:domain\040users:r-x
group:rowland:rwx
mask::rwx
other::r-x
There must be some difference between your machines and mine, but I do
not know what.
Rowland
More information about the samba
mailing list