dnutan
December 20, 2016, 5:45pm
1
Something that’s puzzling me with ACLs on shared folders, and hard to reproduce depending on the order of the steps taken.
IIRC this was on a VM with a clean NS7 RC3 with nethserver-dc, file server
Create a user
Create a group
Add user to group
Create share (Owning group=domain users, Allow write permission to owning group, Guest access=none, Browsable; Set Read ACL for the group)
[root@test1 ~]# getfacl /var/lib/nethserver/ibay/sharingiscaring/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/sharingiscaring/
# owner: administrator@local.neth.eu
# group: domain\040users@local.neth.eu
# flags: -s-
user::rwx
group::rwx
group:cuisine@local.neth.eu:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:cuisine@local.neth.eu:r-x
default:mask::rwx
default:other::---Result - user can write to the share:
~ $ smbclient //TEST1/sharingiscaring -U user2 -W LOCAL
Enter user2's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir 0Uncheck the Allow write permission to owning group checkbox.Result - user can read but cannot write:
~ $ smbclient //TEST1/sharingiscaring -U user2 -W LOCAL
Enter user2's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir 1
NT_STATUS_ACCESS_DENIED making remote directory \1Recheck the Allow write permission to owning group checkbox.
[root@test1 ~]# getfacl /var/lib/nethserver/ibay/sharingiscaring/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/sharingiscaring/
# owner: administrator@local.neth.eu
# group: domain\040users@local.neth.eu
# flags: -s-
user::rwx
group::r-x
group:cuisine@local.neth.eu:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:cuisine@local.neth.eu:r-x
default:mask::r-x
default:other::---Result - user can read but cannot write:
~ $ smbclient //TEST1/sharingiscaring -U user2 -W LOCAL
Enter user2's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir 1
NT_STATUS_ACCESS_DENIED making remote directory \1
davidep
December 21, 2016, 8:15am
2
This is not a support request #bug .
giacomo
January 4, 2017, 9:56am
3
I opened the official bug:
Marc, if you have some spare time, can you please try my proposed patch?
2 Likes
robb
January 4, 2017, 1:12pm
5
I applied the patch by editing the nethserver-ibays-set-permissions file as proposed (adding the -n flag) but I still couldn’t access a share with a user.
giacomo
January 4, 2017, 2:56pm
6
You need to modify the share from the gui (eg. change the description) and save.
signal-event ibay-modify share2
dnutan
January 4, 2017, 3:54pm
7
The issue remains:
Create a user
Create a group
Add user to group
Create share (Owning group=domain users, Allow write permission to owning group, Guest access=none, Browsable; Set Read ACL for the group)
[root@test1 ~]# getfacl /var/lib/nethserver/ibay/share3/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share3/
# owner: administrator@local.neth.eu
# group: domain\040users@local.neth.eu
# flags: -s-
user::rwx
group::rwx
group:group3@local.neth.eu:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:group3@local.neth.eu:r-x
default:mask::rwx
default:other::--- ~ $ smbclient //TEST1/share3 -U user3 -W LOCAL
Enter user3's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir dir1Uncheck the Allow write permission to owning group checkbox.
[root@test1 ~]# getfacl /var/lib/nethserver/ibay/share3/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share3/
# owner: administrator@local.neth.eu
# group: domain\040users@local.neth.eu
# flags: -s-
user::rwx
group::r-x
group:group3@local.neth.eu:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:group3@local.neth.eu:r-x
default:mask::r-x
default:other::--- ~ $ smbclient //TEST1/share3 -U user3 -W LOCAL
Enter user3's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir dir2
NT_STATUS_ACCESS_DENIED making remote directory \dir2Recheck the Allow write permission to owning group checkbox.
[root@test1 ~]# getfacl /var/lib/nethserver/ibay/share3/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share3/
# owner: administrator@local.neth.eu
# group: domain\040users@local.neth.eu
# flags: -s-
user::rwx
group::r-x
group:group3@local.neth.eu:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:group3@local.neth.eu:r-x
default:mask::r-x
default:other::--- ~ $ smbclient //TEST1/share3 -U user3 -W LOCAL
Enter user3's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir dir2
NT_STATUS_ACCESS_DENIED making remote directory \dir2Check write checkbox for ACL group
[root@test1 ~]# getfacl /var/lib/nethserver/ibay/share3/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/share3/
# owner: administrator@local.neth.eu
# group: domain\040users@local.neth.eu
# flags: -s-
user::rwx
group::r-x
group:group3@local.neth.eu:rwx #effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:group3@local.neth.eu:rwx #effective:r-x
default:mask::r-x
default:other::--- ~ $ smbclient //TEST1/share3 -U user3 -W LOCAL
Enter user3's password:
Domain=[LOCAL] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \> mkdir dir2
NT_STATUS_ACCESS_DENIED making remote directory \dir2
giacomo
January 4, 2017, 4:00pm
8
Honestly I’m not good enough to dig more on that code, I will wait Davide for it
In the meanwhile, could you please post also the output of:
stat /var/lib/nethserver/ibay/share3/
dnutan
January 4, 2017, 7:33pm
9
[root@test1 ~]# stat /var/lib/nethserver/ibay/share3/
File: ‘/var/lib/nethserver/ibay/share3/’
Size: 18 Blocks: 0 IO Block: 4096 directory
Device: fd00h/64768d Inode: 16893649 Links: 3
Access: (2750/drwxr-s---) Uid: (1014400500/ UNKNOWN) Gid: (1014400513/ UNKNOWN)
Access: 2017-01-04 16:29:28.836147554 +0100
Modify: 2017-01-04 16:26:12.749283870 +0100
Change: 2017-01-04 16:28:56.037627648 +0100
Birth: -
giacomo
January 5, 2017, 8:04am
10
That’s odd: with the -n flag, the setfacl command should not change the permissions.
If you need a quick fix, just execute:
chmod 2770 /var/lib/nethserver/ibay/share3/
dnutan
January 5, 2017, 1:10pm
11
The quick fix works on this test machine, but the user loses access to the share as soon as a change is applied to the ibay settings (unless the quick fix is run again afterwards).
1 Like
davidep
January 10, 2017, 12:09pm
12
There is a package in nethserver-testing
yum --enablerepo=nethserver-testing update nethserver-ibays-3.0.2-1.2.g5bfb5ac.ns7.noarch
This is the proposed bugfix:
robb
January 10, 2017, 2:12pm
13
I still have problems with using shares. After installing the proposed patch, I still can’t access a share with a user that is member of the owning group:
[root@hs001 ~]# smbclient //hs001/algemeen -U rob -W LOCAL
Enter rob's password:
Domain=[INTERLIN] OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@hs001 ~]# stat /var/lib/nethserver/ibay/algemeen/
File: ‘/var/lib/nethserver/ibay/algemeen/’
Size: 912 Blocks: 0 IO Block: 4096 directory
Device: 2dh/45d Inode: 1827 Links: 1
Access: (2770/drwxrws---) Uid: (1810800500/administrator@interlin.lan) Gid: (1810801111/algemeen@interlin.lan)
Access: 2017-01-10 03:35:04.428707273 +0100
Modify: 2016-12-31 15:59:02.938114937 +0100
Change: 2017-01-10 15:14:45.480874817 +0100
Birth: -
davidep
January 10, 2017, 3:08pm
14
The fix works for new shared folders. For existing ones, try with “Reset permissions” action on each of them.
Shared Folders > (Actions column on each item) > Reset Permssions
Otherwise
Shared Folders > Edit item > Reset Permssions
1 Like
davidep
January 10, 2017, 3:29pm
15
Change
smbclient //hs001/algemeen -U rob -W INTERLIN
It’s a login issue
robb
January 10, 2017, 3:50pm
16
The account credentials are ok because I can login with those credentials through SSH fine
robb@E540:~$ ssh rob@hs001.interlin.lan
rob@hs001.interlin.lan's password:
Last login: Wed Jan 4 13:08:08 2017 from e540.interlin.lan
************ Welcome to NethServer ************
This is a NethServer installation.
Before editing configuration files, be aware
of the automatic events and templates system.
http://docs.nethserver.org
***********************************************
[rob@interlin.lan@hs001 ~]$
When connecting through cmdline to the share I do get an smb:/> prompt:
But the account seems to have no rights on the share because when I try to do an ls i get:
This should not be the case since the account is member of the owning group of the share so it looks like it is not a login issue, it’s a permissions issue. And this was the problem in the first place…
davidep
January 10, 2017, 9:23pm
17
Let’s verify it
id rob@interlin.lan
id rob
robb
January 10, 2017, 9:41pm
18
davidep:
id rob@interlin.lan
[root@hs001 ~]# id rob@interlin.lan1810801111(algemeen@interlin.lan) ,1810801112(muziek@interlin.lan),1810801113(films@interlin.lan),1810801116(fotos@interlin.lan),1810801114(renm@interlin.lan),1810800572(denied rodc password replication group@interlin.lan)
davidep:
id rob
[root@hs001 ~]# id rob1810801111(algemeen@interlin.lan) ,1810801112(muziek@interlin.lan),1810801113(films@interlin.lan),1810801116(fotos@interlin.lan),1810801114(renm@interlin.lan),1810800572(denied rodc password replication group@interlin.lan)
davidep
January 10, 2017, 9:58pm
19
OK it’s a permissions issue, at least the error message says that. But I think it’s not the same issue reported by dnutan.
Can you reproduce it in an isolated environment or direct me with some steps?
robb
January 10, 2017, 10:02pm
20
I installed 7RC3, did all updates, installed Samba4 DC, configured Samba4 DC. Then installed Fileserver module.
I have a 2nd physical server that I am installing now and will install the same modules. Before creating the shares I will apply the patch you released in testing today. I will report back if I have a different outcome.
/edit: first test worked fine: I tried to access the share through Nautilus: used credentials of a member of the owning group and I could access the share and browse the subdirectories. I don’t know what went wrong in the previous install. I still have my own server with the ‘bogus’ permissions. Is it worth it to keep troubleshooting this or shall I reinstall that one too?
1 Like
I’ll try to reproduce this 
