That’s odd: with the -n
flag, the setfacl command should not change the permissions.
If you need a quick fix, just execute:
chmod 2770 /var/lib/nethserver/ibay/share3/
That’s odd: with the -n
flag, the setfacl command should not change the permissions.
If you need a quick fix, just execute:
chmod 2770 /var/lib/nethserver/ibay/share3/
The quick fix works on this test machine, but the user loses access to the share as soon as a change is applied to the ibay settings (unless the quick fix is run again afterwards).
There is a package in nethserver-testing
yum --enablerepo=nethserver-testing update nethserver-ibays-3.0.2-1.2.g5bfb5ac.ns7.noarch
This is the proposed bugfix:
I still have problems with using shares. After installing the proposed patch, I still can’t access a share with a user that is member of the owning group:
[root@hs001 ~]# getfacl /var/lib/nethserver/ibay/algemeen
getfacl: Removing leading ‘/’ from absolute path names
# file: var/lib/nethserver/ibay/algemeen
# owner: administrator@interlin.lan
# group: algemeen@interlin.lan
# flags: -s-
user::rwx
group::rwx
other::—
[root@hs001 ~]# smbclient //hs001/algemeen -U rob -W LOCAL
Enter rob's password:
Domain=[INTERLIN] OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@hs001 ~]# stat /var/lib/nethserver/ibay/algemeen/
File: ‘/var/lib/nethserver/ibay/algemeen/’
Size: 912 Blocks: 0 IO Block: 4096 directory
Device: 2dh/45d Inode: 1827 Links: 1
Access: (2770/drwxrws---) Uid: (1810800500/administrator@interlin.lan) Gid: (1810801111/algemeen@interlin.lan)
Access: 2017-01-10 03:35:04.428707273 +0100
Modify: 2016-12-31 15:59:02.938114937 +0100
Change: 2017-01-10 15:14:45.480874817 +0100
Birth: -
The fix works for new shared folders. For existing ones, try with “Reset permissions” action on each of them.
Shared Folders > (Actions column on each item) > Reset Permssions
Otherwise
Shared Folders > Edit item > Reset Permssions
Change
smbclient //hs001/algemeen -U rob -W INTERLIN
It’s a login issue
The account credentials are ok because I can login with those credentials through SSH fine
robb@E540:~$ ssh rob@hs001.interlin.lan
rob@hs001.interlin.lan's password:
Last login: Wed Jan 4 13:08:08 2017 from e540.interlin.lan
************ Welcome to NethServer ************
This is a NethServer installation.
Before editing configuration files, be aware
of the automatic events and templates system.
http://docs.nethserver.org
***********************************************
[rob@interlin.lan@hs001 ~]$
When connecting through cmdline to the share I do get an smb:/> prompt:
[root@hs001 ~]# smbclient //hs001/algemeen -U rob -W INTERLIN
Enter rob’s password:
Domain=[INTERLIN] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: >
But the account seems to have no rights on the share because when I try to do an ls i get:
smb: > ls
NT_STATUS_ACCESS_DENIED listing *
smb: >
This should not be the case since the account is member of the owning group of the share so it looks like it is not a login issue, it’s a permissions issue. And this was the problem in the first place…
Let’s verify it
id rob@interlin.lan
id rob
[root@hs001 ~]# id rob@interlin.lan
uid=1810801105(rob@interlin.lan) gid=1810800513(domain users@interlin.lan) groups=1810800513(domain users@interlin.lan),1810800512(domain admins@interlin.lan),1810801117(test@interlin.lan),1810801111(algemeen@interlin.lan),1810801112(muziek@interlin.lan),1810801113(films@interlin.lan),1810801116(fotos@interlin.lan),1810801114(renm@interlin.lan),1810800572(denied rodc password replication group@interlin.lan)
[root@hs001 ~]# id rob
uid=1810801105(rob@interlin.lan) gid=1810800513(domain users@interlin.lan) groups=1810800513(domain users@interlin.lan),1810800512(domain admins@interlin.lan),1810801117(test@interlin.lan),1810801111(algemeen@interlin.lan),1810801112(muziek@interlin.lan),1810801113(films@interlin.lan),1810801116(fotos@interlin.lan),1810801114(renm@interlin.lan),1810800572(denied rodc password replication group@interlin.lan)
OK it’s a permissions issue, at least the error message says that. But I think it’s not the same issue reported by dnutan.
Can you reproduce it in an isolated environment or direct me with some steps?
I installed 7RC3, did all updates, installed Samba4 DC, configured Samba4 DC. Then installed Fileserver module.
I created users, groups and shares. And the only way to access a share is by CHOWN the directory to a user. Then I can access the share with that user. The whole group permission is “not working”
I have a 2nd physical server that I am installing now and will install the same modules. Before creating the shares I will apply the patch you released in testing today. I will report back if I have a different outcome.
/edit: first test worked fine: I tried to access the share through Nautilus: used credentials of a member of the owning group and I could access the share and browse the subdirectories. I don’t know what went wrong in the previous install. I still have my own server with the ‘bogus’ permissions. Is it worth it to keep troubleshooting this or shall I reinstall that one too?
It works better with the testing package. Tested assigning ACL to a user, to a group of users, and to a group of users and (sub)groups …but there seem to be some corner cases when comparing these actions:
Other notes (just for the record):
We should compare them with POSIX ACL semantics. What you report seems compatible with these rules:
What you report here is the expected behavior. Do you see any possible enhancement?
Thanks, I didn’t know.
About the other notes (just a reminder) I think it’s ok.
If possible, reinstall. Bugs must be reproducible, otherwise they can’t be fixed, or are not bug at all
Me too
I was guessing…
The issue is solved but i still have some concerns about the use of ACLs.
Basically ACLs should be used only to handle very special cases, but I see that many Windows system administrators are used to always set the ACL over shared folder.
I was wondering: should we add a clarification inside the administrator manual with a usage scenario?
( Relevant page: http://docs.nethserver.org/en/v7rc/shared_folder.html )
This worked for me
Was fixed here