Shared Folder ACL applied to a group sometimes not respected

That’s odd: with the -n flag, the setfacl command should not change the permissions.

If you need a quick fix, just execute:

chmod 2770 /var/lib/nethserver/ibay/share3/

The quick fix works on this test machine, but the user loses access to the share as soon as a change is applied to the ibay settings (unless the quick fix is run again afterwards).

1 Like

There is a package in nethserver-testing

yum --enablerepo=nethserver-testing update nethserver-ibays-3.0.2-1.2.g5bfb5ac.ns7.noarch

This is the proposed bugfix:

I still have problems with using shares. After installing the proposed patch, I still can’t access a share with a user that is a member of the owning group:
[root@hs001 ~]# getfacl /var/lib/nethserver/ibay/algemeen
getfacl: Removing leading ‘/’ from absolute path names
# file: var/lib/nethserver/ibay/algemeen
# owner: administrator@interlin.lan
# group: algemeen@interlin.lan
# flags: -s-
user::rwx
group::rwx
other::---

[root@hs001 ~]# smbclient //hs001/algemeen -U rob -W LOCAL
Enter rob's password: 
Domain=[INTERLIN] OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@hs001 ~]# stat /var/lib/nethserver/ibay/algemeen/
  File: ‘/var/lib/nethserver/ibay/algemeen/’
  Size: 912       	Blocks: 0          IO Block: 4096   directory
Device: 2dh/45d	Inode: 1827        Links: 1
Access: (2770/drwxrws---)  Uid: (1810800500/administrator@interlin.lan)   Gid: (1810801111/algemeen@interlin.lan)
Access: 2017-01-10 03:35:04.428707273 +0100
Modify: 2016-12-31 15:59:02.938114937 +0100
Change: 2017-01-10 15:14:45.480874817 +0100
 Birth: -

The fix works for new shared folders. For existing ones, try with “Reset permissions” action on each of them.

Shared Folders > (Actions column on each item) > Reset Permissions

Otherwise

Shared Folders > Edit item > Reset Permissions

1 Like

Change

smbclient //hs001/algemeen -U rob -W INTERLIN

It’s a login issue

The account credentials are OK because I can log in with those credentials through SSH fine:

robb@E540:~$ ssh rob@hs001.interlin.lan
rob@hs001.interlin.lan's password: 
Last login: Wed Jan  4 13:08:08 2017 from e540.interlin.lan

************ Welcome to NethServer ************

This is a NethServer installation. 

Before editing configuration files, be aware 
of the automatic events and templates system.


          http://docs.nethserver.org

***********************************************
[rob@interlin.lan@hs001 ~]$

When connecting through cmdline to the share I do get an smb:/> prompt:
[root@hs001 ~]# smbclient //hs001/algemeen -U rob -W INTERLIN
Enter rob's password: 
Domain=[INTERLIN] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \>

But the account seems to have no rights on the share, because when I try to do an ls I get:
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>

This should not be the case, since the account is a member of the owning group of the share. So it looks like it is not a login issue, it’s a permissions issue. And this was the problem in the first place…

Let’s verify it

id rob@interlin.lan
id rob

[root@hs001 ~]# id rob@interlin.lan
uid=1810801105(rob@interlin.lan) gid=1810800513(domain users@interlin.lan) groups=1810800513(domain users@interlin.lan),1810800512(domain admins@interlin.lan),1810801117(test@interlin.lan),1810801111(algemeen@interlin.lan),1810801112(muziek@interlin.lan),1810801113(films@interlin.lan),1810801116(fotos@interlin.lan),1810801114(renm@interlin.lan),1810800572(denied rodc password replication group@interlin.lan)

[root@hs001 ~]# id rob
uid=1810801105(rob@interlin.lan) gid=1810800513(domain users@interlin.lan) groups=1810800513(domain users@interlin.lan),1810800512(domain admins@interlin.lan),1810801117(test@interlin.lan),1810801111(algemeen@interlin.lan),1810801112(muziek@interlin.lan),1810801113(films@interlin.lan),1810801116(fotos@interlin.lan),1810801114(renm@interlin.lan),1810800572(denied rodc password replication group@interlin.lan)

OK, it’s a permissions issue, at least the error message says that. But I think it’s not the same issue reported by dnutan.

Can you reproduce it in an isolated environment or direct me with some steps?

I installed 7RC3, did all updates, installed Samba4 DC, configured Samba4 DC. Then installed the Fileserver module.
I created users, groups and shares. And the only way to access a share is to CHOWN the directory to a user. Then I can access the share with that user. The whole group permission is “not working”.

I have a 2nd physical server that I am installing now and will install the same modules. Before creating the shares I will apply the patch you released in testing today. I will report back if I have a different outcome.

/edit: first test worked fine: I tried to access the share through Nautilus: used credentials of a member of the owning group and I could access the share and browse the subdirectories. I don’t know what went wrong in the previous install. I still have my own server with the ‘bogus’ permissions. Is it worth it to keep troubleshooting this or shall I reinstall that one too?

1 Like

It works better with the testing package. Tested assigning ACL to a user, to a group of users, and to a group of users and (sub)groups …but there seem to be some corner cases when comparing these actions:

  • Allowing write permissions to owning group + read-only ACL to a user of that group = user cannot write
  • Allowing write permissions to owning group (Domain Users) + read-only ACL to a domain user = user cannot write
  • Allowing write permissions to owning group (Domain Users) + read-only ACL to a group which holds a domain user as a member = user can write

Other notes (just for the record):

  • ACL entries without assignments are removed from the list.
  • Subdirectories retain previous permissions (unless reset permissions button is used).
1 Like

We should compare them with POSIX ACL semantics. What you report seems compatible with these rules:

  • user ACL overrides group ones
  • owner group overrides ACL group entry

What you report here is the expected behavior. Do you see any possible enhancement?

1 Like
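The POSIX ACL evaluation order discussed above, as an added example that is not part of the original thread or NethServer's code: a small Python model of the access check described in acl(5), run over constructed entries for the "read-only ACL to a user" and "read-only ACL to a group" cases. The group name `readers`, the functions `parse_acl`, `may_access` and `demo`, and the sample ACL text are assumptions made for illustration.

```python
def parse_acl(text):
    """Parse getfacl-style lines into {(tag, qualifier): set of perm letters}."""
    acl = {}
    for line in text.strip().splitlines():
        tag, qualifier, perms = line.strip().split(":")
        acl[(tag, qualifier)] = set(perms) - {"-"}
    return acl

def may_access(acl, owner, owning_group, user, groups, wanted):
    """Follow the acl(5) check order; True if every perm in `wanted` is granted."""
    wanted = set(wanted)
    mask = acl.get(("mask", ""), set("rwx"))  # no mask entry: nothing filtered
    if user == owner:                          # 1. owner entry, mask not applied
        return wanted <= acl[("user", "")]
    if ("user", user) in acl:                  # 2. named user entry decides alone
        return wanted <= (acl[("user", user)] & mask)
    # 3. group class: owning group and named groups are evaluated together,
    #    and one matching entry that grants the request is enough
    matching = [perms for (tag, q), perms in acl.items()
                if tag == "group" and (q or owning_group) in groups]
    if matching:
        return any(wanted <= (perms & mask) for perms in matching)
    return wanted <= acl[("other", "")]        # 4. everyone else

# Constructed getfacl-style entries (not captured from the servers in the thread).
USER_ENTRY = """
user::rwx
user:rob:r-x
group::rwx
mask::rwx
other::---
"""
GROUP_ENTRY = """
user::rwx
group::rwx
group:readers:r-x
mask::rwx
other::---
"""

def demo():
    """Write access for rob: read-only user entry vs. read-only group entry."""
    who = dict(owner="administrator", owning_group="domain users", user="rob")
    by_user = may_access(parse_acl(USER_ENTRY), groups={"domain users"},
                         wanted="w", **who)
    by_group = may_access(parse_acl(GROUP_ENTRY),
                          groups={"domain users", "readers"}, wanted="w", **who)
    return by_user, by_group

if __name__ == "__main__":
    print(demo())
```
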

Thanks, I didn’t know.

About the other notes (just a reminder) I think it’s ok.

If possible, reinstall. Bugs must be reproducible, otherwise they can’t be fixed, or are not bugs at all :wink:

1 Like

Me too :laughing:

I was guessing…

1 Like

The issue is solved, but I still have some concerns about the use of ACLs.

Basically ACLs should be used only to handle very special cases, but I see that many Windows system administrators are used to always setting the ACL on shared folders.

I was wondering: should we add a clarification inside the administrator manual with a usage scenario?

( Relevant page: http://docs.nethserver.org/en/v7rc/shared_folder.html )

1 Like


This worked for me

Was fixed here