Hi there, I’ve been trying to get my head around a problem I have with Samba. I’ve set up Samba 3.6.13 on a Raspberry Pi with Arch Linux ARM on it and let it serve a couple of folders from an attached external ext4 drive mounted to /srv/cifs (of course with the "acl" option enabled).
I’ve been trying to create a share that is read-writable for all members of a particular UNIX user group (named "share"), but nobody else (with the directory being at /srv/cifs/share), i.e. it has permissions rwxrwx--- owner "root", group "share". Everything (recursively) inside the /srv/cifs/share directory should always be read-writable for anyone in the "share" group. People easily forget about setting rights themselves correctly for each file they create, hence I wanted to modify the default ACLs for the /srv/cifs/share directory to always allow members of group "share" to be able to read and write all files inside that directory. The permissions I set on the directory are as follows:

--------------------------------------------------------------
% ls -l
drwxrws---+ 2 root share 4096 26. Mär 14:24 share
% getfacl share
# file: share
# owner: root
# group: share
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:share:rwx
default:mask::rwx
default:other::---
--------------------------------------------------------------

I’ve set the setgid bit so that additionally to the permissions the group itself is correctly applied to new files as well. The default ACL entries as far as I see grant all members of group "share" read and write access, but deny it to anybody else.

My username on that system is "quintus", and I’m a member of group "share". I can easily create a new file in the /srv/cifs/share directory and it gets the permissions I expect from it:

--------------------------------------------------------------
(410) [14:54:55 quintus@avalon] /srv/cifs/share % touch test
(411) [14:54:59 quintus@avalon] /srv/cifs/share % ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root    share 4,0K 26. Mär 14:54 .
drwxr-xr-x 7 root    root  4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
(412) [14:55:01 quintus@avalon] /srv/cifs/share % getfacl test
# file: test
# owner: quintus
# group: share
user::rw-
group::rwx                      #effective:rw-
group:share:rwx                 #effective:rw-
mask::rw-
other::---
--------------------------------------------------------------

That is, the file "test" belongs to "quintus" and group "share", where the "share" group automatically has write permissions on the file.

Now I try the same via Samba. That is, on another system I mount the CIFS share to /mnt like this ("avalon" is the Raspberry Pi):

% sudo mount //avalon/share -t cifs -o user=quintus,uid=quintus /mnt

It asks for my password and then correctly mounts the directory to /mnt. As I don’t want my local "root" user being mapped to the "quintus" user on the remote machine so that I have to use "sudo" for everything, I instruct mount to give it to the "quintus" user (me) instead (yes, my username is "quintus" on both machines). This works fine. Here’s what I get when inspecting this directory from the local machine ("hades"):

--------------------------------------------------------------
(1046) [15:04:03 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+  2 quintus 1002    0 Mar 26 14:54 .
drwxr-xr-x 20 root    root 4.0K Mar 19 17:32 ..
-rw-rw----+  1 quintus 1002    0 Mar 26 14:54 test
(1047) [15:04:04 quintus@hades] /mnt % getfacl test
# file: test
# owner: quintus
# group: 1002
user::rw-
group::rwx                      #effective:rw-
group:1002:rwx                  #effective:rw-
mask::rw-
other::---
--------------------------------------------------------------

Again, as expected. I don’t have that GID on my local machine (hence it shows up as numeric), but as far as I understand Samba automatically maps this correctly when I create new files. Now I create a new file from the local machine:

--------------------------------------------------------------
(1048) [15:04:10 quintus@hades] /mnt % touch test2
(1049) [15:04:41 quintus@hades] /mnt % ls -ahl
total 4.0K
drwxrws---+  2 quintus 1002    0 Mar 26 15:04 .
drwxr-xr-x 20 root    root 4.0K Mar 19 17:32 ..
-rw-rw----+  1 quintus 1002    0 Mar 26 14:54 test
-rw-r-----+  1 quintus 1002    0 Mar 26 15:04 test2
(1050) [15:04:45 quintus@hades] /mnt % getfacl test2
# file: test2
# owner: quintus
# group: 1002
user::rw-
group::rwx                      #effective:r--
group:1002:rwx                  #effective:r--
mask::r--
other::---
--------------------------------------------------------------

WTF? Where did the write access for the group go? Why do I have this "#effective" line and how does it get calculated? And why is the "mask" parameter different from creating the file locally on the server?

To verify, I _am_ in the "share" group:

(419) [15:08:01 quintus@avalon] /srv/cifs/share % grep share /etc/group
share:x:1002:quintus

The [global] section of my /etc/samba/smb.conf looks like this (yes, I really use 10.37.0.0/16 for network addresses, but this is another story (I experimented with it to better understand networking) and I will reset this to something in the 192.168. area when I have more time):

--------------------------------------------------------------
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
server string = My CIFS Server

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
hosts allow = 10.37. 127.

# There ain’t no printers in here!
load printers = no
printcap name = /dev/null

# Set log level to INFO.
log level = 2
--------------------------------------------------------------

The share definition looks like this:

--------------------------------------------------------------
[share]
comment = Private share
path = /srv/cifs/share
public = no
writable = yes
printable = no
valid users = +share
--------------------------------------------------------------

I’ve experimented with setting a number of other settings like "inherit acls", but this didn’t change the result shown above. I’ve been struggling with this the entire past day and was near to writing a cronjob that just resets the permissions every quarter of an hour or so, but I feel this is just the wrong way to do it and I want to do this properly.

How can I achieve this automatic setting of permissions?

Valete,
Marvin

--
Blog: http://pegasus-alpha.eu/blog

ASCII-Ribbon-Kampagne ()          | ASCII Ribbon Campaign ()
- Stoppt HTML-E-Mail  /\          | - Against HTML E-Mail  /\
- Stoppt proprietäre Anhänge      | - Against proprietary attachments
www.asciiribbon.org/index-de.html | www.asciiribbon.org
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
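The two questions in the post ("how does #effective get calculated?" and "why is the mask different?") both follow from the POSIX ACL rules in acl(5): getfacl's "#effective" column is each named-user, named-group and owning-group entry ANDed with the mask entry, and when a file is created in a directory that carries a default ACL, the new file's ACL is a copy of that default ACL with the owner entry ANDed against the owner bits of the creation mode the process requested, the mask entry against the mode's group bits and the other entry against the mode's other bits (the umask is ignored in that case). The following script is an added example written for this page, not code from the post or from the Samba project; it parses the directory ACL quoted above and applies those rules for two requested modes. The local touch requests 0666, which is what the kernel sees; the 0644 used for the Samba side is an assumption chosen because it reproduces the post's test2 output (group bits r-- become the mask), and is consistent with Samba's default "create mask = 0744" for files, though the post does not confirm that setting is the cause.

```python
"""Reproduce the POSIX ACL arithmetic behind getfacl's '#effective:' column
and behind the mask of a file created under a directory's default ACL.

Rules implemented (from acl(5)):
  * the effective permissions of group::, named-user and named-group entries
    are the entry's permissions AND the mask entry;
  * a new file in a directory with a default ACL gets a copy of that default
    ACL, then: owner entry &= owner bits of the requested mode, mask entry
    (or owning-group entry if there is no mask) &= group bits of the mode,
    other entry &= other bits of the mode. The umask is not applied.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(perms):
    """'rw-' -> 6"""
    return sum(PERM_BITS[c] for c in perms if c != "-")


def int_to_perms(n):
    """6 -> 'rw-'"""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl output into (is_default, tag, qualifier, perms_int) tuples.
    '#' header lines and '#effective:' annotations are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        tag, qualifier, perms = parts
        entries.append((is_default, tag, qualifier, perms_to_int(perms)))
    return entries


def effective(entries):
    """{(tag, qualifier): effective perms} for one access ACL, applying the
    mask exactly as getfacl does for its '#effective' annotations."""
    mask = next((p for _, t, _, p in entries if t == "mask"), None)
    result = {}
    for _, tag, qual, perms in entries:
        masked = tag == "group" or (tag == "user" and qual)  # not user:: / other:: / mask::
        if mask is not None and masked:
            perms &= mask
        result[(tag, qual)] = perms
    return result


def create_under_default_acl(dir_entries, mode):
    """Access ACL of a new plain file created in a directory whose getfacl
    output parsed to dir_entries, when the creator requests `mode` (e.g. 0o666)."""
    acl = [(False, t, q, p) for d, t, q, p in dir_entries if d]  # copy the default ACL
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(t == "mask" for _, t, _, _ in acl)
    out = []
    for d, tag, qual, perms in acl:
        if tag == "user" and not qual:
            perms &= owner_bits
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            perms &= group_bits
        elif tag == "other":
            perms &= other_bits
        out.append((d, tag, qual, perms))
    return out


def describe(entries):
    """Render an access ACL as getfacl-style lines, with '#effective' where it differs."""
    eff = effective(entries)
    lines = []
    for _, tag, qual, perms in entries:
        line = f"{tag}:{qual}:{int_to_perms(perms)}"
        if eff[(tag, qual)] != perms:
            line += f"\t#effective:{int_to_perms(eff[(tag, qual)])}"
        lines.append(line)
    return lines


# Constructed from the post: the ACL on /srv/cifs/share as shown by getfacl.
SHARE_DIR_ACL = """\
# file: share
# owner: root
# group: share
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:share:rwx
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    d = parse_acl(SHARE_DIR_ACL)
    print("local touch (mode 0666 requested):")
    print("\n".join(describe(create_under_default_acl(d, 0o666))))
    print("\nfile created with mode 0644 requested (assumed for the Samba case):")
    print("\n".join(describe(create_under_default_acl(d, 0o644))))
```

The point the arithmetic makes for a defender is that a default ACL can only ever restrict a new file, never widen it beyond the mode the creating process asked for: the "default:mask::rwx" entry is the upper bound, and the group bits of the requested mode decide what actually lands in "mask::". Running the script shows the first case ending with "mask::rw-" and the second with "mask::r--" and "#effective:r--" on both group entries, which is exactly the difference between the post's "test" and "test2".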