|
Basic Samba+ACL set-up doesn't work
Hello!
I'm running samba 3.2.3 on my Ubuntu 8.10 server installation. I'm trying to use ACL in order to get extended user permission administration, but cannot make it work. My samba shares are on a ext3 partition, and i have enabled ACL in fstab. setting and getting ACL permissions on my files directly works like a charm. But when my users try to access files via samba they cannot access their files even though ACL permissions on the files are set to give them full access. first of all how can I check wheter ACL is indeed enabled in my samba installation? "smbd -b | grep -i acl" yields: HAVE_SYS_ACL_H HAVE_ACL_LIBACL_H HAVE_POSIX_ACLS pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rp c_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin vfs_default vfs_posixacl Is that ok? My server is nowhere near a domain in any way. I've tried any combinations of the following settings on my shares without success: nt acl support = yes inherit acls = yes acl map full control = yes Am I missing some additional settings to enable ACL on my shares? Normal samba access works fine...e.g. by specifying "valid users = xxx,yyy" in my samba config. But I expect that this setting is not required if i wish to simply make samba obey ACL permissions? Regards //Klaus |
Please post the definition for the share. Also post the permissions used to create the directory you are sharing.
Is this a share that more than one user can access? If so you want to use the permissions created with "chmod a=rwxt <directory>". If users can't access their own files either they aren't authenticated and the ownership of the file is "guest" in windows and "nobody" in linux, or permissions are denied because "others" don't have rwx access. The "t" bit is the sticky bit which prevents one user from deleting another user's file. Deleting a file modifies the directory & not the file itself, which is why the sticky bit on directories is used to protect the files in the directory. |
he permissions on the shared folder are:
khj@NAS:/shares$ getfacl pictures/ # file: pictures/ # owner: khj # group: sambashare user::rwx user:rmj:rwx group::rwx mask::rwx other::--- default:user::rwx default:user:rmj:rwx default:group::rwx default:mask::rwx default:other::--- the share is configured the following way in smd.conf [pictures] path = /shares/pictures comment = pictures read only = no valid users = rmj,khj create mask = 0660 directory mask = 0770 force create mode = 0660 force directory mode = 0770 nt acl support = yes inherit acls = yes acl map full control = yes The user rmj can see and access the share itself. I have a test file inside the share (the test user rmj, is not a member of the group to which the test file belongs). If i configure the test file with u:rmj:rwx and read only = yes in smb.conf the rmj user cannot alter the file. If i remove the ACL permissions for the user rmj but have read only = no in smb.conf the rmj user CAN alter the file. So it seems that the ACL permissions have no effect, only "read only" in smb.conf is respected by samba. regards Klaus |
I played around with setacl because I hadn't used the -d option much before.
Running "setfacl -d --set=u:testuser:rwx /logs" didn't allow testuser to write a file in /logs. I created it as a test with jschiwal.jschiwal ownership and rwxrwxr-x permissions. I found that I needed to also use: setfacl -m u:testuser:rwx /logs to give the "testuser" user permission to write to the directory. In other words, the default acl will tack on permissions to files created in the directory, but you need to explicitly use "setfacl -m u:<user>:<permissions>" on the directory to allow write permissions to another user. One other thing. Make sure that the second user has read/execute access to the /share/ directory to be able to access the /share/pictures/ directory. You may want to create the /share/ directory with the same permissions as any system directory, e.g. root.root ownership with rwxrwxr-x permissions. --- You might want to consider using either a=rwxt permissions on the /share/pictures directory and use samba controls to control who can write to the directory. Then each user can determine whether another user can write to a file. Another thing to consider is using ug=rwx permissions, and "setfacl --set=u:rmj:rwx /share/pictures" so that each of the two users has access to the directory. Setting rmj as the default user will mean any file created by khj will have rmj's permissions added on but not vice-versa. In my example, if a created a file as user jschiwal, testuser would have facl permissions added. If testuser creates the file, only testuser has permissions on the file. The owner of the directory only has delete permissions on the file (editing in a read/delete/write cycle may seem like write permissions but aren't). |
Thank you for the response.
I have had some of the same considerations as you mention. Quote:
Quote:
Quote:
Quote:
So on a system level i think i know how acl permissions work, I simply cannot make samba "obey" these acl permissions. regards Klaus |
I've been digging a little deeper.
My set-up is: share directory /shares/pictures test file /shares/pictures/myfile "nt acl support = yes" on the share for /shares/pictures If I grant a user acl permissions directly on the file it has no impact what so ever. But if I grant the user acl permissions to the /shares/pictures directory i can control access....also for the file Examples u:xxx:rwx on /shares/pictures mean that the user can read and change the file /shares/pictures/myfile disregarding the permissions on myfile u:xxx:r-x on /shares/pictures mean that the user can read but not change the file /shares/pictures/myfile disregarding the permissions on myfile u:xxx:--- on /shares/pictures mean that the user cannot access the directory Is that simply the way ACLs in samba works or is something completely wrong with me or my system. I would expect to be able to control access wiith ACL on a file level not on a share/directory level. Regards Klaus |
Quote:
As an aside, shares meant for mass storage probably should be mounted on their own partition and the "noexec", "nodev" options should be used. This only stops a little, but is standard practice. Especially if a user mistakenly (or stupidly on purpose) has the current directory in their path. Another evil user could in this case create an evil "ls" or "cd" wrapper which good user might run while in the directory. --- Could you post the permissions from "ls -l" and getfacl. At first the directory was owned by khj, and now by root. I'd like to get the correct current infomation. Also the permissions of the /shares directory. If shares is root.root & rwxrwx---, then a user may not get access to files inside /shares/pictures/ regardless of the permissions of the files. --- Try to verify that each user, kjh & rmj can access files as you want on the server directly before looking at Samba. --- If you post back, for convenience, please post results inside code blocks to make them more readable, and disable smilies. Thanks. |
ahhhhh...noob alert!
I finally solved it. Your comment below triggered me to start from scratch: Quote:
The thing that I had missed is that rwx permissions on the dir gives the user permissions to rename files they do not own or have permissions for. Whenever I tested various file permissions i tested it by renaming the test file, which every time went ok because the test user had rwx permissions on the directory. What i did not try was simply reading/executing the file. So everything is OK after all. I guess I just have to read up on some of the basic linux file permission stuff. Thank you jschiwal for keeping the good advice coming. Regards Klaus |
| All times are GMT -5. The time now is 05:03 PM. |