Samba file permissions problem

From ImageWeb


Samba files created without owner read access

Background

We are trying to create a file system that can be accessed for read and write via CIFS and HTTP using the same user credentials.

We are using Ubuntu Linux with an Apache server with WebDAV to handle HTTP access, Samba to handle CIFS access, and the underlying local file system is EXT3 with ACLs used to configure the file access permissions. (We also use LDAP for authentication and authorization data.)

The problem we are seeing is that in some circumstances, files created via Samba are given access permissions that deny read access to the file owner.

Test environment setup

The server is Ubuntu 9.10 with the following packages installed: apache2, samba, slapd, ldap-utils, smbldap-tools, lvm2, acl, and others.

Samba version is 3.4.0 (installed via apt-get from Ubuntu standard repositories)

The target system is a fairly basic system created using the vmbuilder tool.

On the target server system we created a group called 'RGMember'; user 'TestUser1' is a member of this group.

We created a directory for the test group members to share, so that they can work on the same files:

 mkdir -p /home/data/common

We changed the ownership of the shared directory to www-data:

 chown www-data:www-data /home/data/common

We gave all the test group members read/write permission in this area, both through the file system mode bits and through the ACLs (the last command copies the directory's access ACL into its default ACL, so new files inherit it):

 chmod --recursive u=rwx,g=rws,o= /home/data/common/
 setfacl --recursive -m g:RGMember:rwx /home/data/common
 setfacl --recursive -m u:www-data:rwx /home/data/common
 getfacl --access /home/data/common | setfacl --recursive -d -M- /home/data/common

More details from individual configuration files are given later.

Test procedure

Direct local file system access

Log on as TestUser1 through ssh.

Create a file in the 'common' directory:

TestUser1@zoo-admiral-ibrg:/home/data/common$ echo "Test file" > Temp1.txt
TestUser1@zoo-admiral-ibrg:/home/data/common$ ls -al
total 16
drwxrws---+ 2 www-data  www-data 4096 2011-03-01 11:42 .
drwxrwsr-x  6 www-data  RGMember 4096 2011-02-28 14:31 ..
-rw-rw----+ 1 TestUser1 www-data   10 2011-03-01 11:42 Temp1.txt
TestUser1@zoo-admiral-ibrg:/home/data/common$ getfacl Temp1.txt 
# file: Temp1.txt
# owner: TestUser1
# group: www-data
user::rw-
user:www-data:rwx		#effective:rw-
group::rw-
group:RGMember:rwx		#effective:rw-
mask::rw-
other::---

The permissions and ACLs here are as expected.

Remote HTTPS/WebDAV access

Creating a file via HTTPS/WebDAV works as expected: any group member of the group 'RGMember' is able to read/write in the common area.

Remote CIFS access

Mount the file system from another machine over CIFS, authenticating with a username and password:

 mount.cifs //zoo-admiral-ibrg.zoo.ox.ac.uk/data/common/ mountpoint -o rw,user=TestUser1,password=****,nounix,forcedirectio

Copy a file into the 'common' directory on the mounted CIFS file system:

 cp Test2.txt ./mountadmiral/test2.txt

On the target server, we see the new file gets created as shown:

TestUser1@zoo-admiral-ibrg:/home/data/common$ ls -al
total 20
drwxrws---+ 2 www-data  www-data 4096 2011-03-01 11:51 .
drwxrwsr-x  6 www-data  RGMember 4096 2011-02-28 14:31 ..
-rw-rw----+ 1 TestUser1 www-data   10 2011-03-01 11:42 Temp1.txt
--wxrwx---+ 1 TestUser1 www-data   10 2011-03-01 11:51 test2.txt
TestUser1@zoo-admiral-ibrg:/home/data/common$ getfacl test2.txt 
# file: test2.txt
# owner: TestUser1
# group: www-data
user::-wx
user:www-data:rwx
group::rw-
group:RGMember:rwx
mask::rwx
other::---

The file is not created as expected: the owner has no read permission, so a read by the file's owner (TestUser1) fails.

Problem summary

Under the circumstances described above, files created via Samba are not accessible by the creator. This does not happen in every situation. For example, files created in other directories via Samba get created with correct permissions. We have tried changing the ownership and ACLs on the /home/data/common directory to match those on directories that work OK, but the problem persists.

Related issues were discussed under the following links, and many more, but we have not been able to isolate a solution to our problem:-

So we are left wondering whether anyone else has seen similar problems, and whether there is a fix. We are aware that we are using a slightly older release of Ubuntu, but we have so far been unable to upgrade to a later version because another package upon which we depend (vmbuilder) was broken.

System and configuration details

System: Ubuntu Linux 9.10
Apache: 2.2.12
Samba: 3.4.0

PAM common-auth configuration file (excerpt)

/etc/pam.d/common-auth:

auth    [success=2 default=ignore]      pam_ldap.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_unix.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Excerpts from smb.conf

Authentication:

####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
#   security = user
  security = ads
  realm = OX.AC.UK
  kerberos method = dedicated keytab
  dedicated keytab file = /etc/krb5.keytab
# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
  encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
  passdb backend = ldapsam:ldap://localhost:389
  ldap suffix = dc=zoo-admiral-ibrg,dc=zoo,dc=ox,dc=ac,dc=uk
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap machine suffix = ou=Hosts
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=admin,dc=zoo-admiral-ibrg,dc=zoo,dc=ox,dc=ac,dc=uk
  ldap ssl = no
  ldap passwd sync = yes
  obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
  unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
  pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped 
# to anonymous connections
  map to guest = bad user

(Note: the "security = ads" and kerberos statements were left over from some earlier failed experiments. We tried reverting to "security = user" and removing the Kerberos lines, but the problem persists.)

Share:

###### Share /home/data as //zoo-admiral-ibrg.zoo.ox.ac.uk/data ######
[data]
  comment = File server area
  browseable = yes
  read only = no
  path = /home/data
  unix extensions = no
  create mask = 0700
  force create mode = 0700
  directory mask = 0700
  force directory mode = 0700
  valid users = @RGMember
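Two pieces of arithmetic are easy to misread in the output above: the `#effective:` column that getfacl prints (a named user, named group or owning-group entry is intersected with the `mask::` entry), and the mode Samba assigns to a newly created file under the `[data]` share settings (per smb.conf(5), the mode requested by the client is ANDed with `create mask` and then ORed with `force create mode`). The following shell script is an added example, not code from the original page or from the Samba project; it implements both calculations and adds a find(1)-based check and repair for the symptom reported above, regular files whose owner lacks the read bit. The script name acl-check.sh and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): POSIX ACL / Samba mode
# arithmetic plus a checker for files whose owner cannot read them.

# Convert a symbolic rwx triple such as "rw-" to its octal digit (6).
perm_bits() {
    bits=0
    case "$1" in r??) bits=$((bits + 4)) ;; esac
    case "$1" in ?w?) bits=$((bits + 2)) ;; esac
    case "$1" in ??x) bits=$((bits + 1)) ;; esac
    printf '%d' "$bits"
}

# Convert an octal digit (0-7) back to a symbolic rwx triple.
bits_perm() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# Effective rights of a masked ACL entry (user:NAME, group::, group:NAME):
# the entry's permissions ANDed with the mask entry. user:: and other::
# are never masked.  acl_effective rwx rw-  ->  rw-
acl_effective() {
    bits_perm $(( $(perm_bits "$1") & $(perm_bits "$2") ))
}

# Mode Samba gives a new file, as documented in smb.conf(5):
# (requested_mode AND "create mask") OR "force create mode".
# Arguments are octal; a leading 0 is prepended so "700" and "0700" agree.
samba_create_mode() {
    printf '%04o' $(( (0$1 & 0$2) | 0$3 ))
}

# List regular files under a directory whose owner lacks the read bit,
# i.e. the state test2.txt was found in above. POSIX find(1) only.
files_without_owner_read() {
    find "$1" -type f ! -perm -u=r
}

# Repair: give the owner read access back on exactly those files.
restore_owner_read() {
    find "$1" -type f ! -perm -u=r -exec chmod u+r {} +
}

# Usage (assumed script name): sh acl-check.sh /home/data/common
if [ $# -gt 0 ]; then
    printf 'create mask 0700, force create mode 0700, client asks 0644 -> %s\n' \
        "$(samba_create_mode 0644 0700 0700)"
    printf 'files under %s that their owner cannot read:\n' "$1"
    files_without_owner_read "$1"
fi
```

With the share settings above, `samba_create_mode 0644 0700 0700` gives 0700, so the create-time mask and force settings alone always leave the owner with rwx; a file that ends up as --wxrwx--- has had its owner read bit removed by some later step, which narrows where to look. Note also that when a file carries an ACL, `ls -l` shows the ACL mask in the group position, which is why the group bits of test2.txt read rwx despite `create mask = 0700`.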


/etc/fstab excerpt

/dev/vg-admiral-data/lv-admiral-data            /mnt/lv-admiral-data    ext3    defaults,acl    0       0

Excerpt of output from mount command on target server showing file system options:

root@zoo-admiral-ibrg:/home/data/common# mount
  :
/dev/mapper/vg--admiral--data-lv--admiral--data on /mnt/lv-admiral-data type ext3 (rw,acl)

Note that /home/data is symlinked:

root@zoo-admiral-ibrg:/home/data/common# ls -al /home/data
lrwxrwxrwx 1 root root 26 2011-01-25 12:38 /home/data -> /mnt/lv-admiral-data/data/

Excerpt from samba log file

[2011/03/01 12:07:31,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/03/01 12:07:33,  2] lib/smbldap.c:856(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: TestUser1
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [TestUser1] -> [TestUser1] -> [TestUser1] succeeded
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:571(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: TestUser1
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 600
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  0] param/loadparm.c:9783(widelinks_warning)
  Share 'data' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 600
[2011/03/01 12:07:33,  2] passdb/pdb_ldap.c:2335(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 601
[2011/03/01 12:07:33,  1] smbd/service.c:1062(make_connection_snum)
  129.67.26.171 (129.67.26.171) connect to service data initially as user TestUser1 (uid=1030, gid=601) (pid 10592)
[2011/03/01 12:07:38,  2] smbd/open.c:580(open_file)
  TestUser1 opened file common/test11.txt read=No write=Yes (numopen=1)
[2011/03/01 12:07:38,  2] smbd/close.c:612(close_normal_file)
  TestUser1 closed file common/test11.txt (numopen=0) NT_STATUS_OK