Author Topic: Samba permissions problem (ACL problem?)  (Read 3883 times)

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Samba permissions problem (ACL problem?)
« on: March 03, 2020, 01:47:15 pm »
Hi

Suddenly - after moving some big folders from one share to another (I made it over terminal) and reseting ownership of files as usual - chown -R username . - we have now big problems with that share. Users can't overwrite files or folders - windows giving disk is full error. They can add new files and folders to this share and delete existing ones - but they can't overwrite files/folders as it gives disk is full error (but we have more than 2TB free space). I gave inside this folder 777 permissions to all files and folders - nothing. I restarted several times server - still nothing.
What I discover. I am running Zentyal 5.0.14 - and under Shares - I don't see "Apply ACLs recursively" part any more in Zentyal admin. This is completely missing.
When I am checking folder permissions under /home/samba/shares, then I see fallowing situation:
Code: [Select]
drwxrwx---+ 11 SERVER-DOMAIN\administrator adm                        4096 Feb 28 15:50 SHARE_1
drwxrwx---+  4 root                        adm                        4096 Mar  3 13:07 SHARE_WITH_PROBLEMS
drwxrwx---+ 30 SERVER-DOMAIN\administrator adm                        4096 Mar 30  2018 SHARE_3
drwxrwx---+  8 SERVER-DOMAIN\administrator adm                        4096 Mar  3 14:09 SHARE_4
this share has other owner - not SERVER_DOMAIN - but root.
When I am making new share - then also - owner is root and group adm.

So my questions:
1) Why this Apply ACLs recursively - is missing now from admin
2) How I can fix permissions inside this share - usually samba restart rewrites all ACL permissions. But not now. Why?
Any other help and tips - what to look.

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #1 on: March 03, 2020, 03:08:45 pm »
 :)

Read this https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs#Setting_ACLs and https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Samba_Extended_ACL_Support

I think that you'll find the answers that you need.

Use the "chown" command to change the owner from root to 'SERVER-DOMAIN\administrator'

Cheers!

- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #2 on: March 03, 2020, 03:41:48 pm »
But any idea - why this Apply ACLs recursively is missing from admin now? Is this normal or some bug?
I will look these wikis and try it tomorrow - there are right now some network service works - so I can't access to the server.

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #3 on: March 04, 2020, 08:04:07 am »
I can't change the owner of that directory:
chown SERVER-DOMAIN/administrator share_name/
chown: invalid user: 'SERVER_DOMAIN/administrator'

Even when I try to change it from MC - the same. There I can see the list of users - but it doesn't change.

EDIT:
I look the ACL permissions also for this problematic share - is this normal:
Code: [Select]
getfacl SHARE_WITH_PROBLEMS
# file: SHARE_WITH_PROBLEMS
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:SERVER_DOMAIN\134domain\040admins:rwx
group:SERVER_DOMAIN\134tootearendus_i:rwx
group:SERVER_DOMAIN\134tootearendus_i_piiratud:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:adm:rwx
default:group:SERVER_DOMAIN\134domain\040admins:rwx
default:group:SERVER_DOMAIN\134tootearendus_i:rwx
default:group:SERVER_DOMAIN\134tootearendus_i_piiratud:r-x
default:mask::rwx
default:other::---

More information. I looked also ACL information inside this share:
Code: [Select]
# file: Tootmine_/
# owner: SERVER_DOMAIN\134otherusername
# group: SERVER_DOMAIN\134domain\040users
# flags: ss-
user::rwx
user:root:rwx
user:SERVER_DOMAIN\134administrator:rwx
user:SERVER_DOMAIN\134username:rwx
group::rwx
group:adm:rwx
group:SERVER_DOMAIN\134domain\040admins:rwx
group:SERVER_DOMAIN\134tootearendus_i:rwx
group:SERVER_DOMAIN\134tootearendus_i_piiratud:r-x
group:SERVER_DOMAIN\134tootearendus\040mets:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:root:rwx
default:user:SERVER_DOMAIN\134administrator:rwx
default:user:SERVER_DOMAIN\134username:rwx
default:group::rwx
default:group:adm:rwx
default:group:SERVER_DOMAIN\134domain\040admins:rwx
default:group:SERVER_DOMAIN\134tootearendus_i:rwx
default:group:SERVER_DOMAIN\134tootearendus_i_piiratud:r-x
default:group:SERVER_DOMAIN\134tootearendus\040mets:rwx
default:mask::rwx
default:other::---
But here is one output from other folder - inside other share.
Code: [Select]
# file: Kataloogid/
# owner: root
# group: 1901
user::rwx
user:SERVER_DOMAIN\134administrator:rwx
group::rwx
group:adm:rwx
group:SERVER_DOMAIN\134domain\040admins:rwx
group:SERVER_DOMAIN\134tootearendus_iii:rwx
group:SERVER_DOMAIN\134tootearendus_iii_piiratud:r-x
group:SERVER_DOMAIN\134juhtkond\040company:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:SERVER_DOMAIN\134administrator:rwx
default:group::rwx
default:group:adm:rwx
default:group:SERVER_DOMAIN\134domain\040admins:rwx
default:group:SERVER_DOMAIN\134tootearendus_iii:rwx
default:group:SERVER_DOMAIN\134tootearendus_iii_piiratud:r-x
default:group:SERVER_DOMAIN\134juhtkond\040company:rwx
default:mask::rwx
default:other::---

Where we have problems - there are # flags: ss-  - what it mean? Can it be the problem?

EDIT: More information.
There is some samba ACL reset problems - as default:group:SERVER_DOMAIN\134tootearendus\040mets:rwx - this is removed from this share access list. But why it still shows it? So the samba doesn't reset ACL-s.
« Last Edit: March 04, 2020, 09:48:19 am by spott »

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #4 on: March 27, 2020, 10:47:23 am »
I still have the same problem.
Any help or hints - what to look?
Now one user can't copy or add files to any shared folder any more. Other user - can.
« Last Edit: March 27, 2020, 11:22:48 am by spott »

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #5 on: April 02, 2020, 10:43:54 am »
EDIT:
I updated to the latest Zentyal 6.1 - lets see, does it help or not.

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

dsjunges83

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #7 on: June 11, 2021, 03:16:04 am »
Hi there spott

Any advance on this?
I can confirm there is an issue with acl permissions in Zentyal.
I am facing a very similar problem here.

Everytime I want to set an acl, I need to do it twice in order to make it effective.

For example:
There is a folder called "drivers" in my samba share and only "IT" group have RW access to it.
If I want to add RW access to "developers" group through Zentyal's webgui, I need to:
1 - set my new acl
2 - save new settings (orange button)
3 - remove my new acl
4 - save new settings
5 - set my new acl AGAIN
6 - save new settings

Now it works.
I tested this in Zentyal 7 and 6.2
Even when installing it out of the box.
I believe there is a bug or something...

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #8 on: June 11, 2021, 05:06:06 am »
Hi

I get rid of that after update

dsjunges83

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #9 on: June 12, 2021, 04:48:14 am »
So are you running version 6.1 or 7.0?

spott

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: Samba permissions problem (ACL problem?)
« Reply #10 on: June 12, 2021, 05:40:41 am »
I think now 6.2 or newer - but not 7.