Bug 11407 - smbclient refuses access to a resource with ACL constraints
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
All All
: P5 normal
Assigned To: Samba QA Contact
Samba QA Contact
Reported: 2015-07-21 11:56 UTC by Dariusz Gadomski
Modified: 2015-08-01 09:35 UTC (History)

gvfs log (46.68 KB, text/plain)
2015-07-21 11:56 UTC, Dariusz Gadomski
smb.conf from the server (9.78 KB, text/plain)
2015-07-21 12:02 UTC, Dariusz Gadomski
server log (532.26 KB, text/plain)
2015-07-31 07:56 UTC, Dariusz Gadomski

Description Dariusz Gadomski 2015-07-21 11:56:44 UTC
Created attachment 11277 [details]
gvfs log

I am having problems with accessing 

The scenario looks like this:
1. LDAP authentication for client & server (both using Ubuntu 14.04).
2. SMB server with a share accessible to a certain ACL group or user.
3. A user (that should be allowed to access the share: is a member of the group or is an ACL user) accesses the share from a client using nautilus and smb:// URI.

Expected result:
Access is granted to the resource.

Actual result:
Permission denied for accessing the resource in question.

The gvfs version I used in this case was built with this change cherry-picked: https://git.gnome.org/browse/gvfs/commit/?id=a0aec32

To give you some context in terms of the log attached: the user account I used in this case is user128. I have created 3 resources in the share:
dir1 - accessible to all
dir2 - with u:user128:rwx ACL rule set
dir3 - with g:miners:rwx ACL rule set (user128 is in the group 'miners')

Dir1 can be accessed without any issues, accessing dir2 or dir3 ends up with 'permission denied' message.
Comment 1 Dariusz Gadomski 2015-07-21 12:02:15 UTC
Created attachment 11278 [details]
smb.conf from the server
Comment 2 Jeremy Allison 2015-07-30 16:30:20 UTC
That tells me you're getting ACCESS_DENIED, doesn't tell me why on the server. Can you get server level 10 debug logs please?
Comment 3 Dariusz Gadomski 2015-07-31 07:56:22 UTC
Created attachment 11299 [details]
server log

Adding a level 10 server log.
Comment 4 Volker Lendecke 2015-08-01 09:35:30 UTC
map to guest = bad user

together with

[2015/07/31 09:39:20.118662,  4, pid=2315, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_ldap.c:1497(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [darek] count=0

leads to your session being mapped to guest. As guest you don't have access. Please check your LDAP tree for user darek.

I'm closing this bug as invalid, this seems like a misconfigured system.
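
Added example, not part of the bug thread or of Samba: a small Python check for the combination identified in comment 4, reading an smb.conf for `map to guest = bad user` and a server log for failed `ldapsam_getsampwnam` lookups, which are candidates for a silent fallback to guest. The function names and the sample strings are assumptions built from the lines quoted above.

```python
import re

# Header line of a Samba debug entry: "[YYYY/MM/DD HH:MM:SS.usec, level, ...] file:line(func)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),")
# Message text quoted in comment 4 of this bug
MISSING = re.compile(r"ldapsam_getsampwnam: Unable to locate user \[([^\]]*)\] count=0")


def map_to_guest(smb_conf):
    """Return the 'map to guest' value from [global], lower-cased; default 'never'.

    Samba ignores case and whitespace in parameter names, so both are normalised.
    """
    section, value = None, "never"
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if "".join(key.split()).lower() == "maptoguest":
                value = " ".join(val.split()).lower()
    return value


def guest_fallbacks(smb_conf, log_text):
    """List (timestamp, user) for failed LDAP lookups when 'bad user' is configured."""
    if map_to_guest(smb_conf) != "bad user":
        return []  # only the 'bad user' case from this bug is checked
    hits, stamp = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        found = MISSING.search(line)
        if header:
            stamp = header.group(1)  # remember when the following message was logged
        elif found:
            hits.append((stamp, found.group(1)))
    return hits


# Constructed sample: the setting and the log entry quoted in comment 4
SAMPLE_CONF = "[global]\n   map to guest = bad user\n"
SAMPLE_LOG = (
    "[2015/07/31 09:39:20.118662,  4, pid=2315, effective(0, 0), real(0, 0), class=passdb] "
    "../source3/passdb/pdb_ldap.c:1497(ldapsam_getsampwnam)\n"
    "  ldapsam_getsampwnam: Unable to locate user [darek] count=0\n"
)
```

Calling `guest_fallbacks(SAMPLE_CONF, SAMPLE_LOG)` returns the timestamp and user name of each failed lookup; an empty list means either the setting is not `bad user` or no such lookup failure was logged.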