Bug 11980 - samba incorrectly denying permission
Summary: samba incorrectly denying permission
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.2.13
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-19 09:34 UTC by Arkadiusz Miskiewicz
Modified: 2020-12-19 16:38 UTC (History)
1 user (show)

See Also:

Attachments
smbd log (60.99 KB, text/plain)
2016-06-20 19:36 UTC, Arkadiusz Miskiewicz 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arkadiusz Miskiewicz 2016-06-19 09:34:30 UTC 
There is samba server with 4.2.13 sharing one directory:
/mnt/storage-sdd-noraid/public

drwxr-xr-x 8 arekm users 143 06-19 11:10 /mnt/storage-sdd-noraid/public

samba config is simple:

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   hosts allow = 192.168. 127.
   load printers = no
   log file = /var/log/samba/log
   max log size = 50
   security = user
   map to guest = Bad Password
   socket options = TCP_NODELAY 
   domain master = yes 
   preferred master = yes
   wins support = yes
   dns proxy = no
   use sendfile = yes
   unix extensions = yes
   delete readonly = yes
   ea support = yes
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes
[storage-sdd-noraid]
        comment = storage sdd noraid
        path = /mnt/storage-sdd-noraid/public
        public = yes
        writable = yes
        force user = arekm



There is a linux client (xps) mounting the share, from /proc/mounts:

//192.168.1.1/storage-sdd-noraid on /mnt/storage-sdd-noraid type cifs (rw,relatime,vers=1.0,cache=strict,username=root,domain=ABC,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.1.1,unix,posixpaths,serverino,mapposix,acl,fsc,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1

and on client this directory looks like:

drwxr-xr-x+ 8 arekm users 0 06-19 11:10 .



[arekm@xps storage-sdd-noraid]$ ls -l x
-rw-r--r--+ 1 arekm users 0 Jun 19 11:10 x
[arekm@xps storage-sdd-noraid]$ rm x
rm: cannot remove 'x': Permission denied

so can't delete file from mounted share

[arekm@xps storage-sdd-noraid]$ ls -ld .
drwxr-xr-x+ 8 arekm users 0 Jun 19 11:10 .
[arekm@xps storage-sdd-noraid]$ chmod g+w .
[arekm@xps storage-sdd-noraid]$ rm x

but if I change permission for group to be writable deleting
works fine, touching also works fine

[arekm@xps storage-sdd-noraid]$ touch x
[arekm@xps storage-sdd-noraid]$ chmod g-w .
[arekm@xps storage-sdd-noraid]$ rm x
rm: cannot remove 'x': Permission denied
[arekm@xps storage-sdd-noraid]$ touch y
touch: cannot touch 'y': Permission denied
[arekm@xps storage-sdd-noraid]$


Now that successful touched x file on server side looks like:
-rw-r--r-- 1 arekm users 0 06-19 11:26 /mnt/storage-sdd-noraid/public/x
so "force user = arekm" worked...

Now why samba needs g+w on /mnt/storage-sdd-noraid/public? Makes no sense.
"force user = arekm" should make u+rwX enough for file deletion/creation.


I also straced smbd process when doing "rm x" on the client. smbd doesn't even try to do unlink(). It probably decided earlier that I have no permission... but it makes little sense to me.

setresgid(-1, 1000, -1)                 = 0
getegid()                               = 1000
setresuid(1000, 1000, -1)               = 0
geteuid()                               = 1000
lstat("x", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
getcwd("/mnt/storage-sdd-noraid/public", 4096) = 31
lstat("/mnt/storage-sdd-noraid/public/x", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat("x", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
getxattr("x", "system.posix_acl_access", 0x7fff35a8ecf0, 132) = -1 ENODATA (No data available)
stat("x", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
fcntl(26, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=388, l_len=1}) = 0
fcntl(26, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=388, l_len=1}) = 0
lstat("/var/run/samba/winbindd", 0x7fff35a8b590) = -1 ENOENT (No such file or directory)
geteuid()                               = 1000
getegid()                               = 1000
getgroups(0, NULL)                      = 14


(note: user arekm on server and on the client - both have uid/gid == 1000/1000)
Comment 1 Christian Ambach 2016-06-20 19:13:18 UTC 
Can you please run smbd with log level 10 and attach the logs of a failed attempt?
Thanks
Comment 2 Arkadiusz Miskiewicz 2016-06-20 19:36:41 UTC 
Created attachment 12190 [details]
smbd log

Looks like interesting data is in this log. It's "touch zupa" in /mnt/storage-sdd-noraid mounted using linux cifs client.

  check_parent_access: access check on directory . for path zupa for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED

but why?

[arekm@serarm ~]$ ls -ld /mnt/storage-sdd-noraid/public/
drwxr-xr-x 8 arekm users 131 06-20 21:17 /mnt/storage-sdd-noraid/public/
[arekm@serarm ~]$ LC_ALL=C getfacl /mnt/storage-sdd-noraid/public/
getfacl: Removing leading '/' from absolute path names
# file: mnt/storage-sdd-noraid/public/
# owner: arekm
# group: users
user::rwx
group::r-x
other::r-x
Comment 3 Christian Ambach 2016-06-28 20:52:23 UTC 
There is a wrong conversion happening of the uid 1000 in the posix acl.
It should be translated to S-1-22-1-1000, but is translated to S-1-5-21-4285455791-229362118-3877793692-1000. As a result, the access checks fail.
Are you running winbindd? Did you run winbindd in the past?
Looks like you still have a mapping around in the caches from a previous, different setup. Those are valid for 7 days.
Clearing the cache should fix it.
Try net cache flush and recyling the client's connection.
Comment 4 Arkadiusz Miskiewicz 2016-06-29 06:34:38 UTC 
winbind in my Linux distribution is in separate subpackage that I don't have installed (and didn't have in last weeks).

No winbind.tdb, too:

# pwd
/var/lib/samba
# LC_ALL=C ls -al
total 6876
drwxr-xr-x  4 root root    4096 Jun 29 08:28 .
drwxr-xr-x 44 root root    4096 May 15 18:56 ..
-rw-------  1 root root  421888 Jun 19 00:28 account_policy.tdb
-rw-r--r--  1 root root   40200 Jun 20 21:22 brlock.tdb
-rw-r--r--  1 root root     383 Jan 18  2014 browse.dat
-rw-------  1 root root     696 Jun 20 21:22 dbwrap_watchers.tdb
-rw-r--r--  1 root root   20480 Jun 29 08:28 gencache_notrans.tdb
-rw-------  1 root root   77824 Oct  5  2011 group_mapping.ldb.replaced
-rw-------  1 root root     696 Jun 19 00:28 group_mapping.tdb
-rw-r--r--  1 root root     696 Jun 20 21:22 leases.tdb
-rw-r--r--  1 root root 5361664 Jun 29 08:27 locking.tdb
-rw-r--r--  1 root root    7090 Apr 22  2013 namelist.debug
-rw-r--r--  1 root root     696 Jun 20 21:22 notify.tdb
-rw-r--r--  1 root root     696 Jun 20 21:22 notify_index.tdb
drwxr-xr-x  2 root root       6 Oct  5  2011 perfmon
-rw-r--r--  1 root root   12288 Jun 29 08:19 printer_list.tdb
drwxr-xr-x  2 root root      26 Jun 18 14:37 printing
-rw-------  1 root root  528384 Jun 19 00:28 registry.tdb
-rw-r--r--  1 root root    8192 Jun 29 08:28 serverid.tdb
-rw-------  1 root root  421888 Jun 19 00:28 share_info.tdb
-rw-------  1 root root   28672 Jun 29 08:27 smbXsrv_open_global.tdb
-rw-------  1 root root   32768 Jun 28 21:13 smbXsrv_session_global.tdb
-rw-------  1 root root   16384 Jun 28 21:13 smbXsrv_tcon_global.tdb
-rw-------  1 root root   16384 Jun 20 21:22 smbXsrv_version_global.tdb
-rw-r--r--  1 root root     311 Jun 29 08:28 wins.dat
-rw-------  1 root root    8192 Jun 29 08:20 wins.tdb


Is anything else creating these mappings?

(anyway I think that recently deleting started to work again, so likely cache expired... will try more when I get back home)
Comment 5 Björn Jacke 2020-12-19 16:38:53 UTC 
not a bug, this is a configuration issue, wrong id mapping, please consult the mailing list for configuration help