Bug 14066 - Windows Client getting denied write access while logged as guest to samba share
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.9.1
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2019-08-02 14:15 UTC by Andrej Dzilský
Modified: 2021-07-29 12:58 UTC

Attachments
Log.smbd with NT_STATUS_ACCESS_DENIED (169.51 KB, text/plain)
2019-08-02 14:15 UTC, Andrej Dzilský

Description Andrej Dzilský 2019-08-02 14:15:01 UTC
Created attachment 15371
Log.smbd with NT_STATUS_ACCESS_DENIED

Hello,

Since at least RHEL 7.6, a Windows user logged into a Samba share as a guest is not able to get write access to create any file or directory, for example.

Some additional information:

[root@%TESTING_VM% samba]# testparm -s
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[data]"
Loaded services file OK.
WARNING: The 'netbios name' is too long (max. 15 chars).

Server role: ROLE_STANDALONE

# Global parameters
[global]
	map to guest = Bad User
	security = USER
	server string = Samba Server Version %v
	workgroup = MYGROUP
	idmap config * : backend = tdb


[homes]
	comment = Home Directories
	read only = No


[data]
	comment = Public share
	guest ok = Yes
	path = /data
	read only = No

[root@ci-vm-10-0-138-64 data]# ls -alRZ
.:
drwxrwxrwx. nobody nobody unconfined_u:object_r:samba_share_t:s0 .
dr-xr-xr-x. root   root   system_u:object_r:root_t:s0      ..
drwxr-xr-x. nobody nobody unconfined_u:object_r:samba_share_t:s0 testdir

./testdir:
drwxr-xr-x. nobody nobody unconfined_u:object_r:samba_share_t:s0 .
drwxrwxrwx. nobody nobody unconfined_u:object_r:samba_share_t:s0 ..


In the entry share directory called "data", with directory permissions set to 775, the guest account mapped to "nobody" is allowed to create files.

On the other hand, in the inner directory called "testdir", with permissions set to 755, the guest account is unable to create anything. If the permissions are set to 775, it works as expected.

I've tried this scenario from Windows Server 2019 and from Windows 10 using the File Explorer GUI.
Comment 1 Andrej Dzilský 2019-08-30 12:58:57 UTC
After reading https://lists.samba.org/archive/samba/2019-August/225498.html, I've tried to look at the permissions from the Windows client and nothing was set, therefore denied access is reasonable here.

Is this a bug? Or is there any way to have these permissions set automatically?
Comment 2 Björn Jacke 2021-07-29 12:58:29 UTC
This is more of a support request; we can't handle this in Bugzilla. Please consult the Samba mailing list or some other support option from https://www.samba.org/samba/support/