- 05-01-2011 #1Just Joined!
- Join Date
- May 2011
- Location
- Denmark
- Posts
- 7
Strange Samba write access problem
Hi Linux Forum users.
I've been using the forums on/off for quite some time, but I never registered as a user. I guess my problems were so trivial that it was always possible to find helpful replies to other users experiencing the same problems I've had. That is unfortunately not the case this time. I'm facing a (to me) very strange problem, and I'm hoping that some of you either know the cause of it, or can give me some input for further troubleshooting.
I have a file/media server running Ubuntu, where I installed a Samba server to allow for file sharing between the server and both Windows and Linux clients.
The setup is slightly more complex than described here, but for the sake of troubleshooting, I greatly simplified the setup to try to isolate the problem. I am now down to the following 2 shares, which still illustrate my problem.
share-jan is supposed to be a completely private share accessed only by me.
The main access restriction is set up in the Linux file system, making most of these samba settings irrelevant.
The directory in /srv/rshare is set up like this:
Code:
drwx------ 10 jan jan 4096 2011-05-01 14:36 jan

The samba configuration for this share is set up like this:
Code:
[share-jan]
comment = Jans private share
path = /srv/rshare/jan
browseable = yes
guest ok = no
read only = yes
create mask = 0755
write list = jan

share-temp is supposed to be accessible by anyone including guests. However, only a few trusted people (including myself) will be allowed to create/edit/delete files and directories. Therefore I grant full access to everyone in the file system, and attempt to perform the access restriction in Samba.
The directory in /srv/dshare is set up like this:
Code:
drwxrwxrwx 2 nobody nogroup 4096 2011-05-01 14:33 temp

The samba configuration for this share is set up like this:
Code:
[share-temp]
comment = Temp share (ingen backup)
path = /srv/dshare/temp
browseable = yes
guest ok = yes
read only = yes
create mask = 0777
directory mask = 0777
write list = jan, someone, someoneelse

Now, here is the weird part. From any Windows client, logged on as 'jan' and using normal file explorer I can view, create, edit, and delete everything in both shares. 'someone' or 'someoneelse' can do anything on share-temp, but have no access to share-jan. And anyone else can only view things in share-temp. In other words, this works exactly as expected.
However, from any Linux client running Ubuntu, logged on as 'jan' and using the Nautilus file explorer I can view, create, edit, and delete everything in share-jan. But in share-temp I can only view things. 'someone' or 'someoneelse' can only view things in share-temp, and the same goes for guests. In other words my access to share-jan seems to work as expected, but no one has write access to share-temp in spite of the 'write list' configuration.
So... if anyone can see what I cannot... or has some suggestions for what I could try, please let me know.
I did not include the full smb.conf as I didn't want to pollute this already long post any further. But if you think it may be relevant, please tell me, and I'll include that as well.
Any help is appreciated.
Regards,
Jan
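Added example (not part of the original post, and not Samba's own code): a small Python model of the two checks the post relies on, the share-level `read only` / `write list` decision and the Unix directory mode, evaluated per session identity. It assumes users are matched by name only (no `@group` entries in `write list`) and that a guest session runs as the account `nobody`; the function names are hypothetical.

```python
import configparser

# The access-relevant settings of the two shares, as posted above.
SMB_CONF = """
[share-jan]
path = /srv/rshare/jan
guest ok = no
read only = yes
write list = jan

[share-temp]
path = /srv/dshare/temp
guest ok = yes
read only = yes
write list = jan, someone, someoneelse
"""

# Owner, group and mode taken from the two `ls -l` lines in the post.
DIRS = {
    "/srv/rshare/jan": ("jan", "jan", 0o700),
    "/srv/dshare/temp": ("nobody", "nogroup", 0o777),
}

def fs_bits(path, user, groups):
    """Return the rwx triplet (0-7) the Unix mode grants this user on path."""
    owner, group, mode = DIRS[path]
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def share_access(share, user, groups=(), guest=False):
    """Return 'none', 'read' or 'write' for one session identity on one share."""
    cfg = configparser.ConfigParser()
    cfg.read_string(SMB_CONF)
    s = cfg[share]
    if guest and not s.getboolean("guest ok"):
        return "none"                      # guest sessions are refused here
    writers = [u.strip() for u in s.get("write list", "").split(",") if u.strip()]
    # smb.conf semantics: a user named in "write list" gets write access
    # whatever "read only" says. A guest session runs as the guest account,
    # so it never matches a named entry in the list.
    smb_write = (not s.getboolean("read only")) or (not guest and user in writers)
    bits = fs_bits(s["path"], user, groups)
    if not bits & 4 or not bits & 1:       # need r and x on the directory
        return "none"
    # Write needs both layers to agree: Samba allows it AND the mode has w.
    return "write" if smb_write and bits & 2 else "read"
```

The result depends on the identity the session was authenticated as, which `smbstatus` on the server reports for each connected client.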
- 05-04-2011 #2
To restrict modifying the share "share-temp" to some users, you need to use extended ACLs, not the samba "write list" capability. To use ACLs to restrict write access to the directory, you must do the following:
1) Delete the "create mask = 0777", "directory mask = 0777" and "write list = jan, someone, someoneelse" statements.
2) Change the permissions on the directory "/srv/dshare/temp" back to 755.
3) Install acl-tools (by running apt-get install acl).
4) Add the "acl" option to your filesystem in /etc/fstab.
5) Finally, run setfacl to add permissions for users jan, someone, someoneelse to modify this directory:
Code:
setfacl -Rn -m u:jan:rwx /srv/directory
setfacl -Rn -m default:u:jan:rwx /srv/directory

Then run "getfacl /srv/run" to be sure that this user has the correct permissions. And, if your user has incorrect permissions, you need to manually set the "mask" permission:
Code:
setfacl -R -m m:rwx /srv/directory
setfacl -R -m default:m:rwx /srv/directory

And, of course, read the manual pages for "setfacl" and "getfacl".
- 05-08-2011 #3Just Joined!
Thank you for your reply, Bisti. While I can see how ACL would be a solution to the problem, I still have a hard time understanding why this cannot be solved using Samba configuration on top of a directory which is not restricted by Linux file permissions.
I'd go as far as to suggest that if Samba is NOT capable of adding restrictions to the file system permissions, while making exceptions to those restrictions for certain users/groups, then it is a serious design flaw or lack of functionality in Samba.
Again, thank you for your suggestion. I will definitely try it, if it turns out that this is the best option, but I really hope that this obvious feature already exists in Samba.
- 05-08-2011 #4
You can modify share permissions with samba from Windows clients with the "cacls" command or from the GUI (right click / permissions). Here samba uses the ACL API, and does the same thing that the "setfacl" command does.
- 05-12-2011 #5Just Joined!
Right. I guess the thing I'm having a hard time understanding is that when I create the directories with full access permission on the Linux server running the Samba server, and create the access restrictions in the Samba configuration as shown above, then:
- It works perfectly from any Windows client using only the default file explorer.
- It does NOT work from my Linux clients using the (default?) Nautilus explorer.
Therefore I would assume that the problem was related to the Linux client (Nautilus explorer or something else), and not to the Samba configuration.


