Hi Marvin

I just tested it like this:

- Made a domain group called staff. getent group gives:

    staff:*:21114:lynn2,steve2

- Domain users steve2 and lynn2 are members of staff

- Made a share in smb.conf:

    [shared]
    path = /home/shared
    read only = No

- Set the ACL on /home/shared:

    chown root:staff /home/shared
    chmod g+s /home/shared
    setfacl -R -m g:staff:rw,d:g:staff:rw /home/shared

    drwxrws---+ 2 root staff 4096 Mar 28 09:58 shared

  which gives:

    # file: home/shared
    # owner: root
    # group: staff
    # flags: -s-
    user::rwx
    group::rwx
    group:staff:rw-
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:staff:rw-
    default:mask::rwx
    default:other::---

- Mounted the share:

    mount -t cifs //hh1/shared /mnt -osec=krb5,multiuser

Here is a session with the 2 users:

    steve@hh1:/mnt> su steve2
    Password:
    steve2@hh1:/mnt> touch hola.txt
    steve2@hh1:/mnt> ls -l
    total 1024
    -rwxrwx---+ 1 steve2 Domain Users 0 Mar 28 10:29 hola.txt
    steve2@hh1:/mnt> getfacl hola.txt
    # file: hola.txt
    # owner: steve2
    # group: Domain\040Users
    user::rwx
    user:steve2:rwx
    group::rwx
    group:Domain\040Users:rwx
    group:staff:rw-
    mask::rwx
    other::---

    steve2@hh1:/mnt> su lynn2
    Password:
    lynn2@hh1:/mnt> echo foo > hola.txt
    lynn2@hh1:/mnt> cat hola.txt
    foo
    lynn2@hh1:/mnt> touch hola2.txt
    lynn2@hh1:/mnt> ls -l
    total 2048
    -rwxrwx---+ 1 lynn2 Domain Users 0 Mar 28 10:30 hola2.txt
    -rwxrwx---+ 1 steve2 Domain Users 4 Mar 28 10:30 hola.txt
    lynn2@hh1:/mnt>

Notes:
- I set the ACL as group rw but it appears as rwx
- the sticky bit g+s is not working for file creation on the cifs mount
- the sticky bit only works on the unmounted share

    lynn2@hh1:/home/shared> touch hola3.txt
    lynn2@hh1:/home/shared> ls -l hola3.txt
    -rw-rw----+ 1 lynn2 staff 0 Mar 28 10:36 hola3.txt
    lynn2@hh1:/home/shared> getfacl hola3.txt
    # file: hola3.txt
    # owner: lynn2
    # group: staff
    user::rw-
    group::rwx      #effective:rw-
    group:staff:rw-
    mask::rw-
    other::---

- - -

So, a bit of a mess. OK, so the group rw is working on this install but not for you. How about setting the ACL's as I have them and give it another try?

Maybe mounting as multiuser also has something to do with it?

HTH to clear the confusion a bit. It's certainly got me even more ACL'd out than ever before :(

Cheers,
Steve

On Thu 28/03/13 9:40 AM, Quintus wrote:

On Tue, 26 Mar 2013 19:38:48 +0100, steve wrote:

> > WTF? Where did the write access for the group go?
>
> Hi Marvin

Hi Steve,

> Just a thought but I found out the hard way that when there are acl's
> set, e.g. in your file called test2, the -rw-r----- bit of the
> listing bit bears little resemblance to what the actual permissions
> are. Have you actually checked to see that the file test2 really
> isn't group writeable? Maybe worth a quick test.

I just tested it with another user and no, the file is really not group-writable. But I found another really mysterious behaviour... This time I’ve connected as user "steffi" who is in the "share" group as well:

    % sudo mount //avalon/share -t cifs -o user=steffi,gid=quintus /mnt

I tried to create a file now as this user:

----------------------------------------------------
(1067) [9:28:47 quintus@hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+  2 root    quintus    0 Mar 28 09:28 .
drwxr-xr-x  20 root    root    4.0K Mar 19 17:32 ..
-rw-rw----+  1 quintus quintus    0 Mar 26 14:54 test
-rw-r-----+  1 quintus quintus    0 Mar 26 15:04 test2
(1068) [9:29:29 quintus@hades] /mnt
% touch test3
touch: cannot touch ‘test3’: Permission denied
(1069) [9:29:34 quintus@hades] /mnt
% ls -ahl
total 4.0K
drwxrws---+  2 root    quintus    0 Mar 28 09:29 .
drwxr-xr-x  20 root    root    4.0K Mar 19 17:32 ..
-rw-rw----+  1 quintus quintus    0 Mar 26 14:54 test
-rw-r-----+  1 quintus quintus    0 Mar 26 15:04 test2
-rw-r-----+  1 1002    quintus    0 Mar 28 09:29 test3
----------------------------------------------------

That is, I get a "permission denied" on the "touch" command, but the file is there nevertheless...? How is this possible at all? Even worse, I cannot write to the file I just created:

    (1070) [9:29:35 quintus@hades] /mnt
    % echo foo > test3
    zsh: permission denied: test3

And no, the file is really empty (I’ve checked it on the server via SSH).

Writing to the files owned by someone else, but still in the "share" group doesn’t work either:

    (1071) [9:31:19 quintus@hades] /mnt
    % echo foo > test2
    zsh: permission denied: test2

And again, this file really is empty. On the server, the permissions are reported like this:

----------------------------------------------------
(433) [9:33:34 quintus@avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root    share 4,0K 28. Mär 09:29 .
drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share    0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi  share    0 28. Mär 09:29 test3
(434) [9:33:41 quintus@avalon] /srv/cifs/share
% getfacl test3
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx              #effective:r--
group:share:rwx         #effective:r--
mask::r--
other::---
----------------------------------------------------

And I cannot write to the "test3" as user "quintus" on the server, but as user "steffi" it works (again, through SSH):

----------------------------------------------------
(436) [9:35:32 quintus@avalon] /srv/cifs/share
% echo foo > test3
zsh: permission denied: test3
(437) [9:36:55 quintus@avalon] /srv/cifs/share
% ls -ahl
insgesamt 8,0K
drwxrws---+ 2 root    share 4,0K 28. Mär 09:29 .
drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share    0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi  share    0 28. Mär 09:29 test3
(438) [9:36:57 quintus@avalon] /srv/cifs/share
% sudo su -s /bin/zsh - steffi
[sudo] password for quintus:
(1) [9:37:31 steffi@avalon] /
% cd /srv/cifs/share
(2) [9:37:35 steffi@avalon] /srv/cifs/share
% echo foo > test3
(3) [9:37:38 steffi@avalon] /srv/cifs/share
% ls -ahl
insgesamt 12K
drwxrws---+ 2 root    share 4,0K 28. Mär 09:29 .
drwxr-xr-x  7 root    root  4,0K 26. Mär 14:19 ..
-rw-rw----+ 1 quintus share    0 26. Mär 14:54 test
-rw-r-----+ 1 quintus share    0 26. Mär 15:04 test2
-rw-r-----+ 1 steffi  share    4 28. Mär 09:37 test3
(4) [9:37:39 steffi@avalon] /srv/cifs/share
% cat test3
foo
----------------------------------------------------

> Cheers,
> Steve

Any idea?

Vale,
Marvin

-- 
Blog: http://pegasus-alpha.eu/blog
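
An added example, not part of the original messages: the access decision for the test3 ACL shown above, worked through in the POSIX.1e order (owner, named user, group entries filtered by the mask, other). The function names parse and allowed are hypothetical, the group memberships are taken from the thread, and root or capability overrides are not modelled.

```python
# Added example: evaluate POSIX ACL access from `getfacl` text, applying the mask.
import re

# getfacl output for test3 on the server, as posted in the thread (whitespace normalised).
TEST3 = """\
# file: test3
# owner: steffi
# group: share
user::rw-
group::rwx  #effective:r--
group:share:rwx  #effective:r--
mask::r--
other::---
"""

def parse(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)."""
    owner = re.search(r"^# owner: (\S+)", text, re.M).group(1)
    group = re.search(r"^# group: (\S+)", text, re.M).group(1)
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop headers and "#effective:" notes
        if line and not line.startswith("default:"):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return owner, group, entries

def allowed(text, user, groups, want):
    """True if `user` (member of `groups`) gets permission `want` ('r', 'w' or 'x')."""
    owner, owning_group, entries = parse(text)
    perms = {(t, q): p for t, q, p in entries}
    # A minimal ACL has no mask entry, so nothing is filtered in that case.
    mask = perms.get(("mask", ""), set("rwx"))
    if user == owner:                      # owner: user:: entry, mask not applied
        return want in perms[("user", "")]
    if ("user", user) in perms:            # named user: entry AND mask
        return want in (perms[("user", user)] & mask)
    matched = [p for (t, q), p in perms.items() if t == "group"
               and (q in groups or (q == "" and owning_group in groups))]
    if matched:                            # any matching group entry, each AND mask
        return any(want in (p & mask) for p in matched)
    return want in perms[("other", "")]

if __name__ == "__main__":
    for user in ("quintus", "steffi"):
        print(user, "write:", allowed(TEST3, user, {"share"}, "w"))
```

Both group entries on test3 list rwx, but mask::r-- strips the write bit from every entry except user:: and other::, which is why only the owner steffi can write.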
