A few weeks back my server started having a problem where all shares are now readonly. AFAIK nothing has changed except a 'yum update' which was probably around the same time.
Everyone still has the shares on their Win7 PCs and can see the contents. However, if they try to open a file it opens read only. If they try to create a new file (e.g. right click -> New -> Text Document) it says that they don't have permission.
I am not seeing anything meaningful in the log files. Can anyone give me a clue how to fix this, or at least how to collect debug info?
SELinux has been disabled to eliminate that.
Gary
Global parameters
[global]
    netbios name = ZEPPO2
    server string = Ringways Doncaster Showroom Server
    workgroup = MOTORPARK
    os level = 33
    preferred master = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    guest account = gary
    security = USER
    username map = /etc/samba/smbusers
    wins proxy = Yes
    wins server = 10.1.1.101
    idmap config * : backend = tdb
    cups options = raw
    hosts allow = 127. 10.

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = No
    printable = Yes
    guest ok = Yes

[tmp]
    comment = Temporary work area
    path = /user/remote/tmp
    guest ok = Yes
    read only = No

[goodwill]
    comment = Good will documents
    path = /user/remote/goodwill
    force user = gary
    guest ok = Yes
    read only = No
    valid users = gary

[service]
    comment = Temporary work area
    path = /user/remote/service
    force user = gary
    read only = No
    valid users = gary
    write list = gary

[sales_doc]
    comment = Sales D.O.C. spreadsheets
    path = /user/remote/sales_doc
    force user = gary
    guest ok = Yes
    read only = No
    valid users = gary
[root@zeppo ~]# smbstatus

Samba version 4.4.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
2552    gary         gary         10.6.103.236 (ipv4:10.6.103.236:50445)    SMB2_10           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
tmp          2552    10.6.103.236  Thu May 4 14:05:23 2017 BST      -            -

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath          Name   Time
--------------------------------------------------------------------------------------------------
2552         1000       DENY_ALL   0x100080    RDONLY     NONE             /user/remote/tmp   .      Thu May 4 14:05:23 2017
2552         1000       DENY_NONE  0x100081    RDONLY     NONE             /user/remote/tmp   .      Thu May 4 14:05:39 2017

[root@zeppo ~]# ls -ld / /user /user/remote/ /user/remote/tmp/ /user/remote/service/
dr-xr-xr-x. 18 root root 4096 May 4 13:59 /
drwxr-xr-x. 4 root root 34 Nov 7 2013 /user
drwxr-xr-x. 22 gary gary 4096 Jun 2 2016 /user/remote/
drwxr-xr-x. 6 gary gary 4096 Apr 19 08:32 /user/remote/service/
drwxr-xr-x. 8 gary gary 4096 Feb 23 17:26 /user/remote/tmp/
[root@zeppo ~]#
Gary Stainburn wrote:
A few weeks back my server started having a problem where all shares are now readonly. AFAIK nothing has changed except a 'yum update' which was probably around the same time.
Everyone still has the shares on their Win7 PCs and can see the contents. However, if they try to open a file it opens read only. If they try to create a new file (e.g. right click -> New -> Text Document) it says that they don't have permission.
I am not seeing anything meaningful in the log files. Can anyone give me a clue how to fix this, or at least how to collect debug info?
SELinux has been disabled to eliminate that.
<snip>
Dumb question #1: on the server, can you touch /samba/path/this? That is, can *you* create a file in one of those directories? If not... why is your filesystem read-only?
mark.
On Thursday 04 May 2017 14:59:17 m.roth@5-cent.us wrote:
Dumb question #1: on the server, can you touch /samba/path/this? That is, can *you* create a file in one of those directories? If not... why is your filesystem read-only?
mark.
No such thing as a dumb question. As the unix user gary I can successfully cd to the target directory and I can add/amend/delete files. The user gary and the smbuser gary are the same.
Pretty sure smb gets "control" of a directory via the group. For my setup, each directory defined by a path in smb.conf has group smbusers, and has rwx permissions. This is applied just to that directory, it is not applied recursively. The files and folders in that directory have the actual remote user's ownership and permissions.
What is applied recursively is the selinux label. I find it's better to have a dedicated filesystem volume so you can use the mount option context="system_u:object_r:samba_share_t:s0" and that will apply that context to the whole file system. If a file system volume is being shared, then you'll need to use chcon -R "system_u:object_r:samba_share_t:s0" <path> to apply that context to everything. New files and directories will inherit this context (so long as it's a copy and not a move; so if you move things behind the scenes outside of samba, you can run into label problems since inheritance doesn't apply to moving).
Chris Murphy
On Thursday 04 May 2017 17:54:57 Chris Murphy wrote:
Pretty sure smb gets "control" of a directory via the group. For my setup, each directory defined by a path in smb.conf has group smbusers, and has rwx permissions. This is applied just to that directory, it is not applied recursively. The files and folders in that directory have the actual remote user's ownership and permissions.
What is applied recursively is the selinux label. I find it's better to have a dedicated filesystem volume so you can use the mount option context="system_u:object_r:samba_share_t:s0" and that will apply that context to the whole file system. If a file system volume is being shared, then you'll need to use chcon -R "system_u:object_r:samba_share_t:s0" <path> to apply that context to everything. New files and directories will inherit this context (so long as it's a copy and not a move; so if you move things behind the scenes outside of samba, you can run into label problems since inheritance doesn't apply to moving).
Chris Murphy
I have run the following commands for each share, to ensure that group permissions are:
find . -type d -exec chmod 770 {} \;
find . -type f -exec chmod 660 {} \;
I can now create and delete files and folders using windows explorer. I can also create a new blank spreadsheet in Excel and save it to the share. However, when I then open that file in Excel again it comes up as Read Only.
Again, I can delete the spreadsheet using Windows Explorer
What I don't understand, apart from why the system is behaving like this, is what has changed that stopped it from working in the first place.
On 8/5/17 at 13:32, Gary Stainburn wrote:
I have run the following commands for each share, to ensure that group permissions are:
find . -type d -exec chmod 770 {} \;
find . -type f -exec chmod 660 {} \;
I can now create and delete files and folders using windows explorer. I can also create a new blank spreadsheet in Excel and save it to the share. However, when I then open that file in Excel again it comes up as Read Only.
Again, I can delete the spreadsheet using Windows Explorer
What I don't understand, apart from why the system is behaving like this, is what has changed that stopped it from working in the first place.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Did you try something like:
create mask = 0764
and
directory mode = 0775
For folders
In the share setup?
Under which user/group are the files created? (I mean, once created, in the shared folder in Linux, what are the user and group?)
Also something like:
force group = smbusers (or anything else you want)
May help (add the users to that group)
Best,
On Monday 08 May 2017 12:50:44 Jose Maria Terry Jimenez wrote:
Did you try something like:
create mask = 0764
and
directory mode = 0775
For folders
In the share setup?
No, but I do now.
Under which user/group are the files created? (I mean, once created, in the shared folder in Linux, what are the user and group?)
Also something like:
force group = smbusers (or anything else you want)
Also added
May help (add the users to that group)
Best,
I have done some testing and found that I have got to the point where I can create a 'New Text Document', edit it in notepad and save the changes.
I can now also create a new blank spreadsheet, save it, load it, edit and save the changes.
However, if I open an existing spreadsheet it still comes up as read only. Doing a 'ls -l' on the original file shows a '+' on the end of the file permissions. Other files have a '.' on the end. The newly created files have a normal file permission.
I've had a quick Google and found that the '+' indicates an ACL has been applied. I have no idea how this happened as until now I wasn't even aware of them.
Is there an easy way to remove the ACL from all of the files in these directory trees?
On 8/5/17 at 14:21, Gary Stainburn wrote:
May help (add the users to that group)
Best,
I have done some testing and found that I have got to the point where I can create a 'New Text Document', edit it in notepad and save the changes.
I can now also create a new blank spreadsheet, save it, load it, edit and save the changes.
However, if I open an existing spreadsheet it still comes up as read only. Doing a 'ls -l' on the original file shows a '+' on the end of the file permissions. Other files have a '.' on the end. The newly created files have a normal file permission.
I've had a quick Google and found that the '+' indicates an ACL has been applied. I have no idea how this happened as until now I wasn't even aware of them.
Is there an easy way to remove the ACL from all of the files in these directory trees?
Yes, do this (remove SELinux context):
find /path/to/your/folder -exec sudo setfattr -h -x security.selinux {} \;
Hope this helps and solves your problem
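
An added diagnostic example, not written by anyone in this thread: a Python audit that walks a share path and reports entries whose mode bits deny write to a given uid/gid set, plus entries that carry a POSIX ACL (the `system.posix_acl_access` extended attribute, which `ls -l` marks with '+', as distinct from the `security.selinux` label marked with '.'). The function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

ACL_XATTR = "system.posix_acl_access"  # POSIX ACL: the '+' suffix in `ls -l`
SELINUX_XATTR = "security.selinux"     # SELinux label: the '.' suffix in `ls -l`


def xattr_names(path):
    """Extended attribute names on path, or [] where unsupported."""
    try:
        return os.listxattr(path, follow_symlinks=False)
    except (AttributeError, OSError):
        return []


def mode_allows_write(st, uid, gids):
    """Owner/group/other write check from the mode bits alone."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_share(root, uid, gids):
    """Return {path: reason} for entries the given uid/gids may not be able to modify."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if ACL_XATTR in xattr_names(path):
                # With an ACL the group bits show the ACL mask, not group access.
                findings[path] = "POSIX ACL present: inspect with getfacl"
            elif not mode_allows_write(st, uid, gids):
                findings[path] = "mode %04o denies write" % stat.S_IMODE(st.st_mode)
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for a share path such as /user/remote/tmp.
    with tempfile.TemporaryDirectory() as share:
        for name, mode in (("old.xls", 0o444), ("new.xls", 0o660)):
            p = os.path.join(share, name)
            open(p, "w").close()
            os.chmod(p, mode)
        for path, reason in audit_share(share, os.getuid(), {os.getgid()}).items():
            print(path, "->", reason)
```

Run it against a real share with the uid and group ids of the share's `force user` to see which existing files would still open read-only.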