[Pkg-samba-maint] Bug#858564: Bug#858564: samba: Since 8u4, Samba does not allow files not in root directory of share

Fri Mar 24 10:23:41 UTC 2017

Control: tag -1 + moreinfo

2017-03-23 17:41 GMT+01:00 James Bellinger <jfb1776 at gmail.com>:
> Package: samba
> Version: 2:4.2.14+dfsg-0+deb8u2
> Severity: grave
> Justification: renders package unusable

Hmm... Don't over-rate a bug because it affects you.

> Dear Maintainer,

hi,

> *** Reporter, please consider answering these questions, where appropriate ***
>
>    * What led up to the situation?
>         I upgraded to 8u4 through unattended upgrades.
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>         (1) I attempt to create a file not in the root directory of the share.
>         (2) I try to write to files not in the root directory of the share.
>    * What was the outcome of this action?
>         (1) Windows Explorer freezes entirely until I end task it.
>         (2) It says permission denied.
>    * What outcome did you expect instead?
>         (1) Normally I can create files.
>         (2) Normally I can access files.
>
> I have reverted back to 8u2 and am no longer experiencing problems.
> Access to the root directory of the share works fine.
>
> My smb.conf is as follows:
> (start)
> [global]
> server string = Server
> workgroup = WORKGROUP
> log level = 1
>
> interfaces = eth0 eth0:0 eth0:1 eth0:2 eth0:3
> bind interfaces only = yes
> socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
>
> server role = standalone server
> disable netbios = yes
> disable spoolss = yes
> csc policy = disable
> oplocks = no
> server min protocol = NT1
>
> passdb backend = tdbsam
> encrypt passwords = yes
> invalid users = root fsadmin
> disable netbios = yes
> disable spoolss = yes
> csc policy = disable
> oplocks = no
> server min protocol = NT1
>
> passdb backend = tdbsam
> encrypt passwords = yes
> invalid users = root fsadmin
>
> follow symlinks = no
> hide dot files = no
> wide links = no
>
> create mask = 660
> directory mask = 770
>
> vfs objects = acl_xattr streams_xattr full_audit
> full_audit:prefix = %S|%u|%I
> follow symlinks = no
> hide dot files = no
> wide links = no
>
> create mask = 660
> directory mask = 770
>
> vfs objects = acl_xattr streams_xattr full_audit
> full_audit:prefix = %S|%u|%I
> full_audit:success = mkdir open opendir rename rmdir unlink
> full_audit:failure = all !getxattr !removexattr !is_offline !readdir_att$
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
>
> map acl inherit = yes
> store dos attributes = yes
>
> browseable = no
> writeable = yes
>
> include = /etc/samba/smb.conf.%i
> (end)
>
> As an example of the IP-address specific file, here's one:
> (start)
> [hr$]
> comment = HR Server
> path = /mnt/data/hr
> force group = +AccessHR
> valid users = @AccessHR
> (end)
>
> Permissions are absolutely fine. They are essentially 770.
> AppArmor is enabled, but I disabled it and the problem still exists in 8u4.
> It does not exist in 8u2.

OK. I'm not able to reproduce the problem on a classic config, so this
comes from one of those multiple params.

Can you please reduce this config to isolate the param which failed? I
suspect one of the vfs.

Also, does a simple touch fails too? Does it fails too from a Linux
machine (via smbclient or cifs-utils)?

Regards

-- 
Mathieu Parent