我在 Linux 伺服器 (RHEL 6) 上有一個 samba 共享,我透過 Windows 7 存取該伺服器。
我將 samba 共用設定為建立遮罩 0664,但是當我從 Windows 7 電腦透過 samba 建立文件時,它會建立權限等級為 0674 的文件。如果我刪除共享的創建遮罩並依賴預設的創建遮罩 0644,它會創建權限為 0774 的檔案。 。關於發生了什麼以及如何解決這個問題有什麼想法嗎?
理想情況下,新檔案的權限等級為 0664,現有檔案將保持其權限等級。
作為參考,這裡是輸出testparm -v:
[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = WORKGROUP
realm =
netbios name = SERVER
netbios aliases =
netbios scope =
server string = Bart
interfaces =
bind interfaces only = No
security = DOMAIN
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = passwordserver.domain.com
smb passwd file = /var/lib/samba/private/smbpasswd
private dir = /var/lib/samba/private
passdb backend = tdbsam
algorithmic rid base = 1000
root directory =
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program =
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
check password script =
username map =
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
preload modules =
dedicated keytab file =
kerberos method = default
map untrusted to domain = No
log level = 0
syslog = 1
syslog only = No
log file = /var/log/samba/log.%m
max log size = 10240
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = Yes
debug pid = No
debug uid = No
debug class = No
enable core files = Yes
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = No
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
client ldap sasl wrapping = plain
enable asu support = No
svcctl list =
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 16384
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
ctdbd socket =
cluster addresses =
clustering = No
ctdb timeout = 0
load printers = No
printcap cache time = 750
printcap name =
cups server =
cups encrypt = No
cups connection timeout = 30
iprint server =
disable spoolss = No
addport command =
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
max stat cache size = 256
stat cache = Yes
machine password timeout = 604800
add user script =
rename user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script =
shutdown script =
abort shutdown script =
username map script =
logon script =
logon path = \\%N\%U\profile
logon drive =
logon home = \\%N\%U
domain logons = No
init logon delayed hosts =
init logon delay = 100
os level = 20
lm announce = Auto
lm interval = 60
preferred master = No
local master = No
domain master = Auto
browse list = Yes
enhanced browsing = Yes
dns proxy = Yes
wins proxy = No
wins server =
wins support = No
wins hook =
kernel oplocks = Yes
lock spin time = 200
oplock break wait time = 0
ldap admin dn =
ldap delete dn = No
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap passwd sync = no
ldap replication sleep = 1000
ldap suffix =
ldap ssl = start tls
ldap ssl ads = No
ldap deref = auto
ldap follow referral = Auto
ldap timeout = 15
ldap connection timeout = 2
ldap page size = 1024
ldap user suffix =
ldap debug level = 0
ldap debug threshold = 10
eventlog list =
add share command =
change share command =
delete share command =
preload =
lock directory = /var/lib/samba
state directory = /var/lib/samba
cache directory = /var/lib/samba
pid directory = /var/run
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
nmbd bind explicit broadcast = Yes
homedir map = auto.home
afs username map =
afs token lifetime = 604800
log nt token command =
time offset = 0
NIS homedir = No
registry shares = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
panic action =
perfcount module =
host msdfs = Yes
passdb expand explicit = No
idmap backend = tdb
idmap alloc backend =
idmap cache time = 604800
idmap negative cache time = 120
idmap uid =
idmap gid =
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind reconnect delay = 30
winbind max clients = 200
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
create krb5 conf = Yes
comment =
path =
username =
invalid users =
valid users =
admin users =
read list =
write list =
printer admin =
force user =
force group =
read only = Yes
acl check permissions = Yes
acl group control = No
acl map full control = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
guest only = No
administrative share = No
guest ok = No
only user = No
hosts allow =
hosts deny =
allocation roundup size = 1048576
aio read size = 0
aio write size = 0
aio write behind =
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
smb encrypt = auto
block size = 1024
change notify = Yes
directory name cache size = 100
kernel change notify = Yes
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options = raw
print command =
lpq command = %p
lprm command =
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = Yes
force printername = No
printjob username = %U
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map archive = Yes
map hidden = No
map system = No
map readonly = yes
mangled names = Yes
store dos attributes = No
dmapi support = No
browseable = Yes
access based share enum = No
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
share modes = Yes
dfree cache time = 0
dfree command =
copy =
preexec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = No
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
vfs objects =
msdfs root = No
msdfs proxy =
[path]
comment = path
path = /path/
valid users = usera, userb, userc
read only = No
create mask = 0664
directory mask = 0775
wide links = Yes
答案1
該問題通常是由啟用以下其中一項引起的:
map archive(使用 UNIX 執行位元作為所有者)map system(使用unix執行位元進行群組)map hidden(使用 unix 執行位元進行其他操作)inherit permissions導致 samba 忽略create mask等- 還有
inherit acls應該預設為 no
“MS-DOS 和 Unix 上的檔案權限和屬性”第 8 章 進階磁碟共享很好地解釋了上面的內容。
然而,微軟辦公室產品會導致奇怪的行為並觸發錯誤/意外行為。即使使用create mask和/或force create mode設定並避免上述對應或繼承選項,我也看到在使用 Microsoft Office 應用程式編輯文件時設定了群組執行權限。其他程式不會發生這種情況,例如使用記事本編輯 .txt 檔案並且權限保持正常。 Office 不只是建立文件,它還會對臨時文件、重新命名和權限造成一些混亂。
經過大量挖掘後,它也可能與 Samba POSIX ACL 之類的錯誤混合在一起:
- 舊的 2007 年 Debian 錯誤報告“samba:使用 POSIX acls 誤解創建模式”
- 」預設 ACL 的錯誤行為」 似乎是 samba 的最新錯誤報告,但遺憾的是已關閉「已解決無效」(過早?)。
在 Linux 端觀察到的行為
透過 Windows 資源管理器上下文功能表建立的空白 Word docx 檔案的擴充 ACL(尚未由 Word 開啟和儲存)
$ getfacl test.docx
# file: test.docx
# owner: tester
# group: tester
user::rw-
group::rw-
other::---
透過 MS Word 2016 儲存後
$ getfacl test.docx
# file: test.docx
# owner: tester
# group: tester
user::rw-
user:tester:rw-
group::rw-
group:tester:rw-
mask::rwx
在 Ubuntu 16.04 LTS 上檢查 samba 配置時,它似乎map archive是預設啟用的,但這應該使用所有者的執行位,而不是群組執行位,所以這不是我的情況的原因
$ testparm -s -v 2>&1 | grep 'map archive'
map archive = Yes
在 Windows 端觀察到的行為
使用SysInternals Process Monitor 並將使用notepad.exe 編輯.txt 檔案與使用WINWORD.EXE 編輯.docx 檔案進行比較,辦公室套件執行了許多花哨的步驟,建立臨時檔案、重新命名等。不同,WINWORD.EXE 似乎在擺弄存取控制清單。正如 procmon 所見
SetSecurityFile
Information: Group, DACL
所以我懷疑這就是 UNIX 群組權限被 Microsoft Office 應用程式篡改的原因。
更深入的調查需要打開 Windows 檔案物件安全性審核來查看到底發生了什麼變化。事件 ID 4670 顯示~WRD0000.tmp應用程式的權限變更(我認為 word 使用它來定期儲存和崩潰時恢復)。
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\<user>\Desktop\TestAudit\~WRD0000.tmp
Handle ID: 0xfd0
Process:
Process ID: 0x1ae4
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Permissions Change:
Original Security Descriptor:
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-<SID>-1001)
New Security Descriptor:
D:(A;;0x1200a9;;;WD)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-<SID>-1001)
SDDL(安全描述符定義語言)中的權限變更是 DACL(自由存取控制清單部分),其中似乎新增了額外的 ACE(存取控制條目)。 ACE(A;;0x1200a9;;;WD)被加到前面。我是這樣解釋的:
A;意思是允許訪問,保持不變;沒有繼承權0x1200a9;表示FILE_GENERIC_READ | FILE_EXECUTE讀取和執行訪問WD指「所有人」受託人
後來,我在進程監視器中看到的名稱~WRD0000.tmp被重新命名為一項操作。因此,無論出於何種原因,最終都會出現一些 ACE 變更。test.docxSetRenameInformationFiletest.docx
