Univention Bugzilla – Bug 40599
UMC: "Restrict write access to these users/groups" broken (samba write list)
Last modified: 2023-06-21 09:24:41 CEST
In UMC the value for "Shares"->"Advanced Settings"->"Samba permissions"->"Restrict write access to these users/groups" is treated as one parameter and UMC puts " around it before saving.
If one sets Nutzer1 Nutzer2 as value for "Restrict write access to these users/groups" via UMS, the share config looks like:
    write list = "Nutzer1 Nutzer2"
This is wrong.
UMC Request:
    {"options":[{"object":{"sambaWriteList":"Nutzer1 Nutzer2","$dn$":"cn=share1,cn=shares,dc=four,dc=one"},"options":null}],"flavor":"shares/share"}

(In reply to Felix Botner from comment #0)
> In UMC the value for "Shares"->"Advanced Settings"->"Samba
> permissions"->"Restrict write access to these users/groups" is treated as
> one parameter and UMC puts " around it before saving.
>
> If one sets Nutzer1 Nutzer2 as value for "Restrict write access to these
> users/groups" via UMS, the share config looks like:
>
> write list = "Nutzer1 Nutzer2"
>
> This is wrong.
>
> UMC Request: {"options":[{"object":{"sambaWriteList":"Nutzer1
> Nutzer2","$dn$":"cn=share1,cn=shares,dc=four,dc=one"},"options":null}],
> "flavor":"shares/share"}
No, that is fine. UMC is smart enough to put quotes around the value if a space is detected; if one wants to put multiple users in this list, one has to separate the entries with commas. So all fine here. But we may need a tooltip or something to explain this.

(In reply to Felix Botner from comment #0)
> UMC Request: {"options":[{"object":{"sambaWriteList":"Nutzer1
> Nutzer2","$dn$":"cn=share1,cn=shares,dc=four,dc=one"},"options":null}],
> "flavor":"shares/share"}
The quotes are part of the JSON object. I don't think UMC is doing anything wrong here, the UDM handler or listener module which writes this config is probably broken (which config file is it?).
What would be correct?

Next: Valid/Invalid users or groups
Here there is no such special "spaces" handling (like in "Restrict write access to these users/groups"). This is not good. One option quotes the spaces, the next (valid/invalid users) does not.
Bottom line, less magic more tooltips and examples (see man smb.conf).

(In reply to Florian Best from comment #2)
> (In reply to Felix Botner from comment #0)
> > UMC Request: {"options":[{"object":{"sambaWriteList":"Nutzer1
> > Nutzer2","$dn$":"cn=share1,cn=shares,dc=four,dc=one"},"options":null}],
> > "flavor":"shares/share"}
>
> The quotes are part of the JSON object. I don't think UMC is doing anything
> wrong here, the UDM handler or listener module which writes this config is
> probably broken (which config file is it?).
>
> What would be correct?
OK, maybe it is the listener or the UDM. I now have defined
    Nutzer1 Nutzer2 Nutzer3 -> valid users
    Nutzer1 Nutzer2 -> Restrict write access to these users/groups
via UMC and I get the following smb settings
    valid users = Nutzer1 Nutzer2 Nutzer3
    nt acl support = 1
    inherit acls = 1
    write list = "Nutzer1 Nutzer2"
Manpage says
    Example: valid users = greg, @pcusers, "username with spaces"
    Example: valid users = greg, @pcusers, "username with spaces"

Ticket: 2016013021000177
Ticket: 2016013121000381 and again, more tooltips/examples wanted
Created attachment 7460
patch
Tooltips are the wrong approach. It should be self-explanatory. The patch makes the field a multivalue field displayed as a MultiInput widget.
Is there anything said in the manpage about how to escape ',' or '"' in the usernames? (The patch adds a \ in front of ").

Created attachment 7461
Screenshot
A screenshot after applying the patch.
Btw. the field allows injection by inserting a newline and define custom things...

(In reply to Florian Best from comment #8)
> Created attachment 7461
> Screenshot
>
> A Screenshot after applying the patch.
> Btw. the field allows injection by inserting a newline and define custom
> things...
Yes, this looks promising and would probably also fix this problem:
When, for a particular share under Advanced Settings > Samba permissions, I first make entries in the field "Valid users or groups" and in the field "Restrict write access to these users/groups", save them and later delete them again, I get the following error message:
    Das LDAP-Objekt konnte nicht gespeichert werden: LDAP-Fehler No such attribute: modify/delete: univentionShareSambaWriteList: no such value
When I look in the Samba config under the share name in /etc/samba/shares.conf.d/freigabenamen at the options valid users = and write list =, nothing has been deleted and everything is as before. In short, I cannot get the entries out again. As a stopgap I recreated the share from scratch under the same name. But that is not a solution.

Ticket: 2016013021000471
Also the description of "Restrict write access to these users/groups" is not correct. This option sets write list in the smb.conf -> manpage
    This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, *no matter* what the *read only* (writeable) option is set to.
So "Restrict write access to these users/groups" gives the impression that other users have no write access to the share if "Restrict write access to these users/groups" is set, but this is only true if Samba write access is false.

Another customer wrote:
>>>
When I create a share via udm or the web interface and want to restrict the permission to a group with a space in its name, e.g. Domain Users, the entry
    valid users = @Domain Users
is generated in /etc/samba/shares.conf.d/sharename and the share does not work as expected (login fails). Correct would be:
    valid users = @"Domain Users"
If I change that manually, the share works perfectly.
<<<

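An added example, not part of this thread or of the UCS code base: one way a config writer could turn a multivalue user/group attribute into the smb.conf list syntax discussed above, quoting each entry on its own and refusing the newline injection mentioned in comment #8. The function names, and the choice to reject rather than escape quotes and commas, are assumptions.

```python
import re

# Assumption: control characters, '"' and ',' are rejected rather than escaped,
# because the thread leaves open how smb.conf escapes them inside a name.
FORBIDDEN = re.compile(r'[\x00-\x1f\x7f",]')
# Group prefixes from smb.conf(5); the quotes go after the prefix, as in the
# @"Domain Users" form reported as working in this thread. Applying the same
# placement to '+' and '&' is an assumption.
PREFIXES = "@+&"


def format_entry(name):
    """Format one user or group name as a single smb.conf list entry."""
    name = name.strip()
    if FORBIDDEN.search(name):
        raise ValueError(f"forbidden character in entry {name!r}")
    body = name.lstrip(PREFIXES)
    prefix = name[: len(name) - len(body)]
    if not body:
        raise ValueError(f"empty user or group name in {name!r}")
    if re.search(r"\s", body):
        # Quote only the name itself, one entry at a time.
        body = f'"{body}"'
    return prefix + body


def render_list(option, names):
    """Render e.g. 'write list = a, @"b c"' from a multivalue attribute."""
    return f"{option} = " + ", ".join(format_entry(n) for n in names)


def is_rejected(name):
    """True if the entry would be refused instead of written to the config."""
    try:
        format_entry(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values, modelled on the names used in the thread.
    print(render_list("valid users", ["Nutzer1", "Nutzer2", "Nutzer3"]))
    print(render_list("write list", ["@Domain Users", "@Verwaltung"]))
    print(is_rejected("Nutzer1\nkey = value"))
```
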
...or should I clone this bug to 4.2?
(In reply to Nico Stöckigt from comment #13)
> ...or should I clone this bug to 4.2?
No.

This https://forge.univention.org/bugzilla/show_bug.cgi?id=40599#c9 happens in UCS 4.3-3 as well. It is not possible to remove the sambaWriteList setting via umc or udm.
    udm shares/share modify --dn "cn=Public,cn=another.ucs-server.de,cn=shares,dc=local,dc=ucs-server,dc=de" --remove sambaWriteList
    LDAP Error: No such attribute: modify/delete: univentionShareSambaWriteList: no such value

*** Bug 50074 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Still relevant and not working correctly
Parsing problem with write list values:
In the UMC you can add the write list values like this:
    @Verwaltung,@Hochdruck
and it is converted to
    @Verwaltung, @Hochdruck
in the UCS and in the smb.conf shown as follows:
    write list = "@Verwaltung, @Hochdruck"
This is not working.
If you add it like this:
    @Verwaltung @Hochdruck
in the UMC, it becomes
    @"Verwaltung @Hochdruck"
in the UMC and
    write list = @\Verwaltung @Hochdruck\`
in the smb.conf, which is also not working.
Workaround: Add the entry in the samba custom settings via key | value

All points addressed in the MR https://git.knut.univention.de/univention/ucs/-/merge_requests/360.
The user and group selection is now a multivalue selection instead of a space-separated field.
univention-directory-manager-modules (15.0.20-9)
e8cf3b86b5d4 | Bug #40599: display all user/group selections as multivalue

Tests: OK Code review: OK Changelog: OK
UCS 5.0-4 has been released: https://docs.software-univention.de/release-notes/5.0-4/en/ If this error occurs again, please use the 'Clone This Bug' option.