?icro MEGAS
2014-Oct-28 16:21 UTC
[Samba] security settings on [home] share for use in member server
Hi all,

I am referring to the official wiki here: https://wiki.samba.org/index.php/Setting_up_a_home_share#Setting_up_the_share_and_filesystem_permissions

I was struggling for many hours before I found out what caused my issue. Well, I created the [home] share exactly as explained in the How-To, in detail: on the Linux prompt of the member server I create the directory with "mkdir -p /srv/samba/home" and then I apply the Windows ACL settings as shown on the wiki link:

"Authenticated Users" have read access (this folder only)
"Domain Admins" have full access (this folder, subfolders and files)
"SYSTEM" has full access (this folder, subfolders and files)
"Creator-Owner" has full access (subfolders and files)

Afterwards, when I check the ACL settings on the Linux prompt of my member server I get the following output:

root@membersrv1:~# getfacl /srv/samba/home
# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

As you can see, there is one big mistake ==> Only the group "Domain Admins" got full (rwx) rights! With that setting a normal domain user is *not* able to access that [home] share at all. But it works when I make the following change:

I remove "Authenticated Users" from the security settings and instead I add "Domain Users" with the same security settings as shown above, that is: READ/LIST/EXECUTE rights (this folder only).

When I use the "Domain Users" group instead of "Authenticated Users", the ACL settings on the Linux prompt are as shown here:

root@membersrv1:~# getfacl /srv/samba/home
# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

With these settings a domain user can make use of the [home] share as expected.

Now why am I saying all this? If this can be confirmed by someone else and is correct, it would be nice if the corresponding persons could modify the wiki content. Because the wiki says:

[...] Note: If you have the requirement, that your users need to access their home folder locally on the server, too, you have to add a group that contains these user accounts. Add this group in all steps below and set the permissions to exactly the same than for "Authenticated users". Of course this group must be available locally through Winbindd, sssd, nslcd, or other. This is required, because if the user log in locally on the server, there is no "Authenticated User"! [...]

[...] If you have the requirement, that your users need access their home folder locally on the server, too, additionally or add a group that contains these user accounts. Because if the user log in locally on the server, there is no "Authenticated User"! The permissions for this additional group have to be the same than for "Authenticated users" [...]

What the wiki says is completely right, but unfortunately it doesn't make it clear (imho) that I *need* "Domain Users" *even when not intending* to let my users access their home folder locally on the server. My domain users don't log in locally on the member server to access their home directory; they just need to access the [home]/username directory through their Windows clients.
Any comment welcome,

thanks in advance,
Mirco
Klaus Hartnegg
2014-Oct-28 16:56 UTC
[Samba] security settings on [home] share for use in member server
My experience is that if you set Windows ACLs, Samba will try to create Linux ACLs that resemble the Windows ACLs as closely as possible, but only local users will feel them. Users who access the files via Samba will only feel the Windows ACLs. So you can simply ignore the output of getfacl.
?icro MEGAS
2014-Oct-28 17:11 UTC
[Samba] security settings on [home] share for use in member server
> My experience is that if you set Windows ACLs, Samba will try to create
> Linux ACLs that resemble the Windows ACLs as closely as possible, but
> only local users will feel them. Users who access the files via Samba
> will only feel the Windows ACLs. So you can simply ignore the output of
> getfacl.

Maybe, but I don't rely only on the Linux ACLs which I showed on the Linux prompt, but also on the result. The result at the beginning is unfortunately that a user home dir, which was initially created by an Administrator with the ADUC tool, was *not* accessible by the user themselves, only by Admins. The explanation is in my initial posting.
L.P.H. van Belle
2014-Oct-29 07:45 UTC
[Samba] security settings on [home] share for use in member server
Hai,

I checked my settings and this is what I have, but this is also about how you want to use the "home" share.

In my case, /home/users has Linux 2770 (root:root):

drwxrwx--T+ 7 root root 4096 Oct 14 11:48 users

[home]
path = /home/users
read only = no
vfs objects = acl_xattr recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1073741824

In the share rights, I have:
Verified users (full access)
SYSTEM (full access)
Domain Admins (full access)

On the security tab:
Creator Owner (special) Only subfolders and files
Verified users (special) Only this folder
SYSTEM (full access) This folder, subfolders and files
DOMAIN\Domain Admins (full access) This folder, subfolders and files
DOMAIN\Administrator (full access) This folder, subfolders and files

Now when you create your users and set the home folder in the ADUC tool with \\servername\home\%username%, the user folder will be created with the correct rights, like the security tab but with the created user added with full access. And this works OK.

I have Domain Admins on the users only because I use a share as \\home\users$, so if needed the Domain Admins have access to the user folders.

So the above is correct; I have seen your error, look for it and try to fix it. If you can't find it, email again ;-)

Greetz,

Louis
L.P.H. van Belle
2014-Oct-29 07:59 UTC
[Samba] security settings on [home] share for use in member server
Yes, you're correct if ... you also use:

acl_xattr:ignore system acl = yes

on the share; then what you're saying below is totally correct. If you don't set ignore system acl, the Linux rights DO count.

Louis

>-----Original message-----
>From: hartnegg at uni-freiburg.de
>[mailto:samba-bounces at lists.samba.org] On behalf of Klaus Hartnegg
>Sent: Tuesday 28 October 2014 17:56
>To: samba at lists.samba.org
>Subject: Re: [Samba] security settings on [home] share for use in member server
>
>My experience is that if you set Windows ACLs, Samba will try to create
>Linux ACLs that resemble the Windows ACLs as closely as possible, but
>only local users will feel them. Users who access the files via Samba
>will only feel the Windows ACLs. So you can simply ignore the output of
>getfacl.
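The check Mirco did by eye on the two getfacl listings, and the one that matters whenever acl_xattr:ignore system acls is not set (Louis's point: the Linux rights then count), as an added POSIX shell example that is not from the thread or from the Samba project. It reads a getfacl(1) listing, finds the access-ACL entry for a named group and applies the mask:: entry the way POSIX.1e does, so it tells you what a domain group will really get on the share root before any user complains. The two listings are the ones posted above, embedded as constructed strings; the "domain users"/"domain admins" names and the traversal rule (a directory needs both r and x to be entered) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): read a
# getfacl(1) listing and report what its *access* ACL grants to a named
# group once the POSIX.1e mask is applied. Named-user, named-group and
# owning-group entries are limited by mask::; default:* entries only seed
# the ACLs of newly created children and are ignored here.

# Constructed input: the two listings posted in the thread, as strings.
# getfacl escapes the space in "domain admins" as \040.
ACL_AUTHUSERS='# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---'

ACL_DOMUSERS='# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---'

# usage: acl_group_perms "<group name>" "<getfacl listing>"
# Prints the effective rwx triple for that named group, or "---" when the
# access ACL has no entry for it (the case the first post ran into).
acl_group_perms() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^default:/ { next }                       # default ACL: not in effect
        /^mask::/   { mask = substr($0, 7); next } # "mask::" is 6 chars
        /^group:/ {
            split($0, f, ":")
            name = f[2]; gsub(/\\040/, " ", name)  # undo getfacl escaping
            if (name == want) perms = f[3]
        }
        END {
            if (perms == "") { print "---"; exit }
            if (mask == "") mask = "rwx"           # no mask entry: no narrowing
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# A directory can only be entered and listed with both r and x, which is
# the minimum the root of a home share must give the users' group.
# Returns 0 (true) when the group can traverse, 1 otherwise.
acl_group_can_traverse() {
    case "$(acl_group_perms "$1" "$2")" in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo: the same question asked of both listings.
for g in "domain users" "domain admins"; do
    printf '%-14s  Authenticated Users ACE: %s   Domain Users ACE: %s\n' "$g" \
        "$(acl_group_perms "$g" "$ACL_AUTHUSERS")" \
        "$(acl_group_perms "$g" "$ACL_DOMUSERS")"
done
```

On a real member server you would feed it `getfacl /srv/samba/home` instead of the embedded strings; the mask handling is what makes it worth having, since a Windows-side change that narrows mask:: silently narrows every named entry even when getfacl still shows them as rwx.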