Mason Schmitt
2019-Feb-20 23:45 UTC
[Samba] Share with Domain Users Full Control permissions, not accessible by domain user
Hello,

I'm really stumped and would greatly appreciate some help.

*Situation*

I have a couple of Windows 10 Pro hosts that I have joined to a Samba4 AD domain. I have created 3 users in the domain, one that is a member of Domain Admins and two that are only members of the Domain Users group.

I have two samba shares (details below) on a separate samba file server. The share permissions were set using RSAT. The samba file server was joined to the samba4 AD domain using the realm command and specifying the use of winbind, not SSSD. Post-join testing seems to suggest that the join was successful.

If I log into either of the windows hosts, using any one of the three users, I can go to \\fileserver and see the two shares. All three users are able to enter the "users" share without any errors. However, only the Domain Admin user is able to enter the "operations" share. When the other two users attempt to enter the share, an error window pops up saying that I do not have permission to access \\fileserver\operations.

I'm happy to provide any logs you might want to see.

*Expectation*

I want the members of the Domain Users group to be able to do CRUD operations within the operations share.
*Details*

*# The two servers*

*ad1*

- Ubuntu 18.04.2
- Samba version 4.7.6-Ubuntu from the 2:4.7.6+dfsg~ubuntu-0ubuntu2.6 Ubuntu package
- Configured as AD DC

*fileserver*

- CentOS 7.6
- smbd version 4.8.3 from the samba-4.8.3-4.el7.x86_64 EPEL package
- Added as a domain member using the realm command and specifying the use of winbind, not sssd

*# smb.conf file on fileserver*

[global]
        kerberos method = system keytab
        workgroup = FTLC
        security = ads
        realm = AD.FTLCOMPUTING.COM

        # Logging
        log file = /var/log/samba/%m.log
        log level = 5

        # We're using the RID method of mapping SIDs to UID/GID
        idmap config FTLC : range = 2000000-2999999
        idmap config FTLC : backend = rid
        idmap config * : range = 10000-999999
        idmap config * : backend = tdb

        # All linux users, logging in using an AD account
        # will have their shell and home dir set as follows
        template shell = /bin/bash
        template homedir = /home/%U@%D

        # Winbind
        winbind use default domain = no
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind enum groups = no
        winbind enum users = no

        # Map domain admin account to local root account
        # and resolve other "net rpc" issues
        username map = /etc/samba/user.map

        bind interfaces only = yes
        interfaces = lo eth0

        # Enable Windows ACL support
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

##################################
#             Shares             #
##################################
# All shares will be created within the /srv/samba/shares/ folder,
# except for home dirs which are in /srv/samba/users/
# For example:
#[test]
#        path = /srv/samba/shares/test
#        comment = Test Share
#        guest ok = no
#        read only = no

[users]
        path = /srv/samba/users
        comment = Share for user home dirs
        guest ok = no
        read only = no

[operations]
        path = /srv/samba/shares/Operations
        comment = FTL Operations
        guest ok = no
        read only = no

*# Windows Share Permissions (set using RSAT tools)*

For the users share:
        Domain Admins - Full Control
        Domain Users - Change

For the operations share:
        Domain Admins - Full Control
        Domain Users - Full Control

*# Windows File Permissions (set using RSAT tools)*

For the users share:
        Domain Admins - Full control - This folder, subfolders and files
        CREATOR OWNER - Full control - Subfolders and files only
        Domain Users - Read & execute - This folder only

For the operations share:
        Domain Admins - Full control - This folder, subfolders and files
        CREATOR OWNER - Full control - Subfolders and files only
        Domain Users - Read & execute - This folder, subfolders and files

*# POSIX filesystem details (set using chown and chmod)*

/srv/samba/users/
drwxrwx---+ 2 root FTLC\domain admins.

/srv/samba/shares/Operations/
drwxrwx---. 2 root FTLC\domain admins

*# Output from getfacl*

# file: users/
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:root:rwx
user:2000512:rwx
user:2000513:r-x
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:2000512:rwx
default:group::---
default:group:FTLC\134domain\040admins:rwx
default:mask::rwx
default:other::---

# file: shares/Operations/
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:root:rwx
user:2000512:rwx
user:2000513:rwx
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:2000513:rwx
default:group::r-x
default:group:FTLC\134domain\040admins:r-x
default:group:FTLC\134domain\040users:rwx
default:mask::rwx
default:other::---

Thanks!

--
Mason
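The POSIX side of the question can be checked mechanically. The following is an added example, not code from the thread: it parses getfacl output (including the \134 and \040 octal escapes getfacl uses for backslashes and spaces in names) and applies the POSIX.1e access-check order the Linux kernel uses: owner, named user, then the owning group and named groups under the mask, then other. The getfacl text is the one posted for shares/Operations/ and users/; the name-to-ID map and the test uid 2001105 are constructed assumptions. Note that this is only the kernel's answer for the directory; with vfs_acl_xattr, smbd also evaluates the NT ACL it stores in an extended attribute.

```python
"""POSIX.1e ACL access check over getfacl output (added example)."""
import re

# getfacl output copied from the post; names are octal-escaped by getfacl.
OPERATIONS_ACL = r"""
# file: shares/Operations/
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:root:rwx
user:2000512:rwx
user:2000513:rwx
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::---
"""

# users/ share from the post (default: entries omitted; they only affect
# newly created children, not access to the directory itself).
USERS_ACL = r"""
# file: users/
# owner: root
# group: FTLC\134domain\040admins
user::rwx
user:root:rwx
user:2000512:rwx
user:2000513:r-x
group::rwx
group:FTLC\134domain\040admins:rwx
group:FTLC\134domain\040users:r-x
mask::rwx
other::---
"""

# Constructed name -> ID map standing in for winbind's RID mapping
# (idmap range 2000000+, RID 512 = Domain Admins, RID 513 = Domain Users).
USERS = {"root": 0}
GROUPS = {"FTLC\\domain admins": 2000512, "FTLC\\domain users": 2000513}


def unescape(name):
    """Undo getfacl's octal escaping: \\134 -> '\\', \\040 -> ' '."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def perms(s):
    return frozenset(c for c in s if c in "rwx")


def resolve(name, table):
    """getfacl prints a bare number when it cannot resolve an ID."""
    return int(name) if name.isdigit() else table[name]


def parse_getfacl(text):
    """Parse one getfacl block into its access ACL (default: lines skipped)."""
    acl = {"owner": None, "owning_group": None, "user_obj": None, "group_obj": None,
           "named_users": {}, "named_groups": {}, "mask": None, "other": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = resolve(unescape(line.split(":", 1)[1].strip()), USERS)
        elif line.startswith("# group:"):
            acl["owning_group"] = resolve(unescape(line.split(":", 1)[1].strip()), GROUPS)
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, p = line.rsplit(":", 2)
            p = perms(p)
            if tag == "user" and qualifier == "":
                acl["user_obj"] = p
            elif tag == "user":
                acl["named_users"][resolve(unescape(qualifier), USERS)] = p
            elif tag == "group" and qualifier == "":
                acl["group_obj"] = p
            elif tag == "group":
                acl["named_groups"][resolve(unescape(qualifier), GROUPS)] = p
            elif tag == "mask":
                acl["mask"] = p
            elif tag == "other":
                acl["other"] = p
    return acl


def effective(acl, uid, gids, wanted):
    """Return True if uid (with effective+supplementary gids) gets every bit in wanted.

    Mirrors the kernel's posix_acl_permission(): the first matching group entry
    whose raw bits cover the request is chosen, then the mask is applied; if the
    mask strips the bits, access is denied without trying later group entries.
    """
    wanted = perms(wanted)
    mask = acl["mask"] if acl["mask"] is not None else frozenset("rwx")
    if uid == acl["owner"]:
        return wanted <= acl["user_obj"]
    if uid in acl["named_users"]:
        return wanted <= (acl["named_users"][uid] & mask)
    matched = False
    group_entries = [(acl["owning_group"], acl["group_obj"])] + list(acl["named_groups"].items())
    for gid, p in group_entries:
        if gid in gids:
            matched = True
            if wanted <= p:
                return wanted <= (p & mask)
    if matched:
        return False
    return wanted <= acl["other"]


if __name__ == "__main__":
    member = (2001105, {2000513})  # constructed Domain Users member
    for name, text in (("Operations", OPERATIONS_ACL), ("users", USERS_ACL)):
        acl = parse_getfacl(text)
        print(name, "rwx for domain user:", effective(acl, *member, "rwx"))
```

Running it shows the named group entry for FTLC\domain users granting rwx on Operations and only r-x on users/ at the POSIX level, regardless of which group owns the directory; the mask-before-fallthrough rule in effective() is the part people most often get wrong when reasoning about these ACLs by hand.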
Rowland Penny
2019-Feb-21 09:14 UTC
[Samba] Share with Domain Users Full Control permissions, not accessible by domain user
On Wed, 20 Feb 2019 15:45:07 -0800
Mason Schmitt via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm really stumped and would greatly appreciate some help.
>
> *fileserver*
>
> - CentOS 7.6
> - smbd version 4.8.3 from the samba-4.8.3-4.el7.x86_64 EPEL package
> - Added as a domain member using the realm command and specifying
> the use of winbind, not sssd
>
>
> *# smb.conf file on fileserver*
>
> [global]
> kerberos method = system keytab
> workgroup = FTLC
> security = ads
> realm = AD.FTLCOMPUTING.COM
>
> # Logging
> log file = /var/log/samba/%m.log
> log level = 5
>
> # We're using the RID method of mapping SIDs to UID/GID
> idmap config FTLC : range = 2000000-2999999
> idmap config FTLC : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
>
> # All linux users, logging in using an AD account
> # will have their shell and home dir set as follows
> template shell = /bin/bash
> template homedir = /home/%U@%D

Nothing to do with your problem, but is the above line a typo? I would have expected the '@' to be a '/', in which case it is the default, so you can remove the line.

> *# POSIX filesystem details (set using chown and chmod)*
>
> /srv/samba/users/
> drwxrwx---+ 2 root FTLC\domain admins.
>
> /srv/samba/shares/Operations/
> drwxrwx---. 2 root FTLC\domain admins
>

Here we come to what I think is your problem ;-)

If you examine the first set of permissions, they end with a '+', this means that there are extended ACLs set.

The second set of permissions ends with a dot '.' and is something I haven't seen before, so a quick google later and I can tell you that you have selinux running, does that give you any hints ;-)

See here for more info:
https://superuser.com/questions/230559/what-does-the-dot-mean-at-the-end-of-rw-r-r-how-do-you-set-it-with-chmod

Rowland
Rowland Penny
2019-Feb-21 19:28 UTC
[Samba] Share with Domain Users Full Control permissions, not accessible by domain user
On Thu, 21 Feb 2019 10:49:49 -0800
Mason Schmitt <mason at ftlcomputing.com> wrote:

> Hi Rowland,
>
> > > template homedir = /home/%U@%D
> >
> > Nothing to do with your problem, but is the above line a typo?
> > I would have expected the '@' to be a '/', in which case it is the
> > default, so you can remove the line.
>
> It wasn't a typo, I think it was auto-generated by something during my
> setup of this host. It would probably be better to use '/home/%D/%U'
>
> > > *# POSIX filesystem details (set using chown and chmod)*
> > >
> > > /srv/samba/users/
> > > drwxrwx---+ 2 root FTLC\domain admins.
> > >
> > > /srv/samba/shares/Operations/
> > > drwxrwx---. 2 root FTLC\domain admins
> > >
> >
> > Here we come to what I think is your problem ;-)
> > If you examine the first set of permissions, they end with a '+',
> > this means that there are extended ACLs set.
> > The second set of permissions ends with a dot '.' and is something I
> > haven't seen before, so a quick google later and I can tell you that
> > you have selinux running, does that give you any hints ;-)
>
> My problem isn't with selinux, because selinux is in permissive mode,
> not enforcing mode.
>
> I actually managed to solve my problem, minutes after I sent this
> email to the list, but the solution does present me with further
> questions. I ended up changing the ownership of
> the /srv/samba/shares/Operations folder from 'root:FTLC\domain
> admins' to 'root:FTLC\domain users'. I didn't change the
> permissions, they are still 770.
>
> I had thought that it made sense for 'root:FTLC\domain admins' to own
> the /srv/samba/shares/Operations directory, because only that user
> and group should have the ability to change share permissions.
> However, given that the change of ownership to the FTLC\domain users'
> group resolved the issue, I can see that my assumption was
> incorrect. Therefore, am I correct in assuming that ownership of a
> given share directory needs to always be the lowest common
> denominator - i.e. 'FTLC\domain users'? What are the security
> implications of this?
>
> I'm still pretty foggy on the relationship between POSIX ownership and
> permissions, and Windows ACLs. Is there a good resource that might
> help to clear this fog? Or perhaps a better question might be, what
> is the recommended POSIX permissions and ownership for a share that is
> going to use Windows ACLs and be managed, using RSAT tools, by a
> Domain Admin?
>
> Thanks,
> Mason

Let's make the fog even thicker, when you set the permissions from Windows (which is the best option), they don't get stored where you think they do ;-)

You can read the Unix permissions with 'ls' and you can read what I call posix ACLs with 'getfacl', but to read the permissions set from Windows, you need to use getfattr. The NTFS ACLs are stored in a file's security.NTACL, which is an Extended Attribute. This is used with the Unix permissions to set the ACLs you get with getfacl.

This is probably as clear as mud, but it is very complicated, try reading this:

https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/ace-strings

Also reading 'man vfs_acl_xattr' might help

Rowland