We've recently upgraded an S3 to Samba4 with AD (4.3.11-Ubuntu).
The access control on the old installation was done with "valid users"
and "write list". We've ported this to ACL, but for some path
users are denied access and we cannot understand why.
For example, on a generic share, user "user1" can browse and access almost
everything except for the directory "NONWORKING". So, by doing several
tests, we found out that by copying the very same directory from another user who
has access (a domain admin) to a new one, the new directory IS accessible by
"user1"!
This directory has a specific security entry which allows writing to
"user1".
This is a diff of getfacl on the working and nonworking dir.
From my understanding there's nothing in the first dir ACL which forbids
"user1" from accessing NONWORKING directory. Have I missed something?
Is there anything else I can check?
Thanks
--- /tmp/NONWORKING_acl 2019-07-02 10:25:33.961928899 +0200
+++ /tmp/WORKING_acl 2019-07-02 10:25:50.061925261 +0200
@@ -1,21 +1,21 @@
-# file: NONWORKING
-# owner: DOMAIN\134administrator
+# file: WORKING
+# owner: DOMAIN\134max
# group: users
# flags: -s-
user::rwx
user:DOMAIN\134administrator:rwx
user:DOMAIN\134user1:rwx
user:DOMAIN\134domain\040admins:rwx
-group::rwx
+group::r-x
group:users:rwx
group:DOMAIN\134domain\040admins:rwx
mask::rwx
-other::rwx
+other::r-x
default:user::rwx
default:user:DOMAIN\134administrator:rwx
default:user:DOMAIN\134user1:rwx
default:user:DOMAIN\134domain\040admins:rwx
-default:group::rwx
+default:group::---
default:group:users:rwx
default:group:DOMAIN\134domain\040admins:rwx
default:mask::rwx
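Review bot: nothing in this hunk denies DOMAIN\user1 on NONWORKING: the named-user entry `user:DOMAIN\134user1:rwx` and `mask::rwx` are unchanged context on both sides, so under the POSIX ACL access check user1 resolves to that entry on both directories and gets rwx on both. The only differences are the owner and the `group::`, `other::` and `default:group::` entries, and each of them is more permissive on the NONWORKING side (`other::rwx` vs `other::r-x`, `group::rwx` vs `group::r-x`), so this diff cannot account for the denial. A getfacl of the directory alone also says nothing about its parents: traversal needs `x` on every directory on the way down, so compare getfacl for each path component above NONWORKING and WORKING too, and recheck the share-level `valid users`/`write list` settings that were ported, since those are evaluated independently of the filesystem ACL. Note that `\134` and `\040` are getfacl's octal escapes for backslash and space, so `DOMAIN\134domain\040admins` is the group `DOMAIN\domain admins`.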
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222
Think green - Don't print this email unless necessary
-------- D.Lgs. 196/2003 and GDPR 679/2016 --------
Confidentiality notice: this email message including any attachment is for the
sole use of the intended recipient and may contain confidential and privileged
information; pursuant to Legislative Decree 196/2003 and the European General Data
Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient please delete
this message without copying, printing or forwarding it to others, and alert us as
soon as possible.
Thank you.
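As an added example (not part of the original post and not Samba code), the script below parses getfacl output and applies the POSIX ACL access-check algorithm from acl(5): owner entry first, then the named-user entry (ANDed with the mask), then any matching group entry (each ANDed with the mask, any one of them may grant), then `other`. The two listings are constructed from the diff in the post with the `default:` entries left out, and the assumption that `user1`'s primary group is `users` is mine. Run on the post's data it shows `DOMAIN\user1` ending up with rwx on both directories, and it also walks a list of parent-directory listings to find the first one that lacks the `x` bit needed for traversal.

```python
"""POSIX ACL access check (acl(5)) from getfacl output. Added example for the
ACL question above; the listings are constructed from the post's getfacl diff."""
import re

PERM_BITS = frozenset("rwx")

# getfacl escapes '\' as \134 and ' ' as \040; raw strings keep them verbatim.
NONWORKING_ACL = r"""# file: NONWORKING
# owner: DOMAIN\134administrator
# group: users
user::rwx
user:DOMAIN\134administrator:rwx
user:DOMAIN\134user1:rwx
user:DOMAIN\134domain\040admins:rwx
group::rwx
group:users:rwx
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::rwx
"""

WORKING_ACL = r"""# file: WORKING
# owner: DOMAIN\134max
# group: users
user::rwx
user:DOMAIN\134administrator:rwx
user:DOMAIN\134user1:rwx
user:DOMAIN\134domain\040admins:rwx
group::r-x
group:users:rwx
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::r-x
"""


def decode_escapes(s):
    """Undo getfacl's \\NNN octal escapes (\\134 -> '\\', \\040 -> ' ')."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_getfacl(text):
    """Parse one getfacl listing into a dict of access entries (default: skipped)."""
    acl = {"named_users": {}, "named_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                   # header: file / owner / group / flags
            key, _, value = line[1:].partition(":")
            acl[key.strip()] = decode_escapes(value.strip())
            continue
        if line.startswith("default:"):            # inherited by new children only
            continue
        tag, qualifier, perms = line.split(":", 2)
        qualifier = decode_escapes(qualifier)
        bits = frozenset(perms.split("#")[0].strip()) & PERM_BITS   # drop "#effective"
        if tag == "user" and qualifier:
            acl["named_users"][qualifier] = bits
        elif tag == "group" and qualifier:
            acl["named_groups"][qualifier] = bits
        else:                                      # user::, group::, mask::, other::
            acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = bits
    return acl


def access_allowed(acl, user, groups, want):
    """True if `user` (member of `groups`) holds every bit in `want`, per acl(5):
    owner -> named user (masked) -> any matching group entry (masked) -> other."""
    want, groups = frozenset(want), set(groups)
    mask = acl.get("mask", PERM_BITS)              # minimal ACLs carry no mask entry
    if user == acl["owner"]:
        return want <= acl["user_obj"]
    if user in acl["named_users"]:
        return want <= acl["named_users"][user] & mask
    candidates = [acl["group_obj"]] if acl["group"] in groups else []
    candidates += [b for g, b in acl["named_groups"].items() if g in groups]
    if candidates:   # some group entry matched: one of them must grant all wanted bits
        return any(want <= bits & mask for bits in candidates)
    return want <= acl["other"]


def effective_perms(acl, user, groups):
    """rwx-style string of the bits `user` can actually use on this object."""
    return "".join(b if access_allowed(acl, user, groups, b) else "-" for b in "rwx")


def first_traverse_denial(acl_texts, user, groups):
    """Walk getfacl listings of the directories leading to a target (share root
    first) and return the first one on which `user` lacks 'x', else None."""
    for text in acl_texts:
        acl = parse_getfacl(text)
        if not access_allowed(acl, user, groups, "x"):
            return acl["file"]
    return None


if __name__ == "__main__":
    user, groups = "DOMAIN\\user1", ["users"]   # assumed: user1's primary group is users
    for text in (NONWORKING_ACL, WORKING_ACL):
        acl = parse_getfacl(text)
        print(f"{acl['file']}: {user} -> {effective_perms(acl, user, groups)}")
```

Because a named-user entry short-circuits the check, the owner, `group::` and `other::` differences in the diff never come into play for `user1`; they only matter for accounts that have no matching user entry. Feeding `first_traverse_denial` the listings of every directory from the share root down is the quickest way to rule out a missing `x` on a parent.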