Nigel.Pain at scotland.gsi.gov.uk
2010-Feb-24 16:16 UTC
[Samba] Share Permissions on an ADS member server [NOT PROTECTIVELY MARKED]
Classification: NOT PROTECTIVELY MARKED

Samba 3.4.5
Solaris 9
Windows 2000 AD domain
Heimdal Kerberos 1.3.1

Samba is configured and the server is joined to the domain. wbinfo works as it should do, and so did getent when I had enumeration turned on. I can view and change security properties from a Windows client (as a member of the owner group). I've created a share and set permissions to directories within it. However, Samba does not seem to be honouring permissions for domain users. For example, from Windows clients any domain user can write to the directory /testshare/Communities/HASS, which has the following POSIX ACLs:

# file: Communities/HASS
# owner: u101529
# group: dl raes b isis css
user::rwx
group::rwx                      #effective:rwx
group:sdmu:rwx                  #effective:rwx
group:housing:rwx               #effective:rwx
group:dl just v cas:r-x         #effective:r-x
group:dl just b cas hass:rwx    #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:sdmu:rwx
default:group:housing:rwx
default:group:dl just v cas:r-x
default:group:dl just b cas hass:rwx
default:mask:rwx
default:other:---

Groups "dl raes b isis css", "dl just v cas" and "dl just b cas hass" and user u101529 are from the domain; the other groups are native UNIX ones. My understanding is that only the owner and members of sdmu, housing, "dl raes b isis css" and "dl just b cas hass" should be able to write to this directory, and nobody in groups not listed in the ACLs should even be able to open it. Native UNIX users and groups are still bound by these permissions. This is doing my head in, so any insights would be welcome!
smb.conf:

[global]
        unix charset = LOCALE
        workgroup = OURDOMAIN
        realm = OUR.REALM
        server string = MC18UNXA
        bind interfaces only = Yes
        security = ADS
        password server = dc.our.realm
        ntlm auth = No
        client NTLMv2 auth = Yes
        log level = 3
        log file = /usr/local/samba/var/log.%m
        max log size = 100
        domain master = No
        idmap alloc backend = tdb
        idmap uid = 70000-200000
        idmap gid = 70000-200000
        winbind use default domain = Yes

[testshare]
        path = /testshare
        read only = No
        acl group control = Yes
        inherit permissions = Yes
        inherit acls = Yes

----------------------------------------
Nigel Pain
The Scottish Government

********************************************************
This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s). Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted. If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return. Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes. The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.
********************************************************
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free. Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
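A way to check the poster's expectation against what the filesystem itself would decide, as an added example that is not part of the original post or of Samba: the script below parses the Solaris-style getfacl listing quoted above (embedded verbatim, default: entries dropped because they do not take part in access checks) and replays the POSIX.1e access algorithm (owner, then named user, then owning group and named groups capped by the mask, then other) for a user with a given group list. The user names and group memberships fed to it are constructed for illustration; on the real host the group list for a domain user would come from `id <user>` on the Samba server.

```python
"""Replay a POSIX.1e ACL access check from getfacl output.

Added example (not from the post or from Samba).  The ACL text is the
listing quoted in the post; the users and group memberships used below
are constructed for illustration.
"""

# Copied from the post.  "default:" entries only affect newly created
# children, so the parser skips them; "#effective:" annotations are stripped.
ACL_TEXT = """\
# file: Communities/HASS
# owner: u101529
# group: dl raes b isis css
user::rwx
group::rwx                      #effective:rwx
group:sdmu:rwx                  #effective:rwx
group:housing:rwx               #effective:rwx
group:dl just v cas:r-x         #effective:r-x
group:dl just b cas hass:rwx    #effective:rwx
mask:rwx
other:---
"""


def _perms(mode: str) -> frozenset:
    """'r-x' -> {'r', 'x'}."""
    return frozenset(c for c in mode.strip() if c in "rwx")


def parse_acl(text: str) -> dict:
    """Parse getfacl long-form output (Solaris/Linux style) into entries."""
    acl = {"user": {}, "group": {}}          # named users / named groups
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["owner_group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            parts = line.split(":")
            tag, mode = parts[0], _perms(parts[-1])
            qualifier = ":".join(parts[1:-1])  # names may contain spaces, never ':'
            if tag in ("user", "group"):
                if qualifier:
                    acl[tag][qualifier] = mode
                else:
                    acl[tag + "_obj"] = mode   # user::/group:: (owner / owning group)
            else:                              # mask / other (Solaris prints "mask:rwx")
                acl[tag] = mode
    return acl


def permitted(acl: dict, user: str, groups, want: str) -> bool:
    """POSIX.1e access check: may `user` (member of `groups`) get all of `want`?"""
    want = _perms(want)
    mask = acl.get("mask", frozenset("rwx"))
    if user == acl["owner"]:                         # 1. owning user, mask not applied
        return want <= acl["user_obj"]
    if user in acl["user"]:                          # 2. named user, capped by mask
        return want <= (acl["user"][user] & mask)
    groups = set(groups)
    candidates = []
    if acl["owner_group"] in groups:                 # 3. owning group and named groups
        candidates.append(acl["group_obj"])
    candidates += [p for g, p in acl["group"].items() if g in groups]
    if candidates:
        # One matching group entry that covers the whole request is enough.
        return any(want <= (p & mask) for p in candidates)
    return want <= acl["other"]                      # 4. everyone else


def effective(acl: dict, user: str, groups) -> str:
    """Per-bit summary: which single-permission requests would succeed."""
    return "".join(c if permitted(acl, user, groups, c) else "-" for c in "rwx")


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed users; memberships are illustrative, not real domain data.
    for user, groups in [("u101529", []),
                         ("alice", ["dl just v cas"]),
                         ("bob", ["staff"]),
                         ("dave", ["dl raes b isis css"])]:
        print(f"{user:8} {groups}: {effective(acl, user, groups)}")
```

Run with the group list that `id <domainuser>` prints on the Samba host: if the script says "---" or "r-x" for a user who can nevertheless write through the share, the discrepancy is between the identity the server resolves for that SMB session and the identity you assumed, not in the ACL itself. Changing the mask line (for example to `mask:r-x`) shows the cap the mask puts on every named group and on the owning group, while the owner entry is never masked.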