samba - Oct 2014 - security settings on [home] share for use in member server

Hi all,

I am referring to the official wiki here:
https://wiki.samba.org/index.php/Setting_up_a_home_share#Setting_up_the_share_and_filesystem_permissions

I was struggling around for many hours before I have found out what caused my
issue. Well, I have created the [home] share exactly as epxlained on the How-To,
in detail: I am creating on the linux prompt at the member server the directory
with "mkdir -p /srv/samba/home" and then I apply the Windows ACL
settings as shown on the wiki link:

"Authenticated Users" have read access on (this folder only)
"Domain Admins" have full access (this folder, subfolder and files)
"SYSTEM" have full access (this folder, subfolder and files)
"Creator-Owner" have full access (subfolders and files)

Afterwards, when I check the ACL settings on the linux prompt at my member
server I get following output:

root at membersrv1:~# getfacl /srv/samba/home

# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

As you can see, there is one big mistake ==> Only the group "Domain
Admins" got full (rwx) rights ! With that setting a normal domain user is
*not* possible to access that [home] share at all. But it will work, when I do
following change:

I remove "Authenticated Users" from the security settings and instead
I add "Domain Users" with the same security settings as shown above,
that means: READ/LIST/EXECUTE rights (this folder only). When I use "Domain
Users" group instead of "Authenticated Users", the ACL settings
on linux prompt are as shown here:

root at membersrv1:/~# getfacl /srv/samba/home
# file: home
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

With these settings a domain user can make use of the [home] share as expected.
Now why I am saying all this? If this can be proofed by someone else and is
correct, it would be nice if the corresponding persons could modify the wiki
content. Because the wiki says:

[...] Note: If you have the requirement, that your users need to access their 
home folder locally on the server, too, you have to add a group that 
contains these user accounts. Add this group in all steps below and set 
the permissions to exactly the same than for ?Authenticated users?. Of 
course this group must be available locally trough Winbindd, sssd, 
nslcd, or other. This is required, because if the user log in locally on
 the server, there is no ?Authenticated User?! 
[...]

[...] If you have the requirement, that your users need access their home 
folder locally on the server, too, additionally or add a group that 
contains these user accounts. Because if the user log in locally on the 
server, there is no ?Authenticated User?! The permissions for this 
additional group have to be the same than for ?Authenticated users? [...]

That is completely right what the wiki says, but unfortunately it doesn't
make it clear (imho) that I *need* "Domain Users" *even when not
intending* to need my users access their home folder locally on the server. My
domain users don't login locally on the memberserver to access their home
directory, they just need accessing the [home]/username directory through their
windows clients.

Any comment welcome,

thanks in advance,
Mirco

My experience is that if you set Windows ACLs, Samba will try to create 
Linux ACLs that resemble the Windows ACLs as closely as possible, but 
only local users will feel them. Users who access the files via Samba 
will only feel the Windows ACLs. So you can simply ignore the output of 
getfacl.

> My experience is that if you set Windows ACLs, Samba will try to create 
> Linux ACLs that resemble the Windows ACLs as closely as possible, but 
> only local users will feel them. Users who access the files via Samba 
> will only feel the Windows ACLs. So you can simply ignore the output of 
> getfacl.
Maybe, but I don't rely only the linux ACLs which I showed on linux prompt,
but also to the result. The result at the beginning is unfortunately, that
a user home dir, that was initially created by an Administrator with the
ADUC tool, was *not* accessible by the user itself, only by Admins. The
explanation is on my initially posting.

Hai 

I checked my settings and this is what i have
but this i also about how you want to use the "home" share. 

In my case, /home/users  has linux 2770 ( root:root) 
drwxrwx--T+  7 root   root   4096 Oct 14 11:48 users

[home]
   path = /home/users
   read only = no
   vfs objects = acl_xattr recycle
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:maxsize = 1073741824

in the share rights, i have 
Verified users ( full access)
SYSTEM	   ( full access)
Domain Admins  ( full access)

on the security tab. 	
Creator Owner		( special )	Only subfolders and files
Verified users 		( special ) Only this folder
SYSTEM	   		( full access) This folder, subfolders and files
DOMAIN\Domain Admins  	( full access) This folder, subfolders and files
DOMAIN\Administrator	( full access) This folder, subfolders and files

now when you create your users and set the home folder in the ADUC tool.
with \\servername\home\%username%  the user folder wil be created with the
correct rights.
like as the security tab but with extra
the created users with full access. 

and this works ok.
i have domain admins on the users only because i use a share as 
\\home\users$  so if needed the domain admins have access in the user folders.


so above is correct, i have seen your error, look for it and try to fix it.
If you cant find it, email again ;-) 


Greetz, 

Louis

>-----Oorspronkelijk bericht-----
>Van: micromegas at mail333.com 
>[mailto:samba-bounces at lists.samba.org] Namens ?icro MEGAS
>Verzonden: dinsdag 28 oktober 2014 17:22
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] security settings on [home] share for use 
>in member server
>
>Hi all,
>
>I am referring to the official wiki here:
>https://wiki.samba.org/index.php/Setting_up_a_home_share#Settin
>g_up_the_share_and_filesystem_permissions
>
>I was struggling around for many hours before I have found out 
>what caused my issue. Well, I have created the [home] share 
>exactly as epxlained on the How-To, in detail: I am creating 
>on the linux prompt at the member server the directory with 
>"mkdir -p /srv/samba/home" and then I apply the Windows ACL 
>settings as shown on the wiki link:
>
>"Authenticated Users" have read access on (this folder only)
>"Domain Admins" have full access (this folder, subfolder and
files)
>"SYSTEM" have full access (this folder, subfolder and files)
>"Creator-Owner" have full access (subfolders and files)
>
>Afterwards, when I check the ACL settings on the linux prompt 
>at my member server I get following output:
>
>root at membersrv1:~# getfacl /srv/samba/home
>
># file: home
># owner: root
># group: root
>user::rwx
>user:root:rwx
>group::---
>group:root:---
>group:domain\040admins:rwx
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:group::---
>default:group:root:---
>default:group:domain\040admins:rwx
>default:mask::rwx
>default:other::---
>
>As you can see, there is one big mistake ==> Only the group 
>"Domain Admins" got full (rwx) rights ! With that setting a 
>normal domain user is *not* possible to access that [home] 
>share at all. But it will work, when I do following change:
>
>I remove "Authenticated Users" from the security settings and 
>instead I add "Domain Users" with the same security settings 
>as shown above, that means: READ/LIST/EXECUTE rights (this 
>folder only). When I use "Domain Users" group instead of 
>"Authenticated Users", the ACL settings on linux prompt are as 
>shown here:
>
>root at membersrv1:/~# getfacl /srv/samba/home
># file: home
># owner: root
># group: root
>user::rwx
>user:root:rwx
>group::---
>group:root:---
>group:domain\040users:r-x
>group:domain\040admins:rwx
>mask::rwx
>other::---
>default:user::rwx
>default:user:root:rwx
>default:group::---
>default:group:root:---
>default:group:domain\040admins:rwx
>default:mask::rwx
>default:other::---
>
>With these settings a domain user can make use of the [home] 
>share as expected. Now why I am saying all this? If this can 
>be proofed by someone else and is correct, it would be nice if 
>the corresponding persons could modify the wiki content. 
>Because the wiki says:
>
>[...] Note: If you have the requirement, that your users need 
>to access their 
>home folder locally on the server, too, you have to add a group that 
>contains these user accounts. Add this group in all steps 
>below and set 
>the permissions to exactly the same than for ?Authenticated users?. Of 
>course this group must be available locally trough Winbindd, sssd, 
>nslcd, or other. This is required, because if the user log in 
>locally on
> the server, there is no ?Authenticated User?! 
>[...]
>
>[...] If you have the requirement, that your users need access 
>their home 
>folder locally on the server, too, additionally or add a group that 
>contains these user accounts. Because if the user log in 
>locally on the 
>server, there is no ?Authenticated User?! The permissions for this 
>additional group have to be the same than for ?Authenticated 
>users? [...]
>
>That is completely right what the wiki says, but unfortunately 
>it doesn't make it clear (imho) that I *need* "Domain Users" 
>*even when not intending* to need my users access their home 
>folder locally on the server. My domain users don't login 
>locally on the memberserver to access their home directory, 
>they just need accessing the [home]/username directory through 
>their windows clients.
>
>Any comment welcome,
>
>thanks in advance,
>Mirco
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>

yes, your correct if ... 
you also use : 
acl_xattr:ignore system acl = yes 
on the share, then what your saying below is totaly correct. 

If you dont set ignore system acl, the linux rights DO count.


Louis


>-----Oorspronkelijk bericht-----
>Van: hartnegg at uni-freiburg.de 
>[mailto:samba-bounces at lists.samba.org] Namens Klaus Hartnegg
>Verzonden: dinsdag 28 oktober 2014 17:56
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] security settings on [home] share for 
>use in member server
>
>My experience is that if you set Windows ACLs, Samba will try 
>to create 
>Linux ACLs that resemble the Windows ACLs as closely as possible, but 
>only local users will feel them. Users who access the files via Samba 
>will only feel the Windows ACLs. So you can simply ignore the 
>output of 
>getfacl.
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>