Trond Hasle Amundsen
2016-Feb-08 12:54 UTC
[Samba] Using filegroup for access control within a share
Hi,

I have an issue with using a UNIX filegroup for access control within a share. The situation is like this:

Given a share "test" which exports "/test" to a NIS netgroup "foo", I want to limit access to the directory "/test/restricted" to a specific filegroup "bar". All members of the filegroup "bar" are also members of the netgroup "foo".

This works fine with Samba 3.x, but not with Samba 4.x. When setting owner/group to root/bar on "/test/restricted" and mode=770, access is denied for all users.

What can I do to make this work with Samba 4.x? Or is this simply not possible anymore?

Regards,
--
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo
Jeremy Allison
2016-Feb-09 23:17 UTC
[Samba] Using filegroup for access control within a share
On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
> Hi,
>
> I have an issue with using a UNIX filegroup for access control within a
> share. The situation is like this:
>
> Given a share "test" which exports "/test" to a NIS netgroup "foo", I
> want to limit access to the directory "/test/restricted" to a specific
> filegroup "bar". All members of the filegroup "bar" are also members of
> the netgroup "foo".
>
> This works fine with Samba 3.x, but not with Samba 4.x. When setting
> owner/group to root/bar on "/test/restricted" and mode=770, access is
> denied for all users.
>
> What can I do to make this work with Samba 4.x? Or is this simply not
> possible anymore?

More details and smb.conf on exactly how you've set this up please !
Trond Hasle Amundsen
2016-Feb-10 07:44 UTC
[Samba] Using filegroup for access control within a share
On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
> > Hi,
> >
> > I have an issue with using a UNIX filegroup for access control within a
> > share. The situation is like this:
> >
> > Given a share "test" which exports "/test" to a NIS netgroup "foo", I
> > want to limit access to the directory "/test/restricted" to a specific
> > filegroup "bar". All members of the filegroup "bar" are also members of
> > the netgroup "foo".
> >
> > This works fine with Samba 3.x, but not with Samba 4.x. When setting
> > owner/group to root/bar on "/test/restricted" and mode=770, access is
> > denied for all users.
> >
> > What can I do to make this work with Samba 4.x? Or is this simply not
> > possible anymore?
>
> More details and smb.conf on exactly how you've set this up please !

Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know if more information is needed, or if there is something you'd like me to try.
[global]
auto services = homes
load printers = yes
print command = /usr/bin/ppr -r -P%p -J@%m -Xprint_errors=false -u%u@%M -Xsmbclient=true -Xusepstitle=true %s
printing = bsd
lpq command = /usr/bin/ppq -P%p
lpq cache time = 30
socket options = SO_KEEPALIVE TCP_NODELAY
deadtime = 60
unix charset = UTF8
unix extensions = no
wide links = yes
follow symlinks = yes
max protocol = SMB3
security = ads
client ntlmv2 auth = yes
lanman auth = no
ntlm auth = no
server schannel = yes
client signing = auto
password server = *
realm = EXAMPLE.COM
workgroup = EXAMPLE
disable netbios = yes
hostname lookups = yes
syslog = 0
time server = yes
domain logons = no

[homes]
comment = Home
veto files = /.rsrc/
delete veto files = yes
nt acl support = no
inherit permissions = yes
guest ok = no
invalid users = root
browsable = no
read only = no
strict locking = no

[test]
path = /test
create mode = 0774
directory mode = 0775
browseable = yes
public = no
guest ok = no
read only = no
invalid users = root
valid users = @foo
veto files = /.??*/

The directory /test contains:

-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file1.txt
-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file2.txt
drwxrwx---. 2 root bar 36 Dec 9 16:32 restricted

The group "foo" is both a filegroup and a netgroup, containing the same members. Samba version used is 4.2.3 (rhel7.2).

Regards,
--
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo
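The decisive question in a setup like the one above is which groups actually end up in the authenticated session's token, because the owner/group/other mode-bit check on /test/restricted (root:bar, 770) only consults the group class when the token carries "bar"; a user who is in the "bar" group file entry but whose session token lacks it falls through to the "other" bits and is denied. The script below is an added example written for this page, not code from the thread or from Samba: it parses the posted ls -l listing and evaluates the POSIX check for a constructed user "alice" with and without "bar" in her group set, so an administrator can compare the expected outcome against what the server's session really holds.

```python
"""Model of the POSIX owner/group/other check that decides access to a
directory such as /test/restricted (root:bar, mode 770).

Added example; not code from the thread or from Samba. The user name
'alice' and the group sets passed in are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Listing of /test as posted in the thread (copied here so the example runs offline).
LS_LISTING = """\
-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file1.txt
-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file2.txt
drwxrwx---. 2 root bar 36 Dec 9 16:32 restricted
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    owner: str
    group: str
    mode: int  # the nine rwx permission bits, e.g. 0o770


def parse_mode(perm: str) -> int:
    """Turn an ls-style 'rwxrwx---' string into its 9-bit mode value.
    'S' and 'T' denote setuid/setgid/sticky without the execute bit, so
    they count as cleared; 's' and 't' include execute and count as set."""
    if len(perm) < 9:
        raise ValueError(f"bad permission string: {perm!r}")
    bits = 0
    for ch in perm[:9]:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def parse_ls_line(line: str) -> Entry:
    """Parse one 'ls -l' line: type+perms, links, owner, group, size, date (3 fields), name."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError(f"unexpected ls -l line: {line!r}")
    # A trailing '.' or '+' flags an SELinux context or a POSIX ACL; not part of the mode.
    type_and_perm = fields[0].rstrip(".+")
    return Entry(
        name=" ".join(fields[8:]),
        is_dir=type_and_perm[0] == "d",
        owner=fields[2],
        group=fields[3],
        mode=parse_mode(type_and_perm[1:]),
    )


def parse_listing(listing: str) -> list[Entry]:
    return [parse_ls_line(l) for l in listing.splitlines() if l.strip()]


def can_access(entry: Entry, user: str, groups: set[str], want: str = "rx") -> bool:
    """Classic DAC check: only the first matching class (owner, then group,
    then other) is consulted. 'groups' is the set of group names present in
    the session token; a token that lacks the entry's group falls through to
    the 'other' bits even if /etc/group or NIS lists the user as a member."""
    want_bits = 0
    for ch in want:
        want_bits |= PERM_BITS[ch]
    if user == "root":
        return True  # root bypasses the mode bits entirely
    if user == entry.owner:
        granted = (entry.mode >> 6) & 0o7
    elif entry.group in groups:
        granted = (entry.mode >> 3) & 0o7
    else:
        granted = entry.mode & 0o7
    return granted & want_bits == want_bits


def report(listing: str, user: str, groups: set[str]) -> dict[str, bool]:
    """Map each entry name to whether 'user' with 'groups' can open it:
    read+search for directories, read for plain files."""
    result = {}
    for e in parse_listing(listing):
        result[e.name] = can_access(e, user, groups, "rx" if e.is_dir else "r")
    return result


if __name__ == "__main__":
    # Constructed cases: a token carrying only 'foo', then one that also carries 'bar'.
    print(report(LS_LISTING, "alice", {"foo"}))
    print(report(LS_LISTING, "alice", {"foo", "bar"}))
```

With only "foo" in the token the two files are readable and "restricted" is denied; adding "bar" flips "restricted" to allowed. The useful comparison on a real server is between the group set this model needs and the group set the Samba session actually receives for the connecting user.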