samba - Feb 2016 - Using filegroup for access control within a share

Hi,

I have an issue with using a UNIX filegroup for access control within a
share. The situation is like this:

Given a share "test" which exports "/test" to a NIS netgroup
"foo", I
want to limit access to the directory "/test/restricted" to a specific
filegroup "bar". All members of the filegroup "bar" are also
members of
the netgroup "foo".

This works fine with Samba 3.x, but not with Samba 4.x. When setting
owner/group to root/bar on "/test/restricted" and mode=770, access is
denied for all users.

What can I do to make this work with Samba 4.x? Or is this simply not
possible anymore? 

Regards,
-- 
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo

On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen
wrote:
> Hi,
> 
> I have an issue with using a UNIX filegroup for access control within a
> share. The situation is like this:
> 
> Given a share "test" which exports "/test" to a NIS
netgroup "foo", I
> want to limit access to the directory "/test/restricted" to a
specific
> filegroup "bar". All members of the filegroup "bar" are
also members of
> the netgroup "foo".
> 
> This works fine with Samba 3.x, but not with Samba 4.x. When setting
> owner/group to root/bar on "/test/restricted" and mode=770,
access is
> denied for all users.
> 
> What can I do to make this work with Samba 4.x? Or is this simply not
> possible anymore? 
More details and smb.conf on exactly how you've set this up please !

On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
> > Hi,
> > 
> > I have an issue with using a UNIX filegroup for access control within
a
> > share. The situation is like this:
> > 
> > Given a share "test" which exports "/test" to a
NIS netgroup "foo", I
> > want to limit access to the directory "/test/restricted" to
a specific
> > filegroup "bar". All members of the filegroup
"bar" are also members of
> > the netgroup "foo".
> > 
> > This works fine with Samba 3.x, but not with Samba 4.x. When setting
> > owner/group to root/bar on "/test/restricted" and mode=770,
access is
> > denied for all users.
> > 
> > What can I do to make this work with Samba 4.x? Or is this simply not
> > possible anymore? 
> 
> More details and smb.conf on exactly how you've set this up please !
Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know
if more information is needed, or if there is something you'd like me to
try.

[global]
        auto services = homes
        load printers = yes
        print command = /usr/bin/ppr -r -P%p -J@%m -Xprint_errors=false
-u%u@%M -Xsmbclient=true -Xusepstitle=true %s
        printing = bsd
        lpq command = /usr/bin/ppq -P%p
        lpq cache time = 30
        socket options = SO_KEEPALIVE TCP_NODELAY
        deadtime = 60
        unix charset = UTF8
        unix extensions = no
        wide links = yes
        follow symlinks = yes
        max protocol = SMB3
        security = ads
        client ntlmv2 auth = yes
        lanman auth = no
        ntlm auth = no
        server schannel = yes
        client signing = auto
        password server = *
        realm = EXAMPLE.COM
        workgroup = EXAMPLE
        disable netbios = yes
        hostname lookups = yes
        syslog = 0
        time server = yes
        domain logons = no

[homes]
        comment = Home
        veto files = /.rsrc/
        delete veto files = yes
        nt acl support = no
        inherit permissions = yes
        guest ok = no
        invalid users = root
        browsable = no
        read only = no
        strict locking = no

[test]
        path = /test
        create mode = 0774
        directory mode = 0775
        browseable = yes
        public = no
        guest ok = no
        read only = no
        invalid users = root
        valid users = @foo
        veto files = /.??*/


The directory /test contains:

-rwxrwxr-x. 1 root foo     0 Dec  9 16:26 file1.txt
-rwxrwxr-x. 1 root foo     0 Dec  9 16:26 file2.txt
drwxrwx---. 2 root bar    36 Dec  9 16:32 restricted

The group "foo" is both filegroup and netgroup, containing the same
members. Samba version used is 4.2.3 (rhel7.2).

Regards,
-- 
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo