Trond Hasle Amundsen
2016-Feb-10 07:44 UTC
[Samba] Using filegroup for access control within a share
On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
> > Hi,
> >
> > I have an issue with using a UNIX filegroup for access control within a
> > share. The situation is like this:
> >
> > Given a share "test" which exports "/test" to a NIS netgroup "foo", I
> > want to limit access to the directory "/test/restricted" to a specific
> > filegroup "bar". All members of the filegroup "bar" are also members of
> > the netgroup "foo".
> >
> > This works fine with Samba 3.x, but not with Samba 4.x. When setting
> > owner/group to root/bar on "/test/restricted" and mode=770, access is
> > denied for all users.
> >
> > What can I do to make this work with Samba 4.x? Or is this simply not
> > possible anymore?
>
> More details and smb.conf on exactly how you've set this up please !

Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know
if more information is needed, or if there is something you'd like me to
try.

[global]
auto services = homes
load printers = yes
print command = /usr/bin/ppr -r -P%p -J@%m -Xprint_errors=false -u%u@%M -Xsmbclient=true -Xusepstitle=true %s
printing = bsd
lpq command = /usr/bin/ppq -P%p
lpq cache time = 30
socket options = SO_KEEPALIVE TCP_NODELAY
deadtime = 60
unix charset = UTF8
unix extensions = no
wide links = yes
follow symlinks = yes
max protocol = SMB3
security = ads
client ntlmv2 auth = yes
lanman auth = no
ntlm auth = no
server schannel = yes
client signing = auto
password server = *
realm = EXAMPLE.COM
workgroup = EXAMPLE
disable netbios = yes
hostname lookups = yes
syslog = 0
time server = yes
domain logons = no

[homes]
comment = Home
veto files = /.rsrc/
delete veto files = yes
nt acl support = no
inherit permissions = yes
guest ok = no
invalid users = root
browsable = no
read only = no
strict locking = no

[test]
path = /test
create mode = 0774
directory mode = 0775
browseable = yes
public = no
guest ok = no
read only = no
invalid users = root
valid users = @foo
veto files = /.??*/

The directory /test contains:

-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file1.txt
-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file2.txt
drwxrwx---. 2 root bar 36 Dec 9 16:32 restricted

The group "foo" is both filegroup and netgroup, containing the same
members. Samba version used is 4.2.3 (rhel7.2).

Regards,
--
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo
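As an added illustration (not code from the thread), here is a small Python check of what plain POSIX mode bits decide for the listing above: a user whose resolved group list contains only foo can read file1.txt but cannot enter restricted, while a user whose list also contains bar gets in. The user names are constructed; the practical point is that the group list the server resolves for the session user (through its NSS source) must actually contain bar.

```python
import re

# Constructed sample: the "ls -l" lines from the message above.
LISTING = """\
-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file1.txt
-rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file2.txt
drwxrwx---. 2 root bar 36 Dec 9 16:32 restricted
"""
# type, 9 permission chars, optional SELinux dot, links, owner, group, size, month, day, time, name
LS_RE = re.compile(r"^([d-])([rwx-]{9})\.?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse_mode(bits):
    """Turn 'rwxrwx---' into the numeric permission bits (0o770)."""
    mode = 0
    for i, ch in enumerate(bits):
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode

def parse_listing(text):
    """Map each name in an ls -l listing to its type, mode, owner and group."""
    entries = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m:
            raise ValueError(f"unparsable ls line: {line!r}")
        kind, bits, owner, group, name = m.groups()
        entries[name] = {"dir": kind == "d", "mode": parse_mode(bits),
                         "owner": owner, "group": group}
    return entries

def posix_allows(entry, user, groups, want):
    """Classic mode-bit check: owner class, else group class, else other.
    'groups' must be the full group list the server resolves for the user."""
    shift = {"r": 2, "w": 1, "x": 0}[want]
    if user == entry["owner"]:
        cls = 6
    elif entry["group"] in groups:
        cls = 3
    else:
        cls = 0
    return bool((entry["mode"] >> (cls + shift)) & 1)

def reachable(entries, user, groups):
    """Which names the user can read (files) or enter and list (directories)."""
    result = {}
    for name, e in entries.items():
        needed = ("r", "x") if e["dir"] else ("r",)
        result[name] = all(posix_allows(e, user, groups, w) for w in needed)
    return result
```

Comparing this expected outcome with what the share actually returns for a user known to be in bar narrows the problem to the identity side (which groups the server's NSS source and winbind report for that user) rather than the mode bits themselves.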
Rowland penny
2016-Feb-10 09:20 UTC
[Samba] Using filegroup for access control within a share
On 10/02/16 07:44, Trond Hasle Amundsen wrote:
> On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
>> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
>>> [...]
>>> This works fine with Samba 3.x, but not with Samba 4.x. When setting
>>> owner/group to root/bar on "/test/restricted" and mode=770, access is
>>> denied for all users.
>>> [...]
>> More details and smb.conf on exactly how you've set this up please !
> Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know
> if more information is needed, or if there is something you'd like me to
> try.
> [...]
> The group "foo" is both filegroup and netgroup, containing the same
> members. Samba version used is 4.2.3 (rhel7.2).
>
> Regards,

Are you using sssd or nslcd instead of winbind ?

Rowland
Trond Hasle Amundsen
2016-Feb-10 09:41 UTC
[Samba] Using filegroup for access control within a share
On Wed, 2016-02-10 at 09:20 +0000, Rowland penny wrote:
> On 10/02/16 07:44, Trond Hasle Amundsen wrote:
> > [...]
> > The group "foo" is both filegroup and netgroup, containing the same
> > members. Samba version used is 4.2.3 (rhel7.2).
>
> Are you using sssd or nslcd instead of winbind ?

SSSD is running, configured to use an OpenLDAP server (i.e. not AD) as id and auth provider. We're not using nslcd. AD does not have the UNIX extension (or whatever it's called), so UIDs and GIDs will differ between AD and OpenLDAP/SSSD. Samba is the only service that uses AD.

We're running winbindd, simply because we experienced instability (can't remember the details) without it on Samba 4.2/rhel7. We're not running winbindd on Samba 3.6/rhel6. Winbind is running unconfigured (with default configuration).

Regards,
--
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo