VELARTIS Philipp Dürhammer
2018-Aug-06 21:27 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
Hi,

we have some Samba shares joined to an existing Windows AD. Everything works well with complex user rights. But the problem is that when a user creates a new file the standard windows group (domain-user) is also applied as a permission to the file. This breaks all the security because all users now have full access to this file (because all users are in the domain-user group). All parent directories do not have this permission set. Where does it come from?

Thank you
Rowland Penny
2018-Aug-07 07:57 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Mon, 6 Aug 2018 21:27:41 +0000
VELARTIS Philipp Dürhammer via samba <samba at lists.samba.org> wrote:

> Hi,
>
> we have some Samba shares joined to an existing Windows AD.
> Everything works well with complex user rights.
> But the problem is that when a user creates a new file the standard
> windows group (domain-user) is also applied as a permission to the
> file. This breaks all the security because all users now have full
> access to this file (because all users are in the domain-user group).
> All parent directories do not have this permission set. Where does it
> come from?
>
> Thank you

It comes from the user ;-)

What OS?
What Samba version?
Can you post your smb.conf?

Rowland
Rowland Penny
2018-Aug-07 12:38 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Tue, 7 Aug 2018 11:52:31 +0000
VELARTIS Philipp Dürhammer <p.duerhammer at velartis.at> wrote:

> Hi,
>
> Ubuntu 16.04, newest updates. Windows 2016 Server RD and
> domain controller. When we set the rights through Windows everything
> is fine. But creating files on a Windows share always adds the primary
> group "Domänen-Benutzer" to the file. And every user is in this
> group. This just breaks permissions...

Can I suggest you remove these lines:

idmap uid = 10000-100000000
idmap gid = 10000-100000000
password server = dc1.vhh.local, dc2.vhh.local
wins server 10.0.118.2 10.0.118.3
encrypt passwords = true
client use spnego = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = true
winbind offline logon = false
dns forwarder = 10.0.118.2
idmap_ldb:use rfc2307 = yes

They are either default settings, deprecated, or just plain shouldn't be in a Unix domain member's smb.conf.

You also have in the [sc1_main] share:

writeable = yes
read only = no

You only need one; I am sure if you look hard enough at those lines, you will realise they mean the same thing ;-)

We now come to your real problem. Where did you get this from?

idmap backend = idmap_rid:VHH=10000-100000000

I would have expected something like this:

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config VHH : backend = rid
idmap config VHH : range = 10000-999999

Not that it would help you with your problem with 'Domain Users'. By default, every AD user is a member of 'Domain Users' and so, when you use the 'rid' backend, every Unix user gets the group as their primary group.

The only way to change this is by using a version of Samba >= 4.6.0 and using the 'ad' backend with idmap config lines similar to these:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VHH : backend = ad
idmap config VHH : schema_mode = rfc2307
idmap config VHH : unix_nss_info = yes
idmap config VHH : unix_primary_group = yes
idmap config VHH : range = 10000-999999

You would then need to give all your users a unique uidNumber attribute containing a number inside the range you set in smb.conf; you would also need to give the user a gidNumber attribute containing the gidNumber of the required group to use instead of 'Domain Users'.

Rowland
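The checks Rowland walks through above, written up as an added shell example that is not part of this thread or of Samba itself: a small linter that reads an smb.conf and reports the settings he says to drop, the old `idmap backend = idmap_rid:...` syntax, a share that sets both `writeable` and `read only`, and the idmap layout (no `*` backend/range, a `rid` per-domain backend, or an `ad` backend without `unix_primary_group`), plus a check over an LDIF export that every user carries a uidNumber inside the configured range and a gidNumber. The domain name VHH and the ranges are taken from the thread; the two smb.conf files, the share contents, the user entries and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from this thread or the Samba project: lint an
# smb.conf for the points Rowland raises and check an LDIF export for the
# uidNumber/gidNumber attributes the 'ad' backend relies on. Domain name VHH
# and the ranges come from the thread; sample files and users are constructed.

# Settings Rowland asked to remove: defaults, deprecated, or not for a member.
DROP_KEYS='idmap uid|idmap gid|password server|wins server|encrypt passwords|client use spnego|winbind enum users|winbind enum groups|winbind nested groups|winbind use default domain|winbind offline logon|dns forwarder|idmap_ldb:use rfc2307'

# lint_smbconf FILE: prints one finding per line, nothing for a clean file.
lint_smbconf() {
    norm=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[;#]/d' -e '/^$/d' "$1")
    # 1. settings that should not be in a domain member's smb.conf
    printf '%s\n' "$norm" | grep -E -i "^($DROP_KEYS)([[:space:]]|=|\$)" | sed 's/^/remove: /'
    # 2. pre-'idmap config' syntax
    printf '%s\n' "$norm" | grep -i '^idmap backend[[:space:]]*=' | sed 's/^/legacy-idmap: /'
    # 3. a share that sets both 'writeable' and 'read only' (same meaning)
    printf '%s\n' "$norm" | awk -F'=' '
        /^\[/ { sec = $0; w = 0; r = 0; next }
        { key = tolower($1); gsub(/ +$/, "", key) }
        key == "writeable" || key == "writable" { w = 1 }
        key == "read only" { r = 1 }
        w && r && !done[sec] { print "redundant: " sec " sets both writeable and read only"; done[sec] = 1 }'
    # 4. idmap layout: '*' backend and range, then the per-domain backend
    idmap=$(printf '%s\n' "$norm" | grep -i '^idmap config' \
            | sed -e 's/[[:space:]]*:[[:space:]]*/:/' -e 's/[[:space:]]*=[[:space:]]*/=/')
    printf '%s\n' "$idmap" | grep -q '^idmap config \*:backend=' || echo "missing: idmap config * : backend"
    printf '%s\n' "$idmap" | grep -q '^idmap config \*:range=' || echo "missing: idmap config * : range"
    dom_be=$(printf '%s\n' "$idmap" | grep -v '^idmap config \*:' | grep ':backend=' | head -n 1 | sed 's/.*=//')
    [ -n "$dom_be" ] || dom_be=$(printf '%s\n' "$norm" | sed -n 's/^idmap backend *= *idmap_\([a-z]*\)[: ].*/\1/p')
    case "$dom_be" in
        rid) echo "note: rid backend gives every user 'Domain Users' as primary group" ;;
        ad)  printf '%s\n' "$idmap" | grep -q ':unix_primary_group=yes' \
                 || echo "missing: idmap config DOM : unix_primary_group = yes" ;;
        '')  echo "missing: per-domain idmap config backend" ;;
    esac
}

# check_ldif FILE LOW HIGH: reports users without a uidNumber in [LOW,HIGH]
# or without a gidNumber, i.e. the users the 'ad' backend cannot map.
check_ldif() {
    awk -v lo="$2" -v hi="$3" '
        function flush() {
            if (uid == "") print "no uidNumber: " dn
            else if (uid + 0 < lo + 0 || uid + 0 > hi + 0) print "uidNumber out of range: " dn " (" uid ")"
            if (gid == "") print "no gidNumber: " dn
        }
        /^dn:/ { if (dn != "") flush(); dn = $0; sub(/^dn: */, "", dn); uid = ""; gid = ""; next }
        /^uidNumber:/ { uid = $2 }
        /^gidNumber:/ { gid = $2 }
        END { if (dn != "") flush() }' "$1"
}

# --- constructed samples written to a temporary directory ---
WORK=$(mktemp -d)
SMB_BEFORE=$WORK/before.conf   # the layout the thread started with
SMB_AFTER=$WORK/after.conf     # Rowland's 'ad' backend layout
LDIF_SAMPLE=$WORK/users.ldif   # constructed users, not real directory data
cat > "$SMB_BEFORE" <<'EOF'
[global]
idmap uid = 10000-100000000
idmap gid = 10000-100000000
idmap backend = idmap_rid:VHH=10000-100000000
password server = dc1.vhh.local, dc2.vhh.local
wins server = 10.0.118.2 10.0.118.3
encrypt passwords = true
client use spnego = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = true
winbind offline logon = false
dns forwarder = 10.0.118.2
idmap_ldb:use rfc2307 = yes
[sc1_main]
writeable = yes
read only = no
EOF
cat > "$SMB_AFTER" <<'EOF'
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VHH : backend = ad
idmap config VHH : schema_mode = rfc2307
idmap config VHH : unix_nss_info = yes
idmap config VHH : unix_primary_group = yes
idmap config VHH : range = 10000-999999
[sc1_main]
read only = no
EOF
cat > "$LDIF_SAMPLE" <<'EOF'
dn: CN=Alice Example,CN=Users,DC=vhh,DC=local
uidNumber: 10001
gidNumber: 10500

dn: CN=Bob Example,CN=Users,DC=vhh,DC=local
uidNumber: 5000

dn: CN=Carol Example,CN=Users,DC=vhh,DC=local
gidNumber: 10500
EOF

echo "== before"; lint_smbconf "$SMB_BEFORE"
echo "== after";  lint_smbconf "$SMB_AFTER"
echo "== ldif";   check_ldif "$LDIF_SAMPLE" 10000 999999
```

Run against the first file it lists the thirteen lines to drop, the legacy idmap line, the duplicated share flags, the two missing `idmap config *` lines and the note that `rid` makes 'Domain Users' everyone's primary group; against the second it prints nothing. The LDIF check is the step to run before switching to the `ad` backend, since a user with no uidNumber or one outside the range simply stops resolving on the member server. To use it on a real export, `ldbsearch`/`ldapsearch` output in LDIF form can be fed in place of the constructed file.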
Robert Marcano
2018-Aug-07 13:02 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On 08/07/2018 08:38 AM, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 11:52:31 +0000...
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config VHH : backend = ad
> idmap config VHH : schema_mode = rfc2307
> idmap config VHH : unix_nss_info = yes
> idmap config VHH : unix_primary_group = yes
> idmap config VHH : range = 10000-999999
>
> You would then need to give all your users a unique uidNumber attribute
> containing a number inside the range you set in smb.conf, you would
> also need to give the user a gidNumber attribute containing the
> gidNumber of the required group to use instead of 'Domain Users'.
>
> Rowland
>

Greetings, just making a note for a feature request that could help in the future. One of the reasons we decided to use SSSD instead of winbind on our domain members was the SSSD AD domain option:

auto_private_groups = True

That synthesizes private groups for all domain users. Winbind with the algorithmic mapping provided by the rid backend would have been sufficient if it had an option like this one. We did not want to give the Windows domain admin too much power defining POSIX uid and gid attributes on the Linux servers.
Rowland Penny
2018-Aug-07 13:54 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Tue, 7 Aug 2018 13:34:30 +0000
VELARTIS Philipp Dürhammer <p.duerhammer at velartis.at> wrote:

> Ok so the config is generally a problem. I can try to change that.
> What I do not understand is
>
> >> You would then need to give all your users a unique uidNumber
> >> attribute containing a number inside the range you set in smb.conf,
> >> you would also need to give the user a gidNumber attribute
> >> containing the gidNumber of the required group to use instead of
> >> 'Domain Users'.
>
> This is really complicated.

It isn't once you get your head around it ;-)

> How do users normally use samba with a
> windows AD server without breaking the security concept by bypassing all
> user rights, sharing the same group?

They just don't allow 'Domain Users' access to the share.

> I could also give every user on
> the AD server a unique group... but that's a real hack...

Yes, it is.

Rowland