VELARTIS Philipp Dürhammer
2018-Aug-06 21:27 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
Hi, we have some Samba shares joined a existing Windows AD. Everything works well with complex user rights. But the problem ist that when a user creates a new file the standard windows group (domain-user) is also applied as a permission to the file. This breaks all the security because all users have now full acess to this file. (because all users are in the domain-user group) All parent directories do not have this permission set. Where does it come from? Thank you
Rowland Penny
2018-Aug-07 07:57 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Mon, 6 Aug 2018 21:27:41 +0000 VELARTIS Philipp Dürhammer via samba <samba at lists.samba.org> wrote:> Hi, > > we have some Samba shares joined a existing Windows AD. > Everything works well with complex user rights. > But the problem ist that when a user creates a new file the standard > windows group (domain-user) is also applied as a permission to the > file. This breaks all the security because all users have now full > acess to this file. (because all users are in the domain-user group) > All parent directories do not have this permission set. Where does it > come from? > > Thank youIt comes from the user ;-) What OS ? What Samba version ? Can you post your smb.conf Rowland
Rowland Penny
2018-Aug-07 12:38 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Tue, 7 Aug 2018 11:52:31 +0000 VELARTIS Philipp Dürhammer <p.duerhammer at velartis.at> wrote:> HI, > > Ubuntu 16.04 newest Updates. Windows 2016 Server RD and > Domaincontroller. When we set the rights through windows everything > is fine. But creating Files on Windows Share adds allways the primary > group "Domänen-Benutzer" to the file. And every user is in this > group. This just breaks permissions...Can I suggest you remove these lines: idmap uid = 10000-100000000 idmap gid = 10000-100000000 password server = dc1.vhh.local, dc2.vhh.local wins server 10.0.118.2 10.0.118.3 encrypt passwords = true client use spnego = yes winbind enum users = yes winbind enum groups = yes winbind nested groups = yes winbind use default domain = true winbind offline logon = false dns forwarder = 10.0.118.2 idmap_ldb:use rfc2307 = yes They are either default settings, deprecated or just plain shouldn't be in a Unix domain members smb.conf You also have in the [sc1_main] share: writeable = yes read only = no You only need one, I am sure if you look hard enough at those lines, you will realise they mean the same thing ;-) We now come to your real problem, where did you get this from ? idmap backend = idmap_rid:VHH=10000-100000000 I would have expected something like this: idmap config * : backend = tdb idmap config * : range = 2000-9999 idmap config VHH : backend = rid idmap config VHH : range = 10000-999999 Not that it would help you with your problem with 'Domain Users'. By default, every AD user is a member of 'Domain Users' and so, when you use the 'rid' backend every Unix user gets the group as their primary group. The only way to change this is by using a version of Samba >= 4.6.0 and use the 'ad' backend and idmap config lines similar to these: idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config VHH : backend = ad idmap config VHH : schema_mode = rfc2307 idmap config VHH : unix_nss_info = yes idmap config VHH : unix_primary_group = yes idmap config VHH : range = 10000-999999 You would then need to give all your users a unique uidNumber attribute containing a number inside the range you set in smb.conf, you would also need to give the user a gidNumber attribute containing the gidNumber of the required group to use instead of 'Domain Users'. Rowland
Robert Marcano
2018-Aug-07 13:02 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On 08/07/2018 08:38 AM, Rowland Penny via samba wrote:> On Tue, 7 Aug 2018 11:52:31 +0000...> > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > idmap config VHH : backend = ad > idmap config VHH : schema_mode = rfc2307 > idmap config VHH : unix_nss_info = yes > idmap config VHH : unix_primary_group = yes > idmap config VHH : range = 10000-999999 > > You would then need to give all your users a unique uidNumber attribute > containing a number inside the range you set in smb.conf, you would > also need to give the user a gidNumber attribute containing the > gidNumber of the required group to use instead of 'Domain Users'. > > Rowland >Greetings, just making note for feature request that could help in the future. One of the reasons we decided to use SSSD instead of winbind on our domain members was the SSSD AD domain option: auto_private_groups = True That synthesize private groups for all domain users. Winbind with the algorithmic mapping provided by the rid backend would have been sufficient if it had an option like this one. We did not wanted to give the Window domain admin too much power defining posix uid and gid attributes on the Linux servers.
Rowland Penny
2018-Aug-07 13:54 UTC
[Samba] using Windows AD unwanted Group rights get applied to new Files
On Tue, 7 Aug 2018 13:34:30 +0000 VELARTIS Philipp Dürhammer <p.duerhammer at velartis.at> wrote:> Ok so the config is generally a problem. I can try to change that. > What i do not understand is > > >>You would then need to give all your users a unique uidNumber > >>attribute containing a number inside the range you set in smb.conf, > >>you would also need to give the user a gidNumber attribute > >>containing the gidNumber of the required group to use instead of > >>>>'Domain Users'. > This is rella ycomplicated.It isn't once you get head around it ;-)> How do users normaly use samba with a > windows AD server without breaking security concept by bypassing all > user right sharing the same group?They just don't allow 'Domain Users' access to the share.>I could also give every user on > the AD server a unique group... but thats a real hack...Yes, It is . Rowland
Reasonably Related Threads
- using Windows AD unwanted Group rights get applied to new Files
- using Windows AD unwanted Group rights get applied to new Files
- using Windows AD unwanted Group rights get applied to new Files
- using Windows AD unwanted Group rights get applied to new Files
- using Windows AD unwanted Group rights get applied to new Files