samba - Nov 2018 - Samba not respecting directory acls inside a share

Hi,

we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
with some share:

[refb]
path = /samba/refb
browseable = no
valid users = +"AM\refb_users"
writeable = yes
force user = AM\qui
force group = AM\refb_users

All the samba users and groups come from AD through nss_winbind.

Inside /samba/refb/ I created a sub directory test_a and set the owner
(in Solaris via chown) to AM\refba_users. I also set chmod 770. My
assumption would be that anyone that is a member of group refb_users
should be able to access the share and those who are also members of
the group refba_users should be able to read and write to the
directory test_a.

But actually when I access the share as a member of refb_users (which
works) on a Windows Client I am also able to access the directory
test_a, even though I am not a member of the owner group refba_users.
I would expect that Samba examines the POSIX owner group and denies
access to anyone who is not a member of that group.

Is this expected behavior? Is there some option I have to set in the
smb.conf that I've missed? I haven't looked into extended attributes
yet, but this doesn't seem like a very advanced requirement.

Thanks,
Fabian

On Tue, Nov 20, 2018 at 07:19:40PM +0100, Fabian Fritz via samba
wrote:
> Hi,
> 
> we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
> with some share:
> 
> [refb]
> path = /samba/refb
> browseable = no
> valid users = +"AM\refb_users"
> writeable = yes
> force user = AM\qui
> force group = AM\refb_users
> 
> All the samba users and groups come from AD through nss_winbind.
> 
> Inside /samba/refb/ I created a sub directory test_a and set the owner
> (in Solaris via chown) to AM\refba_users. I also set chmod 770. My
> assumption would be that anyone that is a member of group refb_users
> should be able to access the share and those who are also members of
> the group refba_users should be able to read and write to the
> directory test_a.
> 
> But actually when I access the share as a member of refb_users (which
> works) on a Windows Client I am also able to access the directory
> test_a, even though I am not a member of the owner group refba_users.
> I would expect that Samba examines the POSIX owner group and denies
> access to anyone who is not a member of that group.
Anyone who access the share is being forced to be

uid = AM\qui
primary gid = AM\refb_users

so all users accessing this share are being seen
as the same user/group. That's what setting "force user"
and "force group" does.

On Tue, 20 Nov 2018 11:27:51 -0800
Jeremy Allison via samba <samba at lists.samba.org> wrote:
> On Tue, Nov 20, 2018 at 07:19:40PM +0100, Fabian Fritz via samba
> wrote:
> > Hi,
> > 
> > we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
> > with some share:
> > 
> > [refb]
> > path = /samba/refb
> > browseable = no
> > valid users = +"AM\refb_users"
> > writeable = yes
> > force user = AM\qui
> > force group = AM\refb_users
> > 
> > All the samba users and groups come from AD through nss_winbind.
> > 
> > Inside /samba/refb/ I created a sub directory test_a and set the
> > owner (in Solaris via chown) to AM\refba_users. I also set chmod
> > 770. My assumption would be that anyone that is a member of group
> > refb_users should be able to access the share and those who are
> > also members of the group refba_users should be able to read and
> > write to the directory test_a.
> > 
> > But actually when I access the share as a member of refb_users
> > (which works) on a Windows Client I am also able to access the
> > directory test_a, even though I am not a member of the owner group
> > refba_users. I would expect that Samba examines the POSIX owner
> > group and denies access to anyone who is not a member of that group.
> 
> Anyone who access the share is being forced to be
> 
> uid = AM\qui
> primary gid = AM\refb_users
> 
> so all users accessing this share are being seen
> as the same user/group. That's what setting "force user"
> and "force group" does.
> 
You beat me to it Jeremy ;-)
The OP would probably be better of doing two things, use two shares and
use Windows ACL's.

Rowland

Am Di., 20. Nov. 2018 um 20:27 Uhr schrieb Jeremy Allison <jra at
samba.org>:
>
> On Tue, Nov 20, 2018 at 07:19:40PM +0100, Fabian Fritz via samba wrote:
> > Hi,
> >
> > we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
> > with some share:
> >
> > [refb]
> > path = /samba/refb
> > browseable = no
> > valid users = +"AM\refb_users"
> > writeable = yes
> > force user = AM\qui
> > force group = AM\refb_users
> >
> > All the samba users and groups come from AD through nss_winbind.
> >
> > Inside /samba/refb/ I created a sub directory test_a and set the owner
> > (in Solaris via chown) to AM\refba_users. I also set chmod 770. My
> > assumption would be that anyone that is a member of group refb_users
> > should be able to access the share and those who are also members of
> > the group refba_users should be able to read and write to the
> > directory test_a.
> >
> > But actually when I access the share as a member of refb_users (which
> > works) on a Windows Client I am also able to access the directory
> > test_a, even though I am not a member of the owner group refba_users.
> > I would expect that Samba examines the POSIX owner group and denies
> > access to anyone who is not a member of that group.
>
> Anyone who access the share is being forced to be
>
> uid = AM\qui
> primary gid = AM\refb_users
>
> so all users accessing this share are being seen
> as the same user/group. That's what setting "force user"
> and "force group" does.
Ah, okay - but still: the owner group is AM\refba_users and AM\qui is
not a member of that group. So even if someone is "forced" to be user
AM\qui with group AM\refb_users, they shouldn't be able to access a
directory owned by AM\refba_users.