samba - Jun 2019 - samba file server - sediskoperatorprivilege not being honored

Hello,

I've been setting up new file server using samba 4.8.3 (centos 7 RPM), 
as samba 4 AD member server using my earlier smb.conf when I realised 
that I was  previously somewhat circumventing the 
SeDiskOperatorPrivilege by using "admin users map" to SAMDOM\Domain 
admins" parameter in smb.conf.

I decided to change my smb.conf and setup shares following samba wiki.

All shares are going to be used strictly by windows clients (AD domain 
members), so I've followed closely samba wiki.

I granted both SAMDOM\domain admins  and SAMDOM\myuser  the 
SeDiskOperatorPrivilege, but still I'm unable to change ACL from windows 
client, even when I'm logged in as SAMDOM\myuser (which belongs to 
SAMDOM\domain admins group) to windows client.

My smb.conf:

[global]
        netbios name = VS-FILES1
        security = ADS
        workgroup = SAMDOM
        realm = MY.REALM.COM

        log level = 1
        log file = /var/log/samba/%m.log
         max log size = 2000
         logging = syslog at 2 file
        idmap config *:backend = tdb
        idmap config *:range = 2000-7000

        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 100000-110000

         winbind enum users = no
         winbind enum groups = no
         winbind nested groups = yes
         winbind expand groups = 3
         winbind refresh tickets = yes
         winbind use default domain = no
         winbind offline logon = yes

         template shell = /bin/bash
         template homedir = /home/%U@%D

         kerberos method = secrets and keytab

         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         vfs objects = acl_xattr full_audit recycle

         full_audit:prefix = %u|%I|%M|%S
         full_audit:failure = connect
         full_audit:success =  mkdir rmdir write rename pwrite unlink
         full_audit:priority = NOTICE

         recycle:repository = .recycle
         recycle:keeptree = yes
         recycle:versions = yes
         recycle:touch_mtime = yes
         recycle:exclude = *.tmp, *.bak, *.ods#, *.odt#, *.xls#, *.TMP, 
*.cache
         recycle:exclude_dir = .recycle
         recycle:maxsize = 1073741824


        store dos attributes = yes
         map acl inherit = yes

#        admin users = "@BABKA\Domain Admins","@BABKA\Enterprise
Admins"

[MYSHARE]
         path = /srv/samba/myshare/
         read only = no


output of

net rpc rights list privileges SeDiskOperatorPrivilege -U
"SAMDOM\administrator" -S VS-FILES1

SeDiskOperatorPrivilege:
   SAMDOM\myuser
   SAMDOM\Domain Admins
   BUILTIN\Administrators

getfacl myshare
# file: myshare
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


THe only way to set ACL through windows is either:
- set owner (user/group) and grant rwx permissions
( e.g. chown "SAMDOM\myuser" myshare
chmod 0770 myshare)
OR
- uncomment "admin users" line


Otherwise I'm getting denied error from windows client ("unable to list
folder contents"). Is this expected? According to wiki setting
"SeDiskOperatorPrivilege" should be enough, but isn't. Winbind is
working correctly, I can get reasonable output from all wbinfo commands, all ACL
set (with either of the methods) stick and are respected.

I'd like to know if I have some error in my configuration and if so, to fix
it.

For quite some time I've been simply using samba file server with
"admin users=....", that's why I didn't run into this issue
before, but I found some scenarios where this setting has some drawbacks and
I'd like to move away from it.


Regards,
Kacper



---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie
antywirusowe Avast.
https://www.avast.com/antivirus

Hello,

Since nobody picked this up I will try to answer myself (hopefully 
correctly).

I think I just misread documentation on wiki, but I would really 
appreciate a clarification. In the wiki it states:

"To enable other accounts than the domain administrator to set 
permissions on Windows, grant |Full control| (|rwx|) to the user or 
group you granted the |SeDiskOperatorPrivilege| privilege."

Does the "domain administrator" mean EXACTLY the default
"Administrator"
user, or should I understand it as "any member of Domain Admins
group"?
If it's the former, than there is no issue (I can change share ACL from 
windows client using Administrator without changing any of the 
permissions i.e. owner:group can stay as root:root), if it's the latter, 
than I have anissue, since none other user from Domain Admins can change 
any ACL, unless i change owner/group or add  initial ACL to domain 
admins (or any other user/group i gave sediskoperatorprivilege)

I suspect it's the former, but if not, than I'm doing something wrong.

Regards,

Kacper

W dniu 29.05.2019 o 10:12, Kacper Wirski via samba
pisze:
> Hello,
>
> I've been setting up new file server using samba 4.8.3 (centos 7 RPM), 
> as samba 4 AD member server using my earlier smb.conf when I realised 
> that I was  previously somewhat circumventing the 
> SeDiskOperatorPrivilege by using "admin users map" to
SAMDOM\Domain
> admins" parameter in smb.conf.
>
> I decided to change my smb.conf and setup shares following samba wiki.
>
> All shares are going to be used strictly by windows clients (AD domain 
> members), so I've followed closely samba wiki.
>
> I granted both SAMDOM\domain admins  and SAMDOM\myuser  the 
> SeDiskOperatorPrivilege, but still I'm unable to change ACL from 
> windows client, even when I'm logged in as SAMDOM\myuser (which 
> belongs to SAMDOM\domain admins group) to windows client.
>
> My smb.conf:
>
> [global]
>        netbios name = VS-FILES1
>        security = ADS
>        workgroup = SAMDOM
>        realm = MY.REALM.COM
>
>        log level = 1
>        log file = /var/log/samba/%m.log
>         max log size = 2000
>         logging = syslog at 2 file
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-7000
>
>        idmap config SAMDOM:backend = rid
>        idmap config SAMDOM:range = 100000-110000
>
>         winbind enum users = no
>         winbind enum groups = no
>         winbind nested groups = yes
>         winbind expand groups = 3
>         winbind refresh tickets = yes
>         winbind use default domain = no
>         winbind offline logon = yes
>
>         template shell = /bin/bash
>         template homedir = /home/%U@%D
>
>         kerberos method = secrets and keytab
>
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         vfs objects = acl_xattr full_audit recycle
>
>         full_audit:prefix = %u|%I|%M|%S
>         full_audit:failure = connect
>         full_audit:success =  mkdir rmdir write rename pwrite unlink
>         full_audit:priority = NOTICE
>
>         recycle:repository = .recycle
>         recycle:keeptree = yes
>         recycle:versions = yes
>         recycle:touch_mtime = yes
>         recycle:exclude = *.tmp, *.bak, *.ods#, *.odt#, *.xls#, *.TMP, 
> *.cache
>         recycle:exclude_dir = .recycle
>         recycle:maxsize = 1073741824
>
>
>        store dos attributes = yes
>         map acl inherit = yes
>
> #        admin users = "@BABKA\Domain
Admins","@BABKA\Enterprise Admins"
>
> [MYSHARE]
>         path = /srv/samba/myshare/
>         read only = no
>
>
> output of
>
> net rpc rights list privileges SeDiskOperatorPrivilege -U 
> "SAMDOM\administrator" -S VS-FILES1
>
> SeDiskOperatorPrivilege:
>   SAMDOM\myuser
>   SAMDOM\Domain Admins
>   BUILTIN\Administrators
>
> getfacl myshare
> # file: myshare
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
>
> THe only way to set ACL through windows is either:
> - set owner (user/group) and grant rwx permissions
> ( e.g. chown "SAMDOM\myuser" myshare
> chmod 0770 myshare)
> OR
> - uncomment "admin users" line
>
>
> Otherwise I'm getting denied error from windows client ("unable to
> list folder contents"). Is this expected? According to wiki setting 
> "SeDiskOperatorPrivilege" should be enough, but isn't.
Winbind is
> working correctly, I can get reasonable output from all wbinfo 
> commands, all ACL set (with either of the methods) stick and are 
> respected.
>
> I'd like to know if I have some error in my configuration and if so, 
> to fix it.
>
> For quite some time I've been simply using samba file server with 
> "admin users=....", that's why I didn't run into this
issue before,
> but I found some scenarios where this setting has some drawbacks and 
> I'd like to move away from it.
>
>
> Regards,
> Kacper
>
>
>
> ---
> Ta wiadomość została sprawdzona na obecność wirusów przez 
> oprogramowanie antywirusowe Avast.
> https://www.avast.com/antivirus

---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie
antywirusowe Avast.
https://www.avast.com/antivirus

On 03/06/2019 12:29, Kacper Wirski via samba wrote:
> Hello,
>
> Since nobody picked this up I will try to answer myself (hopefully 
> correctly).
>
> I think I just misread documentation on wiki, but I would really 
> appreciate a clarification. In the wiki it states:
>
> "To enable other accounts than the domain administrator to set 
> permissions on Windows, grant |Full control| (|rwx|) to the user or 
> group you granted the |SeDiskOperatorPrivilege| privilege."
>
> Does the "domain administrator" mean EXACTLY the default 
> "Administrator" user, 
Drat, something else to fix ;-)

Yes, 'domain administrator' does mean 'Administrator' who needs
to be
mapped to 'root'.

However, if you set the group ownership to another group (which must be 
an AD group known to the OS), then members of that group, provided the 
group has been granted 'SeDiskOperatorPrivilege', will be able to make 
the required changes
> or should I understand it as "any member of Domain Admins group"?
If
> it's the former, than there is no issue (I can change share ACL from 
> windows client using Administrator without changing any of the 
> permissions i.e. owner:group can stay as root:root), if it's the 
> latter, than I have anissue, since none other user from Domain Admins 
> can change any ACL, unless i change owner/group or add initial ACL to 
> domain admins (or any other user/group i gave sediskoperatorprivilege)
I wouldn't use 'Domain Admins' if you are using the winbind
'ad' backend
on a Unix domain member, it would mean that it would become just a group 
and 'Domain Admins' needs to be both a group & a user on Samba AD
DC's

Rowland