On Tue, 8 Sep 2020, Rowland penny via samba wrote:

> On 08/09/2020 13:55, Harald Hannelius wrote:
>>
>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have users in Samba AD with uid- and gidNumbers. I also have group
>>>> objects with gidNumbers.
>>>>
>>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that has
>>>> one share and a lot of directories.
>>>>
>>>> The directory permissions are set with a specific group as owner, and the
>>>> group write and suid bit are set.
>>>>
>>>> drwxrwsr-x 2 root thegroup 4096 Sep 8 15:25 groupdir
>>>>
>>>> This worked fine in Samba 3. However, now when people are storing files
>>>> in the dir the file doesn't get group ownership 'thegroup' nor does it
>>>> get the write permission bit set.
>>>>
>>>> Is there a new and improved way to accomplish this now?
>>>>
>>>>
>>> Can we see the smb.conf from your Unix domain member before we comment.
>>
>> [global]
>>     dedicated keytab file = /etc/krb5.keytab
>>     disable spoolss = Yes
>>     kerberos method = secrets and keytab
>>     load printers = No
>>     printcap name = /dev/null
>>     realm = SAD.DOMAIN.COM
>>     security = ADS
>>     username map = /etc/samba/user.map
>>     utmp = Yes
>>     winbind cache time = 20
>>     winbind enum groups = Yes
>>     winbind enum users = Yes
>>     winbind refresh tickets = Yes
>>     winbind use default domain = Yes
>>     workgroup = SAD
>>     idmap config sad:unix_primary_group = yes
>>     idmap config sad:unix_nss_info = yes
>>     idmap config sad:range = 500-4000000
>>     idmap config sad:schema_mode = rfc2307
>>     idmap config sad:backend = ad
>>     idmap config * : range = 5000000-9000000
>>     idmap config * : backend = tdb
>>     map acl inherit = Yes
>>     printing = bsd
>>     vfs objects = acl_xattr
>>
>>
>> [intra]
>>     create mask = 0665
>>     directory mask = 02775
>>     path = /tftpboot/intra
>>     read only = No
>>
>>
> Is there some reason you started your uidNumber & gidNumber attributes at 500?

Yes, our users' uidNumber range starts from a little over 500. This is
baggage from the 1990's. I don't think Redhat's "start at 1000" was even
thought of back then.

> The 'new and improved way' is to make use of this:
>
> vfs objects = acl_xattr

This doesn't say much to me (reading the man-page of smb.conf). Does it mean
to store ACLs in the extra attributes in the underlying filesystem?

> You set the permissions from Windows, try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If I don't have a Windows computer, can I use setfacl or chmod?

Can I just stop using ACLs and go back to the old way of reading the
permissions from the unix permissions? Users don't know how to, don't have
the interest to, or don't want to do this themselves. Nor do I want to
manage the ACLs at all, most certainly not through a GUI (on Windows).

I have to test 'inherit permissions (S)' as well.

What I want is for new files in the directory to have the same (unix) group
ownership as the directory has. And that they have write permission for that
unix-group.

--

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
On Tue, 8 Sep 2020, Harald Hannelius via samba wrote:

> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have users in Samba AD with uid- and gidNumbers. I also have group
>>>>> objects with gidNumbers.
>>>>>
>>>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that has
>>>>> one share and a lot of directories.
>>>>>
>>>>> The directory permissions are set with a specific group as owner, and the
>>>>> group write and suid bit are set.
>>>>>
>>>>> drwxrwsr-x 2 root thegroup 4096 Sep 8 15:25 groupdir
>>>>>
>>>>> This worked fine in Samba 3. However, now when people are storing files
>>>>> in the dir the file doesn't get group ownership 'thegroup' nor does it
>>>>> get the write permission bit set.
>>>>>
>>>>> Is there a new and improved way to accomplish this now?
>>>>>
>>>>>
>>>> Can we see the smb.conf from your Unix domain member before we comment.
>>>
>>> [global]
>>>     dedicated keytab file = /etc/krb5.keytab
>>>     disable spoolss = Yes
>>>     kerberos method = secrets and keytab
>>>     load printers = No
>>>     printcap name = /dev/null
>>>     realm = SAD.DOMAIN.COM
>>>     security = ADS
>>>     username map = /etc/samba/user.map
>>>     utmp = Yes
>>>     winbind cache time = 20
>>>     winbind enum groups = Yes
>>>     winbind enum users = Yes
>>>     winbind refresh tickets = Yes
>>>     winbind use default domain = Yes
>>>     workgroup = SAD
>>>     idmap config sad:unix_primary_group = yes
>>>     idmap config sad:unix_nss_info = yes
>>>     idmap config sad:range = 500-4000000
>>>     idmap config sad:schema_mode = rfc2307
>>>     idmap config sad:backend = ad
>>>     idmap config * : range = 5000000-9000000
>>>     idmap config * : backend = tdb
>>>     map acl inherit = Yes
>>>     printing = bsd
>>>     vfs objects = acl_xattr
>>>
>>>
>>> [intra]
>>>     create mask = 0665
>>>     directory mask = 02775
>>>     path = /tftpboot/intra
>>>     read only = No
>>>
>>>
>> Is there some reason you started your uidNumber & gidNumber attributes at
>> 500?
>
> Yes, our users' uidNumber range starts from a little over 500. This is
> baggage from the 1990's. I don't think Redhat's "start at 1000" was even
> thought of back then.
>
>> The 'new and improved way' is to make use of this:
>>
>> vfs objects = acl_xattr
>
> This doesn't say much to me (reading the man-page of smb.conf). Does it mean
> to store ACLs in the extra attributes in the underlying filesystem?
>
>> You set the permissions from Windows, try reading this:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If I don't have a Windows computer, can I use setfacl or chmod?
>
> Can I just stop using ACLs and go back to the old way of reading the
> permissions from the unix permissions? Users don't know how to, don't have
> the interest to, or don't want to do this themselves. Nor do I want to manage
> the ACLs at all, most certainly not through a GUI (on Windows).
>
> I have to test 'inherit permissions (S)' as well.
>
> What I want is for new files in the directory to have the same (unix) group
> ownership as the directory has. And that they have write permission for that
> unix-group.

This does what I want:

[intra]
    create mask = 0665
    directory mask = 02775
    inherit permissions = Yes
    nt acl support = No
    path = /tftpboot/intra
    read only = No

--

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
On 08/09/2020 14:43, Harald Hannelius wrote:
>
> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>>
>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have users in Samba AD with uid- and gidNumbers. I also have
>>>>> group objects with gidNumbers.
>>>>>
>>>>> I have a Samba member server (all servers Samba 4.9.5-Debian) that
>>>>> has one share and a lot of directories.
>>>>>
>>>>> The directory permissions are set with a specific group as owner,
>>>>> and the group write and suid bit are set.
>>>>>
>>>>> drwxrwsr-x 2 root thegroup 4096 Sep 8 15:25 groupdir
>>>>>
>>>>> This worked fine in Samba 3. However, now when people are storing
>>>>> files in the dir the file doesn't get group ownership 'thegroup'
>>>>> nor does it get the write permission bit set.
>>>>>
>>>>> Is there a new and improved way to accomplish this now?
>>>>>
>>>>>
>>>> Can we see the smb.conf from your Unix domain member before we
>>>> comment.
>>>
>>> [global]
>>>     dedicated keytab file = /etc/krb5.keytab
>>>     disable spoolss = Yes
>>>     kerberos method = secrets and keytab
>>>     load printers = No
>>>     printcap name = /dev/null
>>>     realm = SAD.DOMAIN.COM
>>>     security = ADS
>>>     username map = /etc/samba/user.map
>>>     utmp = Yes
>>>     winbind cache time = 20
>>>     winbind enum groups = Yes
>>>     winbind enum users = Yes
>>>     winbind refresh tickets = Yes
>>>     winbind use default domain = Yes
>>>     workgroup = SAD
>>>     idmap config sad:unix_primary_group = yes
>>>     idmap config sad:unix_nss_info = yes
>>>     idmap config sad:range = 500-4000000
>>>     idmap config sad:schema_mode = rfc2307
>>>     idmap config sad:backend = ad
>>>     idmap config * : range = 5000000-9000000
>>>     idmap config * : backend = tdb
>>>     map acl inherit = Yes
>>>     printing = bsd
>>>     vfs objects = acl_xattr
>>>
>>>
>>> [intra]
>>>     create mask = 0665
>>>     directory mask = 02775
>>>     path = /tftpboot/intra
>>>     read only = No
>>>
>>>
>> Is there some reason you started your uidNumber & gidNumber
>> attributes at 500?
>
> Yes, our users' uidNumber range starts from a little over 500. This is
> baggage from the 1990's. I don't think Redhat's "start at 1000" was
> even thought of back then.

Debian was using '1000' long before Red Hat decided to change from '500',
but the problem is, you cannot have any local Unix users.

>
>> The 'new and improved way' is to make use of this:
>>
>> vfs objects = acl_xattr
>
> This doesn't say much to me (reading the man-page of smb.conf). Does
> it mean to store ACLs in the extra attributes in the underlying
> filesystem?

Yes, it works like this:

There are the normal Unix 'ugo' permissions.

Then there are permissions that can be set with setfacl; these are stored
in an acl.

Finally there are the permissions that are created from Windows, which are
stored in extended attributes.

>
>> You set the permissions from Windows, try reading this:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If I don't have a Windows computer, can I use setfacl or chmod?

You could try setfacl.

>
> Can I just stop using ACLs and go back to the old way of reading the
> permissions from the unix permissions? Users don't know how to, don't
> have the interest to, or don't want to do this themselves. Nor do I
> want to manage the ACLs at all, most certainly not through a GUI (on
> Windows).

No, you are running an AD domain now.

>
> I have to test 'inherit permissions (S)' as well.
>
> What I want is for new files in the directory to have the same (unix)
> group ownership as the directory has. And that they have write
> permission for that unix-group.

OK, stop using your group (which raises a question: you have (unix) above,
does this mean a group in /etc/group or a group in AD with a gidNumber
attribute?), use Domain Users instead; all yours are members of Domain
Users.

Rowland
On Tue, 8 Sep 2020, Rowland penny via samba wrote:

> On 08/09/2020 14:43, Harald Hannelius wrote:
>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:

[snip]

>>> The 'new and improved way' is to make use of this:
>>>
>>> vfs objects = acl_xattr
>>
>> This doesn't say much to me (reading the man-page of smb.conf). Does it
>> mean to store ACLs in the extra attributes in the underlying filesystem?
>
> Yes, it works like this:
>
> There are the normal Unix 'ugo' permissions.
>
> Then there are permissions that can be set with setfacl; these are stored in
> an acl.
>
> Finally there are the permissions that are created from Windows, which are
> stored in extended attributes.

Thanks.

>>> You set the permissions from Windows, try reading this:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> If I don't have a Windows computer, can I use setfacl or chmod?
> You could try setfacl.

Good, until now I haven't even used ACLs on that filesystem. setgid and chmod
have been enough until now.

>> Can I just stop using ACLs and go back to the old way of reading the
>> permissions from the unix permissions? Users don't know how to, don't have
>> the interest to, or don't want to do this themselves. Nor do I want to
>> manage the ACLs at all, most certainly not through a GUI (on Windows).
> No, you are running an AD domain now.

As per my other reply that (sadly) forked this thread, 'nt acl support = No'
and 'inherit permissions = Yes' did exactly what I wanted.

I couldn't understand why files created in a directory with group 'it' and
setgid set didn't get to be owned by the group 'it' but rather by the group
'users'.

>> I have to test 'inherit permissions (S)' as well.
>>
>> What I want is for new files in the directory to have the same (unix) group
>> ownership as the directory has. And that they have write permission for
>> that unix-group.
> OK, stop using your group (which raises a question: you have (unix) above,
> does this mean a group in /etc/group or a group in AD with a gidNumber
> attribute?), use Domain Users instead; all yours are members of Domain
> Users.

By unix-group I actually meant the group on the filesystem (gidNumber). This
resolves through winbind to an AD group.

But now I have directories each with their own group, and with the
setgid and write bit set. And directories created under this get the
same group ownership as the parent dir, the group write and setgid bit,
and files created get the group ownership of the parent dir and the group
write bit set.

I think it's best for this implementation to not use ACLs.

--

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
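An added example, not code from the thread or from the Samba project: a small
POSIX shell script that exercises the Unix layer Harald's final configuration
relies on (a setgid, group-writable directory handing its group to new files
and subdirectories) and prints the three permission layers Rowland lists: the
ugo bits (stat), the POSIX ACL (getfacl) and the NT ACL that vfs_acl_xattr
keeps in the security.NTACL extended attribute (getfattr). Function names,
the umask value and the temp-directory layout are my choices; it assumes GNU
or busybox stat and chgrp, while getfacl/getfattr are optional and only used
when installed. Run it unprivileged against a temp dir as written, or point
make_group_dir at a real share directory as a member of that directory's group.

```shell
#!/bin/sh
# Added example (not from the thread): check the filesystem-level setgid
# behaviour that the [intra] share depends on, without going through smbd.
set -eu

# Pick a test group: $1 if given (e.g. "thegroup" on the real server), else the
# caller's first secondary group (so the result differs from the primary group
# and actually proves inheritance), else the primary group.
pick_group() {
    if [ $# -ge 1 ] && [ -n "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    printf '%s\n' "$primary"
}

# Create BASE/groupdir owned by GROUP with mode 2775 (drwxrwsr-x, the mode in
# the thread) and print its path. Falls back to the caller's primary group if
# GROUP cannot be assigned (e.g. an unmapped gid in a user namespace).
make_group_dir() {
    base=$1; group=$2
    mkdir -p "$base/groupdir"
    chgrp "$group" "$base/groupdir" 2>/dev/null || chgrp "$(id -gn)" "$base/groupdir"
    chmod 2775 "$base/groupdir"
    printf '%s\n' "$base/groupdir"
}

# Create a file and a subdirectory in DIR under umask 002 and print one line:
#   <dir gid> <file gid> <subdir gid> <file mode> <subdir mode>
# On a correctly behaving setgid directory the three gids are equal, the file
# is 664 and the subdirectory is 2775 (the kernel copies the setgid bit to new
# directories, not the caller's umask or group membership).
check_inheritance() {
    dir=$1
    ( umask 002; : > "$dir/newfile"; mkdir -p "$dir/subdir" )
    printf '%s %s %s %s %s\n' \
        "$(stat -c %g "$dir")" \
        "$(stat -c %g "$dir/newfile")" \
        "$(stat -c %g "$dir/subdir")" \
        "$(stat -c %a "$dir/newfile")" \
        "$(stat -c %a "$dir/subdir")"
}

# Return 0 when every new object inherited the directory's gid and the
# subdirectory kept setgid, 1 otherwise.
inheritance_ok() {
    set -- $(check_inheritance "$1")
    [ "$1" = "$2" ] && [ "$1" = "$3" ] && [ "$4" = "664" ] && [ "$5" = "2775" ]
}

# Print the three permission layers for PATH; purely informational.
show_layers() {
    path=$1
    stat -c '%A %U %G %n' "$path"                       # Unix ugo bits
    if command -v getfacl >/dev/null 2>&1; then         # POSIX ACL (setfacl)
        getfacl -p "$path" 2>/dev/null || true
    fi
    if command -v getfattr >/dev/null 2>&1; then        # NT ACL stored by acl_xattr
        getfattr -n security.NTACL "$path" 2>/dev/null \
            || echo "no security.NTACL xattr readable on $path"
    fi
    return 0
}

# Stand-alone run in a scratch directory so no real share is touched.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
dir=$(make_group_dir "$tmp" "$(pick_group "${1:-}")")
check_inheritance "$dir"
show_layers "$dir/newfile"
inheritance_ok "$dir" || { echo "group inheritance FAILED on $dir"; exit 1; }
```

If this passes on the real share path but files written over SMB still come
out with a different group (as Harald saw with 'users' instead of 'it'), the
kernel is not the layer changing the group, so the next place to look is
smbd's own ownership and ACL handling for that share rather than the
directory's mode bits.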
Forgot to send this yesterday, but here you go.

For anyone that wants a better understanding of Linux rights and ACLs AND
Windows: play with this. And yes, it's a lot of folders that are created
here, but it is useful. It creates the folders with install (chmod+chown+mkdir
in one).

For example, 1700 gives in Windows: 1 = Creator Owner, 7 = owner, 0 = deny,
0 = deny. But there are more, and lots don't use it. So a little script that
creates the folders for you, and you can play and check rights.

#!/bin/bash
# Put a path from a share in here.
FOLDER_IN_SHARE=/srv/samba/share/

mkdir "$FOLDER_IN_SHARE/test"
cd "$FOLDER_IN_SHARE/test" || exit 1

# Creating some rights.
# The first of the 4 digits of the rights.
for A in 1 2 3 4 5 6 7
do
    # The second of the 4 digits. I only used 7 and 5 (x7xx) (x5xx);
    # you can add more, but more is more folders.
    for B in 7 5
    do
        # The third of the 4 digits.
        for C in 7 5
        do
            # The last of the 4 digits.
            for D in 0 1 5 7
            do
                # install does mkdir, chown and chmod in one go.
                # Create folder testfolder-ABCD, owner root, group root, with rights ABCD.
                install -d -o root -g root -m "${A}${B}${C}${D}" "testfolder-${A}${B}${C}${D}"
            done
        done
    done
done
cd ..
exit 0

Now, get a Windows PC, log in as the Domain Administrator and look up the
rights in Windows for all the folders created. Add a group, see what it does.
Try without adding UIDs/GIDs before you change a security setting, and try
with UIDs/GIDs added before you change a security setting, and verify the
rights with getfacl.

And now you know that. Stop using chmod, start using [s,g]etfacl ;-)
You can use mkdir/install/chmod/chown when you set up the first folders.
But once you use them in Windows, stop using chmod/chown.

But you can make it easier for yourself by setting up a folder from within
Windows completely and using samba-tool to copy the SDDL (Security Descriptor
Definition Language). An example of how I do it is shown here:
https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh

Good luck..

Greetz,

Louis

(Invest in yourself, it's the cheapest way to gain.)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harald Hannelius via samba
> Sent: Tuesday 8 September 2020 16:45
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] ACLs, groups and suid-bit?
>
>
> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>> On 08/09/2020 14:43, Harald Hannelius wrote:
>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>> On 08/09/2020 13:55, Harald Hannelius wrote:
>>>>> On Tue, 8 Sep 2020, Rowland penny via samba wrote:
>>>>>> On 08/09/2020 13:27, Harald Hannelius via samba wrote:
> [snip]
>>>> The 'new and improved way' is to make use of this:
>>>>
>>>> vfs objects = acl_xattr
>>>
>>> This doesn't say much to me (reading the man-page of smb.conf). Does it
>>> mean to store ACLs in the extra attributes in the underlying filesystem?
>>
>> Yes, it works like this:
>>
>> There are the normal Unix 'ugo' permissions.
>>
>> Then there are permissions that can be set with setfacl; these are stored in
>> an acl.
>>
>> Finally there are the permissions that are created from Windows, which are
>> stored in extended attributes.
>
> Thanks.
>
>>>> You set the permissions from Windows, try reading this:
>>>>
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> If I don't have a Windows computer, can I use setfacl or chmod?
>> You could try setfacl.
>
> Good, until now I haven't even used ACLs on that filesystem. setgid and chmod
> have been enough until now.
>
>>> Can I just stop using ACLs and go back to the old way of reading the
>>> permissions from the unix permissions? Users don't know how to, don't have
>>> the interest to, or don't want to do this themselves. Nor do I want to
>>> manage the ACLs at all, most certainly not through a GUI (on Windows).
>> No, you are running an AD domain now.
>
> As per my other reply that (sadly) forked this thread, 'nt acl support = No'
> and 'inherit permissions = Yes' did exactly what I wanted.
>
> I couldn't understand why files created in a directory with group 'it' and
> setgid set didn't get to be owned by the group 'it' but rather by the group
> 'users'.
>
>>> I have to test 'inherit permissions (S)' as well.
>>>
>>> What I want is for new files in the directory to have the same (unix) group
>>> ownership as the directory has. And that they have write permission for
>>> that unix-group.
>> OK, stop using your group (which raises a question: you have (unix) above,
>> does this mean a group in /etc/group or a group in AD with a gidNumber
>> attribute?), use Domain Users instead; all yours are members of Domain
>> Users.
>
> By unix-group I actually meant the group on the filesystem (gidNumber). This
> resolves through winbind to an AD group.
>
> But now I have directories each with their own group, and with the
> setgid and write bit set. And directories created under this get the
> same group ownership as the parent dir, the group write and setgid bit,
> and files created get the group ownership of the parent dir and the group
> write bit set.
>
> I think it's best for this implementation to not use ACLs.
>
>
> --
>
> Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020