André Aun
2020-Nov-11 02:40 UTC
[Samba] Samba4 with AD + Linux ACL's - permission problem
Hi experts,

I have a Samba4/AD scenario which is driving me crazy.

On some servers, I have the same volume mounted on /share. I am using some different servers as gateways to export this content using HTTP, NFS, FTP and CIFS. AD authentication is a must.

On the Linux machine where Samba is running, I have joined it to the domain using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I was able to SSH to the server using my AD credentials.

Then, I joined Samba as a domain member using "net ads join", and user authentication on Samba using AD is working fine. The problem comes later...

Under /share, I have a complex directory tree. On my Samba setup, what I want is to configure just a single share, and every permission below this share should be managed using Linux ACLs and AD groups. Reason: as I said before, I'm exporting this share using other servers and I don't want my customer having to manage smb.conf, httpd.conf, etc. every time he creates a subdirectory.

Everything is working fine, until the point I assign a group permission to a subdirectory. Example: user1 is a member of more than 20 AD groups, including "srv-admin" (primary group is "domain users"). On Linux, I ran:

mkdir /share/dir1
chown root:srv-admin /share/dir1
chmod 770 /share/dir1

ls -ld /share/dir1:
drwxrwx---. 4 root srv-admin 4096 Nov 9 15:36 /share/dir1

When the user logs in via SSH, he can enter the directory and create files, as expected. When the user mounts the share via CIFS, he can't enter the directory or create files. Looking at the logs, Samba seems to see just his primary group (domain users), not the supplementary groups.

Here is my smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG.BR
security = ads
idmap config MYDOMAIN:schema-mode = rfc2307
idmap config MYDOMAIN:range = 15777216-9999999999
idmap config MYDOMAIN:backend = ad
idmap config * : range = 1000-2000
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = no
winbind offline logon = false
netbios name = SAMBA1
server string = SAMBA1
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
winbind enum users = Yes
winbind enum groups = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[ibira]
comment = Samba share
path = /share
browseable = yes
read only = no
valid users = +"Domain Users"

Again, I don't want to use "force group", "write list" etc. directives on the Samba share. What I need to do is make Samba understand the Linux ACLs, as if the user was logged in via SSH.

What am I doing wrong?

Thanks and regards,
André Aun
Rowland penny
2020-Nov-11 08:48 UTC
[Samba] Samba4 with AD + Linux ACL's - permission problem
On 11/11/2020 02:40, André Aun via samba wrote:
> Hi experts,
>
> I have a Samba4/AD scenario which is driving me crazy.
>
> On some servers, I have the same volume mounted on /share. I am using some different servers as gateways to export this content using HTTP, NFS, FTP and CIFS. AD authentication is a must.
>
> On the Linux machine where Samba is running, I have joined it to the domain using PBIS (domainjoin-cli join [DomainName [DomainAccount]). After this, I was able to SSH to the server using my AD credentials.
>
> Then, I joined Samba as a domain member using "net ads join", and user authentication on Samba using AD is working fine. The problem comes later...
>
> Under /share, I have a complex directory tree. On my Samba setup, what I want is to configure just a single share, and every permission below this share should be managed using Linux ACLs and AD groups. Reason: as I said before, I'm exporting this share using other servers and I don't want my customer having to manage smb.conf, httpd.conf, etc. every time he creates a subdirectory.
>
> Everything is working fine, until the point I assign a group permission to a subdirectory. Example: user1 is a member of more than 20 AD groups, including "srv-admin" (primary group is "domain users"). On Linux, I ran:
>
> mkdir /share/dir1
> chown root:srv-admin /share/dir1
> chmod 770 /share/dir1
>
> ls -ld /share/dir1:
> drwxrwx---. 4 root srv-admin 4096 Nov 9 15:36 /share/dir1
>
> When the user logs in via SSH, he can enter the directory and create files, as expected. When the user mounts the share via CIFS, he can't enter the directory or create files. Looking at the logs, Samba seems to see just his primary group (domain users), not the supplementary groups.
>
> Here is my smb.conf:
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.ORG.BR
> security = ads
> idmap config MYDOMAIN:schema-mode = rfc2307
> idmap config MYDOMAIN:range = 15777216-9999999999
> idmap config MYDOMAIN:backend = ad
> idmap config * : range = 1000-2000
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = no
> winbind offline logon = false
> netbios name = SAMBA1
> server string = SAMBA1
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> winbind enum users = Yes
> winbind enum groups = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [ibira]
> comment = Samba share
> path = /share
> browseable = yes
> read only = no
> valid users = +"Domain Users"
>
> Again, I don't want to use "force group", "write list" etc. directives on the Samba share.

Good, because you cannot use 'force group' etc.

> What I need to do is make Samba understand the Linux ACLs, as if the user was logged in via SSH.

No, you want to, but logging in via SSH and Samba is different.

> What am I doing wrong?

Oh lots, one of which is that you only have one share and you are not only sharing it via Samba, you are also sharing it via NFS and they use different ACLs.

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
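Rowland's point that an SSH login and an SMB session are different can be made concrete: the SSH session's group list comes from NSS (here populated by PBIS), while smbd builds its token from winbind, and with `idmap config ... : backend = ad` winbind only maps groups that carry a gidNumber. The diagnostic below is an added example, not code from the thread or from the Samba project; it compares constructed sample outputs of `id user1` and `wbinfo --user-groups user1` against the idmap range from the posted smb.conf. The gid values and the assumption that srv-admin has no gidNumber in AD are hypothetical.

```python
import re

# idmap range exactly as in the smb.conf posted in the thread
DOMAIN_RANGE = (15777216, 9999999999)   # idmap config MYDOMAIN:range
MAX_ID = 2**32 - 1                      # Linux uid_t/gid_t are 32-bit

# Constructed sample outputs (not captured from the poster's servers).
# NSS view an SSH login gets; gids are hypothetical PBIS-style values.
SAMPLE_ID_OUTPUT = ("uid=1834290001(user1) gid=1834290433(domain users) "
                    "groups=1834290433(domain users),1834290513(srv-admin)")
# Winbind view for the same user: only groups with a gidNumber in AD appear,
# so (by assumption) srv-admin is missing and "domain users" maps to 20000513.
SAMPLE_WBINFO_OUTPUT = "20000513\n"

EXPLAIN = {
    "range_exceeds_32bit": "idmap range upper bound does not fit a 32-bit gid",
    "group_unknown_to_nss": "NSS cannot resolve the directory's group at all",
    "gid_outside_ad_range": "gid is outside the AD idmap range, so winbind did not produce it",
    "gid_missing_from_winbind_token": "gid is not in winbind's token: SMB access is denied",
    "gid_in_winbind_token": "gid is in winbind's token: look at the ACLs instead",
}

def parse_id_output(text):
    """Map group name -> gid from `id <user>` output (the NSS view an SSH login gets)."""
    groups_part = re.search(r"groups=(.+)$", text.strip()).group(1)
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"(\d+)\(([^)]*)\)", groups_part)}

def parse_wbinfo_groups(text):
    """Set of gids from `wbinfo --user-groups <user>` (what winbind hands to smbd)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def diagnose(nss_groups, winbind_gids, dir_group):
    """Return finding codes explaining whether dir_group's gid reaches the SMB token."""
    findings = []
    low, high = DOMAIN_RANGE
    if high > MAX_ID:
        findings.append("range_exceeds_32bit")
    gid = nss_groups.get(dir_group)
    if gid is None:
        return findings + ["group_unknown_to_nss"]
    if not low <= gid <= high:
        findings.append("gid_outside_ad_range")
    findings.append("gid_in_winbind_token" if gid in winbind_gids
                    else "gid_missing_from_winbind_token")
    return findings

def run_sample():
    """Diagnose the thread's /share/dir1 case (group srv-admin) on the sample data."""
    return diagnose(parse_id_output(SAMPLE_ID_OUTPUT),
                    parse_wbinfo_groups(SAMPLE_WBINFO_OUTPUT), "srv-admin")

if __name__ == "__main__":
    for code in run_sample():
        print(f"{code}: {EXPLAIN[code]}")
```

On a real host, replace the two sample strings with the output of the named commands run for the affected user; a gid that NSS reports but winbind does not is the same symptom the logs in the first post describe.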
André Aun
2020-Nov-11 10:00 UTC
[Samba] Samba4 with AD + Linux ACL's - permission problem
Rowland, thanks for pointing me in the right direction. I will now drive 100 km to get to the customer's office, and the first thing I will do is read this document. I have been scratching my head for some days on this problem.

If I consider only my Samba share (forgetting about NFS, etc.), why am I getting a permission denied error with user1?

Regards,
André Aun

On Wed, 11 Nov 2020 at 05:50, Rowland penny via samba <samba at lists.samba.org> wrote:
> Oh lots, one of which is that you only have one share and you are not only sharing it via Samba, you are also sharing it via NFS and they use different ACLs.
>
> Can I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Rowland