[Samba] Using filegroup for access control within a share

Trond Hasle Amundsen t.h.amundsen at usit.uio.no
Wed Feb 10 09:41:03 UTC 2016


On Wed, 2016-02-10 at 09:20 +0000, Rowland penny wrote:
> On 10/02/16 07:44, Trond Hasle Amundsen wrote:
> > On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
> >> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
> >>> Hi,
> >>>
> >>> I have an issue with using a UNIX filegroup for access control within a
> >>> share. The situation is like this:
> >>>
> >>> Given a share "test" which exports "/test" to a NIS netgroup "foo", I
> >>> want to limit access to the directory "/test/restricted" to a specific
> >>> filegroup "bar". All members of the filegroup "bar" are also members of
> >>> the netgroup "foo".
> >>>
> >>> This works fine with Samba 3.x, but not with Samba 4.x. When setting
> >>> owner/group to root/bar on "/test/restricted" and mode=770, access is
> >>> denied for all users.
> >>>
> >>> What can I do to make this work with Samba 4.x? Or is this simply not
> >>> possible anymore?
> >> More details and smb.conf on exactly how you've set this up please !
> > Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know
> > if more information is needed, or if there is something you'd like me to
> > try.
> >
> > [global]
> >          auto services = homes
> >          load printers = yes
> >          print command = /usr/bin/ppr -r -P%p -J@%m -Xprint_errors=false -u%u@%M -Xsmbclient=true -Xusepstitle=true %s
> >          printing = bsd
> >          lpq command = /usr/bin/ppq -P%p
> >          lpq cache time = 30
> >          socket options = SO_KEEPALIVE TCP_NODELAY
> >          deadtime = 60
> >          unix charset = UTF8
> >          unix extensions = no
> >          wide links = yes
> >          follow symlinks = yes
> >          max protocol = SMB3
> >          security = ads
> >          client ntlmv2 auth = yes
> >          lanman auth = no
> >          ntlm auth = no
> >          server schannel = yes
> >          client signing = auto
> >          password server = *
> >          realm = EXAMPLE.COM
> >          workgroup = EXAMPLE
> >          disable netbios = yes
> >          hostname lookups = yes
> >          syslog = 0
> >          time server = yes
> >          domain logons = no
> >
> > [homes]
> >          comment = Home
> >          veto files = /.rsrc/
> >          delete veto files = yes
> >          nt acl support = no
> >          inherit permissions = yes
> >          guest ok = no
> >          invalid users = root
> >          browsable = no
> >          read only = no
> >          strict locking = no
> >
> > [test]
> >          path = /test
> >          create mode = 0774
> >          directory mode = 0775
> >          browseable = yes
> >          public = no
> >          guest ok = no
> >          read only = no
> >          invalid users = root
> >          valid users = @foo
> >          veto files = /.??*/
> >
> >
> > The directory /test contains:
> >
> > -rwxrwxr-x. 1 root foo     0 Dec  9 16:26 file1.txt
> > -rwxrwxr-x. 1 root foo     0 Dec  9 16:26 file2.txt
> > drwxrwx---. 2 root bar    36 Dec  9 16:32 restricted
> >
> > The group "foo" is both filegroup and netgroup, containing the same
> > members. Samba version used is 4.2.3 (rhel7.2).
> 
> Are you using sssd or nslcd instead of winbind?

SSSD is running, configured to use an OpenLDAP server (i.e. not AD) as
id and auth provider. We're not using nslcd. AD does not have the UNIX
extension (or whatever it's called), so UIDs and GIDs will differ
between AD and OpenLDAP/SSSD. Samba is the only service that uses AD.

We're running winbindd, simply because we experienced instability (can't
remember the details) without it on Samba 4.2/rhel7. We're not running
winbindd on Samba 3.6/rhel6. Winbind is running unconfigured (with
default configuration).

Regards,
-- 
Trond H. Amundsen <t.h.amundsen at usit.uio.no>
Center for Information Technology Services, University of Oslo




