[Samba] howto achieve 'hide unreadable' for msdfs symlinks

[Kees van Vloten]

On 16-04-2024 16:21, Konrad Jacobi via samba wrote:
> hi,
> on a samba domain member file server i'm using dfs root shares with 
> multiple msdfs symlinks pointing to other shares (on the same server), 
> which works fine. These linked shares have different access rights, 
> therefore a user might have access to one linked share but not to 
> another.
>
Another option is to specify the dfsroot "links" completely in smb.conf, 
like

[home]
         msdfs root = yes
         msdfs proxy = \fileserver\home
         comment = Home directory

Although  it does not support the hiding you want, at least it does not 
have requirements on the filesystem. Perhaps (@Jeremy) it is easier to 
implement some hiding mechanism on top of this configuration?

- Kees.


> Is there any option to hide msdfs-symlinks to shares that a user 
> cannot read? (the same as 'hide unreadable = yes' does for regular files)
>
> Windows Server does support what i need, i'm using calls like this on 
> windows: 'dfsutil property acl grant \\[server or namespace]\[the 
> link] [group|user]:RXW protect'. That's also available in dfsmgmt.msc 
> on a folder's properties.
>
> I thought of the "hide unreadable" option, but it only works on files 
> and directories, not symlinks (no surprise as symlinks are 777).
> My last idea was vfs_xattr, but it does not help either. I tried to 
> force xattr to symlinks via 'setfattr -h -n security.NTACL -v ... 
> [file]' and hoped it would be evaluated for the symlink by samba - 
> that doesn't seem to be the case.
> As dfs-symlinks are resolved by the client, the linked share's rights 
> could only be checked after resolving and accessing the symlinked 
> share by the client. To hide the symlink from the client, the server 
> would have to resolve the symlink or evaluate some ACL on the symlink 
> before (as mentioned above).
>
> I'd be grateful for ideas
> thanks
>
>
>