[Samba] Samba 4 security

steve steve at steve-ss.com
Sun Dec 4 01:04:18 MST 2011

On 03/12/11 17:32, Matthieu Patou wrote:
> Steve
>>> Beware that on the machine where the Samba 4 DC is running, files / folders
>>> need to have the gid/uid of your AD users, not of your Linux users.
> Did you read this ^.
>> Did a git pull ./configure.developer make and make install about an
>> hour ago.
>> And, well, something has changed. Now neither user can create nor
>> delete files!
>> smbclient //hh3/homes
>> Password for [HH1\steve]:
>> smb: \> ls
>> . D 0 Wed Nov 30 20:37:48 2011
>> .. D 0 Fri Dec 2 07:15:17 2011
>> lynn D 0 Thu Dec 1 13:25:45 2011
>> steve D 0 Fri Dec 2 11:50:09 2011
>> 29284192 blocks of size 512. 10550432 blocks available
>> smb: \> cd lynn
>> smb: \lynn\> mkdir h
>> NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
>> smb: \lynn\> cd ../steve
>> smb: \steve\> mkdir h
>> NT_STATUS_ACCESS_DENIED making remote directory \steve\h
>> smb: \steve\>
>> This has something to do with uid/gid no? But wait, both steve and
>> lynn _are_ AD users who just happen to have linux accounts.
> No, there is something that you misunderstand: in order to do the file
> access control, Samba needs to know on behalf of which uid/gid the
> accesses are done.
> With the Samba 3.x series you had different ways of doing this mapping, or
> you created unix users that have the same name as the user declared in
> Samba (either in the local SAM or in the NT domain SAM), but most of the
> time now it's winbind that is used. In Samba AD there is just the
> winbind solution, as the other solutions didn't have any real interest in
> the context of an Active Directory domain.
> So what does winbind do? It allocates a UID to users and a GID to groups;
> in a database it stores the association SID<->UID/GID, and the next time
> it is asked to translate the same SID to a UID/GID it will use the value
> in its database.
> In your particular case, when you connect to the Samba AD with smbclient
> as AD user steve and try to create a dir, the server checks the
> security.NTACL extended attribute; as it didn't exist, it knows that it
> will have to translate the POSIX rights to NT ACLs. At this moment, in
> order to know if you are the owner of the parent directory or in the group
> of the parent directory, it will ask its internal winbind to translate the
> user's SID and the SIDs of the user's groups to a UID and GIDs, and it will
> turn out that the UID of unix user steve is not at all the UID of AD user
> steve (which is in the 3000000+ range); as the other translated POSIX
> rights didn't give any write right to the AD user, the directory was not
> created.
>> How do I change the gid/uid of my linux users to the gid/uid of the AD
>> users? Is there a script? But that shouldn't matter, no?
>> Thinking you may want more info I'll leave it as it is for now. The
>> users are the same as they were before the new build. I did not delete
>> and recreate them.
> Sure, this is the expected behavior; before, there was a bug in the POSIX
> to NT ACL translation that granted the write right even if you had just
> the read and execute rights. You can have the details by looking at this
> changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67
> I don't really know your case, but I think it's not such a problem (at
> least so far nobody complained): on the DC you don't need to create unix
> accounts for the AD users. As you need to create a directory for each
> user, there are a couple of solutions:
> 1) change the rights on the directory that is shared as "home" so that
> the group has write rights, then change the group to be users (that's
> because we map the Domain Users group to the users unix group)
> 2) for each user, connect using smbclient and create the directory of
> this user
> or
> For each user, use wbinfo -i <ad_user>, then create a folder for this
> user and use the uid obtained with wbinfo to set the owner of the
> directory.
> For instance, on my test server I have:
> ./bin/wbinfo -i steve
> MATWS\steve:*:3000010:100::/home/MATWS/steve:/bin/false
> Note: first you have to do a ./bin/wbinfo -u, and beware that the first
> time it is _slow_.
> Matthieu.
Hi Matthieu

Thanks for your patience. Yes, your clear explanation is excellent. I'm 
going to try it as soon as I get Samba 4 running again.

I reinstalled from nothing to get a clean slate. Now, DNS isn't working. 
The method of configuring as outlined in the wiki doesn't work anymore. 
The dns files in /usr/local/samba/private  have changed since my first 
install last week:( I've another thread open on this.

Thanks again
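The last of Matthieu's options (look each AD user up with wbinfo -i, then create the user's folder and chown it to the winbind-allocated uid/gid) as an added script; this is an example written for this page, not code from the thread or from the Samba project. It assumes wbinfo at /usr/local/samba/bin/wbinfo and a home share rooted at /usr/local/samba/homes (both overridable through environment variables), uses mode 0700 for the per-user directory (my choice, not from the thread), and warns when a local Unix account of the same name exists with a different uid, which is the situation Steve hit: the share's access check is done with winbind's uid, so the local account's uid is irrelevant.

```shell
#!/bin/sh
# provision_homes.sh: create per-user home directories on a Samba 4 DC owned by
# the uid/gid that winbind allocated to each AD user.
# Assumptions (not from the thread): paths below, 0700 for the user directory.
set -u

WBINFO="${WBINFO:-/usr/local/samba/bin/wbinfo}"
HOME_SHARE="${HOME_SHARE:-/usr/local/samba/homes}"   # assumed share root
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print, don't touch disk

# wbinfo -i prints a passwd-style line, e.g.
#   MATWS\steve:*:3000010:100::/home/MATWS/steve:/bin/false
# Fields: name:password:uid:gid:gecos:home:shell. The domain separator is a
# backslash, so split on ':' only and never reinterpret field 1.
wbinfo_field() {   # $1 = passwd-style line, $2 = field number
    printf '%s\n' "$1" | cut -d: -f"$2"
}
wbinfo_uid() { wbinfo_field "$1" 3; }
wbinfo_gid() { wbinfo_field "$1" 4; }

# wbinfo -i on an unknown user prints an error instead of a passwd line, so
# refuse anything that is not a plain non-empty number before calling chown.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# A local /etc/passwd account with the same name but another uid does not
# help: Samba's POSIX-to-NT-ACL check uses winbind's uid, not the local one.
warn_local_uid_mismatch() {   # $1 = user, $2 = uid allocated by winbind
    local_uid=$(getent passwd "$1" 2>/dev/null | cut -d: -f3)
    if [ -n "$local_uid" ] && [ "$local_uid" != "$2" ]; then
        printf 'warning: local user %s has uid %s, winbind allocated %s\n' \
            "$1" "$local_uid" "$2" >&2
        return 1
    fi
    return 0
}

provision_home() {   # $1 = AD user name as wbinfo knows it (bare, no domain)
    user=$1
    line=$("$WBINFO" -i "$user") || { echo "wbinfo -i $user failed" >&2; return 1; }
    uid=$(wbinfo_uid "$line")
    gid=$(wbinfo_gid "$line")
    is_numeric "$uid" && is_numeric "$gid" || { echo "cannot parse: $line" >&2; return 1; }
    warn_local_uid_mismatch "$user" "$uid" || true
    dir="$HOME_SHARE/$user"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'mkdir -p %s && chown %s:%s %s\n' "$dir" "$uid" "$gid" "$dir"
        return 0
    fi
    mkdir -p "$dir" && chown "$uid:$gid" "$dir" && chmod 0700 "$dir"
}

# With no arguments, provision every user winbind lists (DOMAIN\user, domain
# part stripped; user names with spaces are not handled). Run wbinfo -u first,
# as the thread advises: the first enumeration populates the SID<->UID map
# and is slow.
main() {
    "$WBINFO" -u >/dev/null || exit 1
    if [ $# -eq 0 ]; then
        set -- $("$WBINFO" -u | sed 's/^[^\\]*\\//')
    fi
    for u in "$@"; do provision_home "$u"; done
}

if [ "${0##*/}" = "provision_homes.sh" ]; then main "$@"; fi
```

Run it as root on the DC with DRY_RUN=1 first to see the mkdir/chown pairs it would execute, then without. If the warning about a local uid mismatch appears, the local account can stay, but nothing in the share should be owned by that local uid.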
