[Samba] FreeNAS/Samba Group Permissions with LDAP

Charles Tryon charles.tryon at gmail.com
Thu Dec 8 14:50:29 MST 2011 

I'm not sure if this is an LDAP issue, a Samba issue, a BSD issue or a
FreeNAS issue...

I'm working at migrating a large block of file shares from an aging
CentOS/Samba 3.0.9 server to a FreeNAS (8.0.2) server.  (The FreeNAS box is
running FreeBSD 8.2-RELEASE-p3 and Samba 3.5.11.)  I will eventually be
migrating the entire domain and user base off of that server, but for the
time being, I have set up a process where I mirror the user and group
information from the Samba 3 domain to an LDAP (fedora 389) server.  (Long
story...)  I'm syncing the actual folders from the current production
server to the FreeNAS volumes, through either NFS or rsync.  This maintains
all the original group and owner permissions on the files and directories.

One of the things I like about the FreeNAS server is that it can be
configured to talk to either AD (MS or Samba4) or LDAP.  I have logged in
to the NAS and using the "getent" command, confirmed that it correctly
understands both the users and the groups from LDAP.  One interesting
difference between LDAP and AD is that, when you use "getent passwd" (or
"getent group"), the AD users are of the form "DOMAIN\username", while the
LDAP users just list the name.

THE PROBLEM I AM SEEING is in setting access permissions based on secondary
group membership.

When I use the simple Unix owner/group/other permissions on our original
Samba server, I can effectively control which Windows users have permission
to read or write to files and folders based on what group owns the files,
and the groups the users are a member of.  I can also specify through the
Samba configuration which groups are allowed to map the share ("valid users
= @groupname").

However, my observation in FreeNAS is that, using LDAP, THIS DOESN'T WORK.
If I set the Unix folder permissions in a share to "770", then the actual
owner of the file/folder can open it up, but not other users who are in the
group.  The only way to grant access to other users is to set the
permissions to "777" and open it up to the world.  Also, the "valid users"
parameter in the Samba conf file doesn't work with a group name.  If I
specify a group, then noone can map the share.

One interesting thing is, if I use AD (Samba4) as the source of users and
groups, and the group based permissions (either "valid users" or through
Unix group permissions) all seem to work as expected, both to allow and
disallow users by their group membership.

I've done a great deal of googling around, and have found lots of people
reporting similar problems, but no one with a solution...  :-(  Is there
any way to check how the Samba subsystem on the FreeNAS server is
validating group membership?


/etc/local/smb.conf (generated through the FreeNAS GUI):
[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    netbios name = freenas2
    workgroup = OMUSA
    server string = FreeNAS Server
    large readwrite = no
    ea support = yes
    store dos attributes = yes
    local master = yes
    security = user
    passdb backend = ldapsam:ldap://abraham
    ldap admin dn = cn=Directory manager
    ldap suffix = dc=usa,dc=om,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap ssl = off
    ldap replication sleep = 1000
    ldap passwd sync = yes
    #ldap debug level = 1
    #ldap debug threshold = 1
    ldapsam:trusted = yes
    idmap uid = 10000-39999
    idmap gid = 10000-39999
    create mask = 0666
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 10
    aio read size = 1
    aio write size = 1

[homes]
    comment = Home Directories
    valid users = %U
    writable = yes
    browseable = no
    path = /mnt/Vol1/home/users/%U

[dept-it]
    path = /mnt/Vol1/groups/computer
    printable = no
    veto files = /.snap/.windows/
    comment = IT Department
    writeable = yes
    browseable = yes
    inherit owner = no
    inherit permissions = no
    vfs objects = zfsacl
    hosts allow = 10.4.0.0/23
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
valid users=@computer

-- 
    Charles Tryon
_________________________________________________________________________
      "It's the job that's never started that takes longest to finish."
                                 -- Samwise Gamgee

More information about the samba mailing list