[Samba] Using filegroup for access control within a share
Rowland penny
rpenny at samba.org
Wed Feb 10 09:57:18 UTC 2016
On 10/02/16 09:41, Trond Hasle Amundsen wrote:
> On Wed, 2016-02-10 at 09:20 +0000, Rowland penny wrote:
>> On 10/02/16 07:44, Trond Hasle Amundsen wrote:
>>> On Tue, 2016-02-09 at 15:17 -0800, Jeremy Allison wrote:
>>>> On Mon, Feb 08, 2016 at 01:54:33PM +0100, Trond Hasle Amundsen wrote:
>>>>> Hi,
>>>>>
>>>>> I have an issue with using a UNIX filegroup for access control within a
>>>>> share. The situation is like this:
>>>>>
>>>>> Given a share "test" which exports "/test" to a NIS netgroup "foo", I
>>>>> want to limit access to the directory "/test/restricted" to a specific
>>>>> filegroup "bar". All members of the filegroup "bar" are also members of
>>>>> the netgroup "foo".
>>>>>
>>>>> This works fine with Samba 3.x, but not with Samba 4.x. When setting
>>>>> owner/group to root/bar on "/test/restricted" and mode=770, access is
>>>>> denied for all users.
>>>>>
>>>>> What can I do to make this work with Samba 4.x? Or is this simply not
>>>>> possible anymore?
>>>> More details and smb.conf on exactly how you've set this up please !
>>> Thanks Jeremy, the (slightly sanitized) smb.conf is below. Let me know
>>> if more information is needed, or if there is something you'd like me to
>>> try.
>>>
>>> [global]
>>>     auto services = homes
>>>     load printers = yes
>>>     print command = /usr/bin/ppr -r -P%p -J@%m -Xprint_errors=false -u%u@%M -Xsmbclient=true -Xusepstitle=true %s
>>>     printing = bsd
>>>     lpq command = /usr/bin/ppq -P%p
>>>     lpq cache time = 30
>>>     socket options = SO_KEEPALIVE TCP_NODELAY
>>>     deadtime = 60
>>>     unix charset = UTF8
>>>     unix extensions = no
>>>     wide links = yes
>>>     follow symlinks = yes
>>>     max protocol = SMB3
>>>     security = ads
>>>     client ntlmv2 auth = yes
>>>     lanman auth = no
>>>     ntlm auth = no
>>>     server schannel = yes
>>>     client signing = auto
>>>     password server = *
>>>     realm = EXAMPLE.COM
>>>     workgroup = EXAMPLE
>>>     disable netbios = yes
>>>     hostname lookups = yes
>>>     syslog = 0
>>>     time server = yes
>>>     domain logons = no
>>>
>>> [homes]
>>>     comment = Home
>>>     veto files = /.rsrc/
>>>     delete veto files = yes
>>>     nt acl support = no
>>>     inherit permissions = yes
>>>     guest ok = no
>>>     invalid users = root
>>>     browsable = no
>>>     read only = no
>>>     strict locking = no
>>>
>>> [test]
>>>     path = /test
>>>     create mode = 0774
>>>     directory mode = 0775
>>>     browseable = yes
>>>     public = no
>>>     guest ok = no
>>>     read only = no
>>>     invalid users = root
>>>     valid users = @foo
>>>     veto files = /.??*/
>>>
>>>
>>> The directory /test contains:
>>>
>>> -rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file1.txt
>>> -rwxrwxr-x. 1 root foo 0 Dec 9 16:26 file2.txt
>>> drwxrwx---. 2 root bar 36 Dec 9 16:32 restricted
>>>
>>> The group "foo" is both filegroup and netgroup, containing the same
>>> members. Samba version used is 4.2.3 (rhel7.2).
>> Are you using sssd or nslcd instead of winbind ?
> SSSD is running, configured to use an OpenLDAP server (i.e. not AD) as
> id and auth provider. We're not using nslcd. AD does not have the UNIX
> extension (or whatever it's called), so UIDs and GIDs will differ
> between AD and OpenLDAP/SSSD. Samba is the only service that uses AD.
If sssd is running and you are *not* using winbind for auth, then Samba
is probably not your problem.
At the moment I think that Samba knows nothing about your groups in
OpenLDAP.
I think you are going to have to choose between using Samba with AD or
using Samba with OpenLDAP as its auth source.
Rowland
>
> We're running winbindd, simply because we experienced instability (can't
> remember the details) without it on Samba 4.2/rhel7. We're not running
> winbindd on Samba 3.6/rhel6. Winbind is running unconfigured (with
> default configuration).
>
> Regards,
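A way to see the mismatch Rowland is pointing at on the server itself, added here as an example and not taken from the thread or from the Samba project: it lists the groups that the host's NSS stack (SSSD over OpenLDAP in this setup) and winbind each resolve for a user, then flags the groups only NSS knows about. It assumes `wbinfo -r` is available whenever winbindd is running; the user name "trond" in the usage line is made up, and the script only shows the two views, it does not decide which of them smbd consults when it evaluates the 0770 root:bar directory.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread; it is not code from the
# mailing list or from the Samba project. The account name "trond" used in the
# usage line is constructed; "bar" is the UNIX group from the thread.

# missing_groups WANT HAVE
#   Print each name in WANT (space-separated) that does not occur in HAVE.
#   Pure shell, so it can be exercised without winbind or LDAP on the host.
missing_groups() {
    want=$1
    have=$2
    for g in $want; do
        found=no
        for h in $have; do
            [ "$g" = "$h" ] && found=yes
        done
        [ "$found" = no ] && printf '%s\n' "$g"
    done
    return 0
}

# nss_groups USER
#   Groups as the host's NSS stack reports them (in the thread: SSSD backed by
#   OpenLDAP). This is the view that owner/group/mode on /test/restricted is
#   expressed in.
nss_groups() {
    id -nG "$1" 2>/dev/null
}

# winbind_groups USER
#   Groups winbind resolves for the AD account. "wbinfo -r" prints GIDs, which
#   getent maps back to names. Prints nothing if wbinfo is absent or the user
#   is unknown to winbind.
winbind_groups() {
    command -v wbinfo >/dev/null 2>&1 || return 0
    for gid in $(wbinfo -r "$1" 2>/dev/null); do
        getent group "$gid" | cut -d: -f1
    done
}

# check_user USER GROUP
#   Show both views side by side and list the groups only NSS knows about.
#   Returns 0 when GROUP is visible from both sources, 1 otherwise.
check_user() {
    user=$1
    group=$2
    nss=$(nss_groups "$user" | tr '\n' ' ')
    wb=$(winbind_groups "$user" | tr '\n' ' ')
    printf 'NSS groups for %s:     %s\n' "$user" "$nss"
    printf 'winbind groups for %s: %s\n' "$user" "$wb"
    only_nss=$(missing_groups "$nss" "$wb" | tr '\n' ' ')
    [ -n "$only_nss" ] && printf 'known to NSS only:     %s\n' "$only_nss"
    rc=0
    [ -z "$(missing_groups "$group" "$nss")" ] || { printf '%s is NOT in %s per NSS\n' "$user" "$group"; rc=1; }
    [ -z "$(missing_groups "$group" "$wb")" ] || { printf '%s is NOT in %s per winbind\n' "$user" "$group"; rc=1; }
    return $rc
}

# Usage on the Samba host, e.g.:  sh check_groups.sh trond bar
if [ "$#" -ge 1 ]; then
    check_user "$1" "${2:-bar}"
fi
```

Run it on the Samba host as the usage line shows. If "bar" turns up under "known to NSS only", the group exists for the filesystem but not for winbind, which is the split between OpenLDAP and AD that Rowland describes. Note that the `@foo` form in `valid users` is documented in smb.conf(5) as checking the NIS netgroup first and falling back to the UNIX group, so the share-level check and the directory-level check are not necessarily answered by the same source.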