[Samba] Samba not respecting directory acls inside a share

[Fabian Fritz]

Am Di., 20. Nov. 2018 um 20:27 Uhr schrieb Jeremy Allison <jra at samba.org>:
>
> On Tue, Nov 20, 2018 at 07:19:40PM +0100, Fabian Fritz via samba wrote:
> > Hi,
> >
> > we are running Samba 4.9.2 on Solaris 10 connected to AD as a member
> > with some share:
> >
> > [refb]
> > path = /samba/refb
> > browseable = no
> > valid users = +"AM\refb_users"
> > writeable = yes
> > force user = AM\qui
> > force group = AM\refb_users
> >
> > All the samba users and groups come from AD through nss_winbind.
> >
> > Inside /samba/refb/ I created a sub directory test_a and set the owner
> > (in Solaris via chown) to AM\refba_users. I also set chmod 770. My
> > assumption would be that anyone that is a member of group refb_users
> > should be able to access the share and those who are also members of
> > the group refba_users should be able to read and write to the
> > directory test_a.
> >
> > But actually when I access the share as a member of refb_users (which
> > works) on a Windows Client I am also able to access the directory
> > test_a, even though I am not a member of the owner group refba_users.
> > I would expect that Samba examines the POSIX owner group and denies
> > access to anyone who is not a member of that group.
>
> Anyone who access the share is being forced to be
>
> uid = AM\qui
> primary gid = AM\refb_users
>
> so all users accessing this share are being seen
> as the same user/group. That's what setting "force user"
> and "force group" does.

Ah, okay - but still: the owner group is AM\refba_users and AM\qui is
not a member of that group. So even if someone is "forced" to be user
AM\qui with group AM\refb_users, they shouldn't be able to access a
directory owned by AM\refba_users.