[Samba] Nested groups and machine account share access

Marko Cupać marko.cupac at mimar.rs
Fri Sep 30 11:44:57 UTC 2022


Hi,

I have a share which is to be used for exporting mailboxes from the
Exchange server to .pst files:

[pstexport]
  path        = /zfspool01/smb/pstexport
  read only   = no
  vfs objects = zfsacl acl_xattr
  acl_xattr:ignore system acls = yes
  map acl inherit = yes
  inherit owner = yes

This share has the following ACL ("MYDOMAIN\samba admins" have full
permissions, "MYDOMAIN\samba_pstexport_rw" have modify permissions):

# file: /zfspool01/smb/pstexport
# owner: MYDOMAIN\samba admins
# group: MYDOMAIN\samba admins
group:MYDOMAIN\samba admins:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\samba_pstexport_rw:rwxp-daARWc---:fd-----:allow
         everyone@:--------------:fd----I:allow

User accounts which are members of the "MYDOMAIN\samba_pstexport_rw"
group can access the share and create, modify and delete files and folders
inside of it.

Now, this share should also be accessible by "MYDOMAIN\exchange
trusted subsystem" group, as described here:

https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps#description

If I add "MYDOMAIN\exchange trusted subsystem" group into
"MYDOMAIN\samba_pstexport_rw" group and attempt an export, it does not
succeed. I get this message in Exchange:

Unable to open PST file '\\MYSAMBASERVER\pstexport\test.pst'.
Error details: Access to the path '\\MYSAMBASERVER\pstexport\test.pst'
is denied.

In log.smbd I see the following:

[2022/09/30 13:09:12.744930,  0]
../../source3/smbd/service.c:183(chdir_current_service)
chdir_current_service: vfs_ChDir(/zfspool01/smb/pstexport) failed:
Permission denied. Current token: uid=2022741, gid=2000515, 10 groups:
2022741 2000515 2005132 2010718 2005123 2005124 2005125 1000003 1000004
1000006

However, if I grant "MYDOMAIN\exchange trusted subsystem" group modify
right directly on the share, so it becomes:

# file: /zfspool01/smb/pstexport
# owner: MYDOMAIN\samba admins
# group: MYDOMAIN\samba admins
group:MYDOMAIN\exchange trusted subsystem:rwxp-daARWc---:fd-----:allow
group:MYDOMAIN\samba admins:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\samba_pstexport_rw:rwxp-daARWc---:fd-----:allow
         everyone@:--------------:fd----I:allow

...export succeeds.

It appears that the Exchange server is authenticating with its machine account:

me at mybox:~ % getent passwd 2022741
MYDOMAIN\exchgsrv01$:*:2022741:2000515::/home/MYDOMAIN/exchgsrv01_:/bin/tcsh

Is there a way to make this work by means of nested group membership?

Thank you in advance,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
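The log line quoted in the post already contains the decisive evidence: smbd prints the full token (uid, primary gid and every supplementary GID) it is about to use for the share connection, and an ACL entry can only ever match a GID that is in that list. The script below is an added example by the editor, not code from the post or from the Samba project: it parses that exact token line, resolves each group that holds an ACE on the share to a GID, and reports which ACEs the token can satisfy. The GID table in lookup_gid is a constructed placeholder (on the Samba host you would use getent group instead); the values chosen for samba_pstexport_rw and exchange trusted subsystem are assumptions that reproduce the symptom described, not values taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether the token smbd
# logged for the denied connection carries the GID that an ACL entry on the
# share is granted to. A nested membership that was not expanded into the
# token cannot satisfy that entry, whatever the ACL says.

# The token line from the post's log.smbd excerpt, embedded here as input.
TOKEN_LINE='chdir_current_service: vfs_ChDir(/zfspool01/smb/pstexport) failed: Permission denied. Current token: uid=2022741, gid=2000515, 10 groups: 2022741 2000515 2005132 2010718 2005123 2005124 2005125 1000003 1000004 1000006'

# Print every distinct GID in the token, one per line: the primary gid plus
# the supplementary list that follows "groups:".
token_gids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*gid=\([0-9][0-9]*\),.*groups: *\(.*\)$/\1 \2/p' \
        | tr ' ' '\n' \
        | sed '/^$/d' \
        | sort -u
}

# Number of distinct GIDs in the token.
token_gid_count() {
    token_gids "$1" | grep -c .
}

# Exit 0 if the token contains GID $2, 1 otherwise.
token_has_gid() {
    token_gids "$1" | grep -qx "$2"
}

# Resolve an ACL principal to a GID. On the Samba host this would be
#   getent group "$1" | cut -d: -f3
# The table below is a constructed placeholder so the example runs offline;
# the GIDs are assumptions, not values from the post.
lookup_gid() {
    case "$1" in
        'MYDOMAIN\samba admins')               echo 2099002 ;;  # assumed: not in token
        'MYDOMAIN\samba_pstexport_rw')         echo 2099001 ;;  # assumed: not in token
        'MYDOMAIN\exchange trusted subsystem') echo 2005132 ;;  # assumed: in token
        *) return 1 ;;
    esac
}

# Exit 0 if the ACE granted to group $2 can match the token in $1.
ace_matchable() {
    gid=$(lookup_gid "$2") || return 1
    token_has_gid "$1" "$gid"
}

# Report, for each group ACE on the share, whether the logged token matches it.
report() {
    for grp in 'MYDOMAIN\samba admins' \
               'MYDOMAIN\samba_pstexport_rw' \
               'MYDOMAIN\exchange trusted subsystem'; do
        if ace_matchable "$TOKEN_LINE" "$grp"; then
            printf 'MATCH   %s (gid %s is in the token)\n' "$grp" "$(lookup_gid "$grp")"
        else
            printf 'NOMATCH %s (gid %s absent from token)\n' "$grp" "$(lookup_gid "$grp")"
        fi
    done
}

report
```

Run it on the Samba host with the real getent lookup swapped in and the token line pasted from log.smbd; if the GID of the group you nested into is reported as absent, the nested membership was not expanded into the session token, which is exactly what a direct ACE for the authenticating group's own GID (the workaround in the post) sidesteps. The token logged by smbd is the authoritative one for that session, so prefer it over the output of id on the host when they disagree.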
