[Samba] Nested groups and machine account share access
Marko Cupać
marko.cupac at mimar.rs
Fri Sep 30 11:44:57 UTC 2022
Hi,

I have a share which is to be used for exporting mailboxes from an
Exchange server to .pst files:
[pstexport]
path = /zfspool01/smb/pstexport
read only = no
vfs objects = zfsacl acl_xattr
acl_xattr:ignore system acls = yes
map acl inherit = yes
inherit owner = yes
This share has the following ACL ("MYDOMAIN\samba admins" has full
permissions, "MYDOMAIN\samba_pstexport_rw" has modify permissions):
# file: /zfspool01/smb/pstexport
# owner: MYDOMAIN\samba admins
# group: MYDOMAIN\samba admins
group:MYDOMAIN\samba admins:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\samba_pstexport_rw:rwxp-daARWc---:fd-----:allow
everyone@:--------------:fd----I:allow
User accounts which are members of the "MYDOMAIN\samba_pstexport_rw"
group can access the share and create, modify and delete files and
folders inside it.
Now, this share should also be accessible by the "MYDOMAIN\exchange
trusted subsystem" group, as described here:
https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps#description
If I add the "MYDOMAIN\exchange trusted subsystem" group to the
"MYDOMAIN\samba_pstexport_rw" group and attempt an export, it does not
succeed. I get this message in Exchange:
Unable to open PST file '\\MYSAMBASERVER\pstexport\test.pst'.
Error details: Access to the path '\\MYSAMBASERVER\pstexport\test.pst'
is denied.
In log.smbd I see the following:
[2022/09/30 13:09:12.744930, 0]
../../source3/smbd/service.c:183(chdir_current_service)
chdir_current_service: vfs_ChDir(/zfspool01/smb/pstexport) failed:
Permission denied. Current token: uid=2022741, gid=2000515, 10 groups:
2022741 2000515 2005132 2010718 2005123 2005124 2005125 1000003 1000004
1000006
However, if I grant the "MYDOMAIN\exchange trusted subsystem" group modify
rights directly on the share, so it becomes:
# file: /zfspool01/smb/pstexport
# owner: MYDOMAIN\samba admins
# group: MYDOMAIN\samba admins
group:MYDOMAIN\exchange trusted subsystem:rwxp-daARWc---:fd-----:allow
group:MYDOMAIN\samba admins:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\samba_pstexport_rw:rwxp-daARWc---:fd-----:allow
everyone@:--------------:fd----I:allow
...export succeeds.
It appears that the Exchange server is authenticating with its machine account:
me at mybox:~ % getent passwd 2022741
MYDOMAIN\exchgsrv01$:*:2022741:2000515::/home/MYDOMAIN/exchgsrv01_:/bin/tcsh
Is there a way to make this work by means of nested group membership?
Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
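The smbd log line above already says which gids were in the machine account's token when chdir failed; what the denial comes down to is whether any ACE on the share matches one of those gids. Below is an added diagnostic (not from the thread or from Samba) that parses the "Current token:" line and the getfacl listing and reports which ACE, if any, grants the token access. The name-to-gid map is a hypothetical assumption; on a real host those gids come from `getent group`.

```python
import re

# Constructed inputs: the smbd log line from the thread (re-joined onto one line), the two
# getfacl listings, and a HYPOTHETICAL name->gid map (real values come from `getent group`).
TOKEN_LINE = ("Permission denied. Current token: uid=2022741, gid=2000515, 10 groups: "
              "2022741 2000515 2005132 2010718 2005123 2005124 2005125 1000003 1000004 1000006")
ACL_BEFORE = """group:MYDOMAIN\\samba admins:rwxpDdaARWcCo-:fd-----:allow
group:MYDOMAIN\\samba_pstexport_rw:rwxp-daARWc---:fd-----:allow
everyone@:--------------:fd----I:allow"""
ACL_AFTER = "group:MYDOMAIN\\exchange trusted subsystem:rwxp-daARWc---:fd-----:allow\n" + ACL_BEFORE
GID_MAP = {"MYDOMAIN\\samba admins": 2000001,               # hypothetical gids
           "MYDOMAIN\\samba_pstexport_rw": 2010999,         # assumed NOT in the logged token
           "MYDOMAIN\\exchange trusted subsystem": 2005132}  # assumed to be in the token

def parse_token(line):
    """Return (uid, gid, set of all gids) from an smbd 'Current token:' log line."""
    m = re.search(r"uid=(\d+), gid=(\d+), (\d+) groups: ([\d ]+)", line)
    if not m:
        raise ValueError("no 'Current token' in line")
    groups = [int(g) for g in m.group(4).split()]
    if len(groups) != int(m.group(3)):
        raise ValueError("group count does not match the list")
    return int(m.group(1)), int(m.group(2)), set(groups) | {int(m.group(2))}

def parse_acl(text):
    """Parse getfacl (NFSv4 style) lines into (tag, principal, perms, flags, kind) tuples."""
    aces = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        head, perms, flags, kind = line.rsplit(":", 3)  # principal may contain spaces/backslash
        tag, _, principal = head.partition(":")
        aces.append((tag, principal, perms, flags, kind))
    return aces

def effective_access(token, acl_text, gid_map):
    """Permission letters granted to the token. NFSv4 rule: the first ACE naming a bit decides it."""
    _, _, gids = token
    decided = {}
    for tag, principal, perms, _, kind in parse_acl(acl_text):
        applies = tag == "everyone@" or (tag == "group" and gid_map.get(principal) in gids)
        if not applies:
            continue
        for letter in perms:
            if letter != "-" and letter not in decided:
                decided[letter] = (kind == "allow")
    return {p for p, ok in decided.items() if ok}

def groups_missing_from_token(token, acl_text, gid_map):
    """ACL groups whose gid is absent from the token: nested membership did not reach the token."""
    _, _, gids = token
    return [p for tag, p, *_ in parse_acl(acl_text) if tag == "group" and gid_map.get(p) not in gids]
```

With the first ACL no ACE matches any gid in the token, so the effective set is empty and chdir is refused; with the second ACL the direct "exchange trusted subsystem" entry matches and grants rwx.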