Dir ACL through windows and chmod


Dir ACL through windows and chmod

Samba - General mailing list
Samba-4.3.5, Debian

smb.conf
===
[global]
     workgroup = WG
     security = ADS
     realm = WG.LOCAL

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     server string = Samba 4 Client %h

     idmap config * : backend = tdb
     idmap config * : range = 2000-10000

     idmap config * : backend = rid
     idmap config * : range = 300000-400000

#    idmap config WG : backend = ad
#    idmap config WG : range = 300000-400000
#    idmap config WG : schema_mode = rfc2307

     winbind use default domain = yes
     winbind nss info = rfc2307
     winbind refresh tickets = yes

     # For ACL support on domain member
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     # Share Setting Globally
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes

     max log size = 1000
     log level = 5 vfs:1
     syslog = 5

     load printers = no
     printing = bsd
     show add printer wizard = no
     disable spoolss = yes
     printcap name = /dev/null

#======================= Share Definitions =======================

[n]
      comment = File share
      path = /mnt/n
      read only = no
     valid users = @"Domain Users" @"Domain Admins" @all
     admin users = admin @it
#    inherit acls = yes
     force create mode = 0777
     directory mask = 0770
     hide unreadable = yes

===

getfacl /mnt/n/01
===
# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx       #effective:---
default:user:u01:rwx             #effective:---
default:group::---
default:group:g01:rwx            #effective:---
default:mask::---
default:other::---
===

I need folders to be seen (and accessed) only by the appropriate
domain groups. For example, there are domain groups g01, g02, g03, etc.;
users in these groups have to see only "their" folders: u01 -
\\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03.
This is done by "hide unreadable = yes" in smb.conf, by granting access
(using the "Security" tab in Windows' folder rights) for a concrete group to
a concrete directory, and then chmod'ing this folder to 0770. But if I
then again modify ACLs through "Security" (for example, adding another
group's access to the folder), Samba sets 0777 on this folder and it becomes
"visible" to all others. And I have to set 0770 again on the Samba server.
This seems to work, but:
- not good for Windows admins, who only have to know about the "Security"
tab in folder rights;
- mixing ACLs with Unix rights makes a mess and seems not the right way to
solve the task.

What is the "right way" to do such task?



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Dir ACL through windows and chmod

Samba - General mailing list
On Wed, 12 Apr 2017 11:26:15 +0300
Dmitry via samba <[hidden email]> wrote:

> I need folders to be seen (and accessed) only by the appropriate
> domain groups. For example, there are domain groups g01, g02, g03,
> etc.; users in these groups have to see only "their" folders: u01 -
> \\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03.
> This is done by "hide unreadable = yes" in smb.conf, by granting
> access (using the "Security" tab in Windows' folder rights) for a concrete
> group to a concrete directory, and then chmod'ing this folder to 0770.
> But if I then again modify ACLs through "Security" (for example,
> adding another group's access to the folder), Samba sets 0777 on this folder
> and it becomes "visible" to all others. And I have to set 0770 again on
> the Samba server. This seems to work, but:
> - not good for Windows admins, who only have to know about the "Security"
> tab in folder rights;
> - mixing ACLs with Unix rights makes a mess and seems not the right way
> to solve the task.
>
> What is the "right way" to do such task?
>
>
>

You could investigate using 'access based share enum = yes'

and setting the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

You will also need to remove these lines:

     valid users = @"Domain Users" @"Domain Admins" @all
     admin users = admin @it
#    inherit acls = yes
     force create mode = 0777
     directory mask = 0770
     hide unreadable = yes

Rowland
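An added check, not part of the thread, that mechanically applies Rowland's advice above to an smb.conf: it flags the share-level parameters from his list (and, going a bit beyond it, their relatives create mask and force directory mode) that would override ACLs set from Windows. The smb.conf text is a constructed sample built from Dmitry's [n] share; find_acl_conflicts is a hypothetical helper name, not a Samba tool.

```shell
#!/bin/sh
# Constructed sample: the [n] share from the thread, carrying the parameters
# Rowland says to remove when the ACLs are to be managed from Windows.
SAMPLE_SMB_CONF='[global]
     vfs objects = acl_xattr
     map acl inherit = Yes
     hide unreadable = yes
[n]
      path = /mnt/n
      read only = no
     valid users = @"Domain Users" @"Domain Admins" @all
     admin users = admin @it
#    inherit acls = yes
     force create mode = 0777
     directory mask = 0770
     hide unreadable = yes'

# Share-level parameters that override or fight with Windows-managed ACLs:
# Rowland's list plus the closely related mode/mask parameters (assumption).
CONFLICTING='valid users|admin users|force create mode|force directory mode|create mask|directory mask|hide unreadable|inherit acls'

# Print "share: parameter" for every conflicting parameter set in a share
# section ([global] is skipped; "#" and ";" comment lines are ignored).
# Returns 1 if any were found, 0 if the share sections are clean.
find_acl_conflicts() {
    printf '%s\n' "$1" | awk -v pat="^($CONFLICTING)$" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*/, "", s)
            section = tolower(s); next
        }
        section != "" && section != "global" && /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) ~ pat) { print section ": " key; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Usage against a live config: find_acl_conflicts "$(cat /etc/samba/smb.conf)"
find_acl_conflicts "$SAMPLE_SMB_CONF" || echo "clean the share before managing ACLs from Windows"
```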


Re: Dir ACL through windows and chmod

Samba - General mailing list
On 12.04.2017 at 10:26, Dmitry wrote:
> granting access
> (using the "Security" tab in Windows' folder rights) for a concrete group to
> a concrete directory, and then chmod'ing this folder to 0770.

Mixing Linux and Windows access rights does not work: Changing any
security bits or ACL in Linux causes the Windows ACL to be disabled. Use
only one or the other.



Re: Dir ACL through windows and chmod

Samba - General mailing list
Thank you, but this did nothing. Users from group 'g02' can access
folder '01'. But this folder has an ACL set up only for group 'g01'.


> You could investigate using 'access based share enum = yes'
>
> and setting the permissions from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> You will also need to remove these lines:
>
>      valid users = @"Domain Users" @"Domain Admins" @all
>      admin users = admin @it
> #    inherit acls = yes
>      force create mode = 0777
>      directory mask = 0770
>      hide unreadable = yes
>
> Rowland


Re: Dir ACL through windows and chmod

Samba - General mailing list
On Wed, 12 Apr 2017 15:48:10 +0300
Dmitry via samba <[hidden email]> wrote:

> Thank you, but this did nothing. Users from group 'g02' can access
> folder '01'. But this folder has an ACL set up only for group 'g01'.

Did you remove the lines from the share?
Did you restart smbd, nmbd and winbind?

Can you post the result of:

ls -lad /path/to/01

getfacl /path/to/01

Rowland

>
>
> > You could investigate using 'access based share enum = yes'
> >
> > and setting the permissions from Windows, see here:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > You will also need to remove these lines:
> >
> >      valid users = @"Domain Users" @"Domain Admins" @all
> >      admin users = admin @it
> > #    inherit acls = yes
> >      force create mode = 0777
> >      directory mask = 0770
> >      hide unreadable = yes
> >
> > Rowland
>



Re: Dir ACL through windows and chmod

Samba - General mailing list
Hi,

Mixing POSIX and Windows ACLs works fine here.

But for these shares you have to set: acl_xattr:ignore system acls = yes
on the share, resulting in Windows ignoring the underlying POSIX rights, but my Linux users do get the rights on the system itself.

It's a bit of fiddling around until you get it, but it does work here.
Now setting it the other way around won't work, like POSIX rights on the share (your example).

Setup is as follows.
Create the needed folder, set the needed POSIX rights on it.
Mixing them together: give "domain users" a gid.
Set 2770 on the folder.

Now follow the wiki link Rowland sent.
On the Windows share security, the default is OK.
Windows folder security of the share.
And make sure you set "CREATOR GROUP".

I use this on my www data folders.
For example, system 1 generates the website. This is a system outside the Windows domain and writes over NFSv3 to the webserver.
The webserver does contain the wwwdata folder with a Windows share.

It shows like this:

(for the server that generates the sites, Debian wheezy)
ls -al /home/remote/webserver/www
-rwxr-xr-x+ 1 LINUX_USER_ON_SERVER1 LINUX_GROUP_ON_SERVER1  ..

The ACL on "www":
# file: www/
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::r-x
group:root:r-x
group:2000:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

Now the webserver is a Samba AD domain-joined server (Debian jessie).
I needed NFSv4 and Kerberos on that server.

ls -al /var/www/somefolder/
drwxr-sr-x+ 49 1001        2018 4096 Apr 11 10:38 www

# file: var/www/bazuin/www
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx                   #effective:r-x
group::r-x
group:root:r-x
group:2000:rwx                  #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:Win-AD-GROUP:rwx
default:mask::rwx
default:other::r-x

It looks messy because of unresolved uids/gids,

drwxrwsr-x+  9 root Win-AD-GROUP 4096 Sep  6  2016 changes1
drwxr-xr-x+ 35 1001        2018 4096 Sep 22  2016 changes2

but it does work.


Just test a bit before you go into production with it.

Systems used here in this setup:
Samba 3.6.x => writes over NFS v3 (SCO Unix)
Samba 4.1.17 => writes over NFS v3 (Debian wheezy; was Debian squeeze)
Samba 4.5.8 AD DC. Does not write (Debian jessie) (as of Samba 4.1.x)
Samba 4.5.8 webserver member of AD (Debian jessie), writes from a Win PC.

Share:
[mysecret-www-folder$]
    browseable = yes
    path = /var/www
    read only = no
    acl_xattr:ignore system acls = yes


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Dmitry via samba
> Sent: Wednesday 12 April 2017 14:48
> To: [hidden email]
> Subject: Re: [Samba] Dir ACL through windows and chmod
>
> Thank you, but this did nothing. Users from group 'g02' can access
> folder '01'. But this folder has ACL set up only for group 'g01'
>
>
> > You could investigate using 'access based share enum = yes'
> >
> > and setting the permissions from Windows, see here:
> >
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > You will also need to remove these lines:
> >
> >      valid users = @"Domain Users" @"Domain Admins" @all
> >      admin users = admin @it
> > #    inherit acls = yes
> >      force create mode = 0777
> >      directory mask = 0770
> >      hide unreadable = yes
> >
> > Rowland
>




Re: Dir ACL through windows and chmod

Samba - General mailing list

Please keep on list ;-)


On Wed, 12 Apr 2017 16:31:45 +0300
[hidden email] wrote:

> > Did you remove the lines from the share?
> Yes
>
> > Did you restart smbd, nmbd and winbind?
> Yes
>
> > Can you post the result of:
> > ls -lad /path/to/01
> drwxrwxr-x+ 4 admin g01 4096 Apr 12 15:36 01
>
>
> > getfacl /path/to/01
> # file: 01
> # owner: admin
> # group: g01
> user::rwx
> user:u01:rwx
> group::rwx
> group:admin:rwx
> group:g01:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:admin:rwx
> default:user:u01:rwx
> default:group::r-x
> default:group:g01:rwx
> default:mask::rwx
> default:other::r-x

From the 'getfacl': 'others' can read & execute; remove the ACE that is
allowing this.

Rowland
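An added check, not from the thread, that applies Rowland's diagnosis to a getfacl listing: it reports the "other" entries that still grant access (the r-x that lets g02 into 01) and, for the case in Dmitry's first listing, the default entries whose effective rights a default mask of --- has reduced to nothing. The listing is a constructed copy of the one quoted above; acl_other_leaks and acl_ineffective_defaults are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample: the listing Dmitry posted after removing the share
# parameters; "other" still has r-x on both the access and the default ACL.
ACL_AFTER='# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:admin:rwx
default:user:u01:rwx
default:group::r-x
default:group:g01:rwx
default:mask::rwx
default:other::r-x'

# Print every "other" entry that grants any permission, from both the access
# ACL and the default ACL (default entries are what new subfolders inherit).
# Returns 1 if the directory is exposed to everyone, 0 if it is group-private.
acl_other_leaks() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        { line = $0; sub(/[ \t]+#.*/, "", line); split(line, f, ":") }
        (f[1] == "other" && f[3] != "---") ||
        (f[1] == "default" && f[2] == "other" && f[4] != "---") {
            print line; found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Print default entries that getfacl marks "#effective:---": a default mask of
# "---" (as in Dmitry's first listing) means the named-user and named-group
# ACEs inherited by new subfolders grant nothing, whatever Windows shows.
acl_ineffective_defaults() {
    printf '%s\n' "$1" | awk '
        /^default:/ && /#effective:---/ { line = $0; sub(/[ \t]+#.*/, "", line); print line }'
}

# Usage against a live share: acl_other_leaks "$(getfacl /mnt/n/01)"
acl_other_leaks "$ACL_AFTER" || echo "directory 01 is readable by everyone"
```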
