SMB 4.6 Member Server Improper ACLs being set


Samba - General mailing list
Hello,

I recently upgraded from CentOS release 7.3 to 7.4 and Samba 4.6.2 and
noticed that when files/folders are added or manipulated from a Windows PC
via the share, extra ACLs get applied and I cannot figure out why. Nothing
has changed configuration-wise and I have tried all variations I can think
of of different map settings, downgraded several releases of Samba (4.4.4
failed to load due to some dependency issues).

I spun up a templated CentOS VM to test and found the same issue as my
physical server.

I'm sharing /vault and here's the permission set of the folder:
[root@template vault]# getfacl .
# file: .
# owner: root
# group: root
user::rwx
group::rwx
group:user_perm_storage_admin:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:user_perm_storage_admin:rwx
default:mask::rwx
default:other::---

If I map a share from a Windows or Linux machine back to this via Samba and
create a folder/file, it looks like this:

[root@template vault]# getfacl test/
# file: test/
# owner: ryan.goode
# group: domain\040users
user::rwx
user:10513:rwx
user:14608:rwx
group::rwx
group:domain\040users:rwx
group:ryan.goode:rwx
group:user_perm_storage_admin:rwx
mask::rwx
other::---
default:user::rwx
default:user:ryan.goode:rwx
default:user:14608:rwx
default:group::rwx
default:group:domain\040users:rwx
default:group:user_perm_storage_admin:rwx
default:mask::rwx
default:other::---

The ACLs I'm referring to as being erroneous are:
user:10513:rwx
user:14608:rwx
default:user:14608:rwx

These correspond to groups in AD as seen here:

[root@template vault]# getent group | grep 14608
user_perm_storage_admin:x:14608:
[root@template vault]# getent group | grep 10513
domain users:x:10513:

This wasn't happening when I originally set up these ACLs on my storage
server and I'm trying to prevent this from happening further before it hoses
my permission set.

I'm at a loss for what to do next and Google has yielded no useful
information that I can find.

Any thoughts?
- - - -
smb.conf:
#--authconfig--start-line--

# Generated by authconfig on 2017/04/14 06:41:51
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = AD
   realm = AD.ALLGOODE.US
   security = ads
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = true

#--authconfig--end-line--
server string = Samba Server Version %v

idmap config * : backend = tdb
idmap config * : range = 5000 - 9999
idmap config AD : backend = rid
idmap config AD : range = 10000-20000

#winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind cache time = 7200
winbind nested groups = yes

ea support = yes
passdb backend = tdbsam

#log file = /var/log/samba/log.%m
max log size = 50
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

#client ldap sasl wrapping = plain

local master = no
preferred master = no
netbios name = TEMPLATE
dos charset = CP437
unix charset = UTF-8
log level = 9
obey pam restrictions = yes

#directory name cache size = 0

#============================ Share Definitions ==============================

[vault]
comment = vault for personal files
path = /vault
read only = no
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: SMB 4.6 Member Server Improper ACLs being set

Samba - General mailing list
On Wed, 27 Sep 2017 14:48:44 -0500
Ryan Goode via samba <[hidden email]> wrote:

> Hello,
>
> I recently upgraded from CentOS release 7.3 to 7.4 and Samba 4.6.2 and
> noticed that when files/folders are added or manipulated from a
> Windows PC via the share, extra ACLs get applied and I cannot figure
> out why. Nothing has changed configuration-wise and I have tried all
> variations I can think of of different map settings, downgraded
> several releases of Samba (4.4.4 failed to load due to some
> dependency issues).
>
> I spun up a templated CentOS VM to test and found the same issue as my
> physical server.
>
> I'm sharing /vault and here's the permission set of the folder:
> [root@template vault]# getfacl .
> # file: .
> # owner: root
> # group: root
> user::rwx
> group::rwx
> group:user_perm_storage_admin:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:user_perm_storage_admin:rwx
> default:mask::rwx
> default:other::---
>
> If I map a share from a Windows or Linux machine back to this via
> Samba and create a folder/file, it looks like this:
>
> [root@template vault]# getfacl test/
> # file: test/
> # owner: ryan.goode
> # group: domain\040users
> user::rwx
> user:10513:rwx

This is strange, it looks like Domain Users is being treated as a user.

> user:14608:rwx
> group::rwx
> group:domain\040users:rwx
> group:ryan.goode:rwx

Why is there a group named after a user?

> group:user_perm_storage_admin:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:ryan.goode:rwx

And here is the user.

> default:user:14608:rwx
> default:group::rwx
> default:group:domain\040users:rwx
> default:group:user_perm_storage_admin:rwx
> default:mask::rwx
> default:other::---
>
> The ACLs I'm referring to as being erroneous are:
> user:10513:rwx
> user:14608:rwx
> default:user:14608:rwx
>
> These correspond to groups in AD as seen here:
>
> [root@template vault]# getent group | grep 14608
> user_perm_storage_admin:x:14608:
> [root@template vault]# getent group | grep 10513
> domain users:x:10513:

Have you tried 'getent passwd | grep 10513' ?

>
> This wasn't happening when I originally set up these ACLs on my storage
> server and I'm trying to prevent this from happening further before it
> hoses my permission set.
>
> I'm at a loss for what to do next and Google has yielded no useful
> information that I can find.
>
> Any thoughts?
> - - - -
> smb.conf:
> #--authconfig--start-line--
>
> # Generated by authconfig on 2017/04/14 06:41:51
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>    workgroup = AD
>    realm = AD.ALLGOODE.US
>    security = ads
>    template shell = /bin/bash
>    kerberos method = secrets only
>    winbind use default domain = true
>    winbind offline logon = true
>
> #--authconfig--end-line--
> server string = Samba Server Version %v
>
> idmap config * : backend = tdb
> idmap config * : range = 5000 - 9999
> idmap config AD : backend = rid
> idmap config AD : range = 10000-20000
>
> #winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind cache time = 7200
> winbind nested groups = yes
>
> ea support = yes

What filesystem are you using?
If it is ext4, you shouldn't use the above line.

Can you post:
/etc/hostname
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/nsswitch.conf

Rowland


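As an added example (not from the thread, and not Samba's own code), here is the check Rowland's reply points at, in script form: parse a getfacl listing and flag numeric user qualifiers that have no passwd entry (noting when the same number is a known gid), plus group entries named after users. The listing is modelled on the one in the original post, and the passwd/group tables are constructed stand-ins for `getent passwd` / `getent group` output (the uid 14001 for ryan.goode is assumed); with the idmap_rid backend, users and groups are mapped from one RID space into the same numeric range, which is why a uid and a gid can share a number.

```python
import re

# Constructed getfacl output, modelled on the listing in the thread (not captured from a host).
GETFACL_OUTPUT = """\
# file: test/
# owner: ryan.goode
# group: domain\\040users
user::rwx
user:10513:rwx
user:14608:rwx
group::rwx
group:domain\\040users:rwx
group:ryan.goode:rwx
group:user_perm_storage_admin:rwx
mask::rwx
other::---
default:user::rwx
default:user:ryan.goode:rwx
default:user:14608:rwx
"""
# Constructed stand-ins for `getent passwd` / `getent group` (name -> id); the uid is assumed.
PASSWD = {"ryan.goode": 14001}
GROUPS = {"domain users": 10513, "user_perm_storage_admin": 14608}
ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})$")

def parse_acl(text):
    """Return (is_default, tag, qualifier, perms) tuples; getfacl escapes spaces as \\040."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)  # comment lines ("# file:" etc.) and blanks do not match
        if m:
            entries.append((bool(m.group(1)), m.group(2),
                            m.group(3).replace("\\040", " "), m.group(4)))
    return entries

def audit(text, passwd, groups):
    """Flag ACL entries whose qualifier is unresolved or is the wrong kind of identity."""
    findings, gid_names = [], {gid: name for name, gid in groups.items()}
    for is_default, tag, qual, _ in parse_acl(text):
        prefix = "default:" if is_default else ""
        if tag == "user" and qual.isdigit() and int(qual) not in passwd.values():
            hint = f"; gid {qual} is group '{gid_names[int(qual)]}'" if int(qual) in gid_names else ""
            findings.append(f"{prefix}user:{qual}: no passwd entry for uid {qual}{hint}")
        elif tag == "group" and qual in passwd and qual not in groups:
            findings.append(f"{prefix}group:{qual}: named after a user, not a group")
    return findings

if __name__ == "__main__":
    for finding in audit(GETFACL_OUTPUT, PASSWD, GROUPS):
        print(finding)
```

On a real member server, feed it `getfacl -p <path>` and the two `getent` tables; every finding is an entry Samba wrote for an ID that winbind does not resolve to the expected identity kind.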