
Trying to use Samba extended ACLs (https://wiki.samba.org/index.php/Shares_with_Windows_ACLs) based on AD permissions, but they do not seem to be working / being applied for shares on our CentOS 7 server when mounting those shares on Windows 10 machines. I.e. no restrictions seem to be applied.

Even after removing myself from the various AD groups/CNs listed in the Security tab of a Samba share that ostensibly has extended ACL functionality applied to it (via the Computer Mgmt UI, per the docs), I can still mount and view its contents when mounting the network drive via Windows File Explorer, despite not being in any of the allowed AD security groups.

The /etc/samba/smb.conf settings relating to extended ACLs appear to be set up as required for extended ACL functionality as per the docs (and the similar question here)...

Larger smb.conf snippet (everything but the various shares):

[root@myserver ~]# cat /etc/samba/smb.conf
[global]

security = ads
#  password server = adcontrollerserver.myorg.local
#  dedicated keytab file = /etc/krb5.keytab
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 3

winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
# the next line is only required on Samba versions less than 4.9.0
#  store dos attributes = Yes
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config * : backend = tdb
idmap config * : range = 10000000-10999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-20000
idmap config MYDOMAIN : unix_nss_info = yes
#  idmap config MYDOMAIN : unix_primary_group = no
username map = /usr/local/samba/etc/user.map
winbind enum users = yes
winbind enum groups = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
kerberos method = system keytab
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
winbind offline logon = yes
.
.
.

(as per https://www.samba.org/samba/docs/current/man-html/idmap_ad.8.html)

Editing the Security AD ACLs for the shares in the Computer Mgmt UI does flow through back to the host machine. That is, when logging out and back into the server as the AD-linked user and running

[myaduser@myserver ~]# groups

I can see the groups change there and access is/is not restricted based on how the ACLs were configured (note this does not work if you, say, sign in as root and su myaduser (you need to authenticate each time)). Yet, even when this works on the samba server itself, it does seem to work when mounting the shares on my local laptop or other Windows desktops on the network.

Anyone know what could be going on here? Something I'm missing? Any more info that would be helpful?

1 Answer


File ACLs control access to files inside a share. They always apply, regardless of which share was used to access the file (you can set up shares so that you can access the same file via different paths); if POSIX ACL mapping is used as the VFS method, these ACLs will apply even for local users (i.e. even when accessing files without Samba).

Access to the share itself is controlled with valid users, invalid users, write list, admin users and similar per-share options in smb.conf (or their Samba registry counterparts; see man smb.conf for details). This is a separate access setting, independent of file ACLs. A user who is allowed by this setting is able to connect to a share (mount it, for instance), but will not necessarily be able to access files, because of the file ACLs. This corresponds to the share security tab in Windows where you set who is allowed to connect to a share.

Nikita Kipriyanov
  • IC, interesting. But (under the conditions detailed in the post), I can still open and view the *files* in that share. That is, taking myself off of the AD groups listed in the share's Security tab in Computer Mgmt, and mounting the share, I can still open a text file in that share using Notepad. (Note that I do have AD/ACL permissions set for folders that, on that Samba server itself, are hierarchical parents to that share (IDK if that matters)). – lampShadesDrifter Feb 24 '21 at 19:13
  • Did you set up permissions from the Windows file security dialog or via Samba command-line tools? – Nikita Kipriyanov Feb 25 '21 at 06:36
  • I set perms via the Security tab when clicking on the shares in the Computer Mgmt UI, but IDK if the person who originally set this up used any Samba CLI to set up any perms. Is there a way to check this? Does it even matter if they had set up something via CLI before I set perms in the Windows interface (i.e. would the most restrictive perms not be used)? BTW, the docs say: "Extended access control lists (ACL) enable you to set permissions on **shares**, files, and directories using Windows ACLs and applications" but your post seems to indicate that the ACLs *only* apply for files. Am I misunderstanding something here? – lampShadesDrifter Feb 25 '21 at 20:12
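The answer above draws a line between two separate controls: who may connect to a share (valid users, invalid users, write list, read list, admin users) and who may touch files once connected (the ACLs stored by acl_xattr). An audit script that reads smb.conf and reports, per share, whether either control is in place makes the gap the question describes visible. The following is an added example written for this page, not code from the Samba project or from anyone in the thread; the sample config, share names and paths embedded in it are constructed, and the script only reads the text it is given.

```python
"""Audit an smb.conf for share-level access controls vs. file ACL storage.

Share-level options (valid users, invalid users, write list, read list,
admin users) decide who can connect to a share at all. File ACLs, stored
as extended attributes when 'vfs objects = acl_xattr' is set, decide what a
connected user can do with individual files and directories. A share with
neither is open to every authenticated user for connection purposes.
"""
import re
from typing import Dict, List

# Constructed sample in the style of the question's config: one share with
# no share-level restriction, one restricted to a group via 'valid users'.
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   vfs objects = acl_xattr
   map acl inherit = Yes
   # comment lines and ';' lines are ignored by Samba and by this parser
   idmap config * : backend = tdb
   idmap config * : range = 10000000-10999999

[projects]
   path = /srv/samba/projects
   read only = no

[finance]
   path = /srv/samba/finance
   valid users = @finance-staff
   read only = no
"""

# Per-share options from smb.conf(5) that gate connecting to the share.
SHARE_ACCESS_OPTIONS = ("valid users", "invalid users", "write list",
                        "read list", "admin users")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {option: value}}.

    Section and option names are lower-cased (Samba treats them
    case-insensitively); values keep their original case. Only the first
    '=' splits key from value, so 'idmap config * : backend' survives intact.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_shares(conf: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """Report, for every non-[global] section, which of the two controls apply.

    'vfs objects' may be set globally or overridden per share, so the share
    value wins when present and the global value is the fallback.
    """
    global_opts = conf.get("global", {})
    report: Dict[str, dict] = {}
    for name, opts in conf.items():
        if name == "global":
            continue
        vfs = opts.get("vfs objects", global_opts.get("vfs objects", ""))
        restricting: List[str] = [o for o in SHARE_ACCESS_OPTIONS if o in opts]
        report[name] = {
            "path": opts.get("path"),
            "share_access_restricted": bool(restricting),
            "share_access_options": restricting,
            "windows_acls_on_files": "acl_xattr" in vfs.split(),
        }
    return report


def main() -> None:
    # Swap SAMPLE_SMB_CONF for open('/etc/samba/smb.conf').read() on a real host.
    for share, info in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        connect = (", ".join(info["share_access_options"])
                   if info["share_access_restricted"] else "NO share-level restriction")
        acls = "acl_xattr" if info["windows_acls_on_files"] else "no acl_xattr"
        print(f"[{share}] path={info['path']} connect: {connect}; file ACLs: {acls}")


if __name__ == "__main__":
    main()
```

Running this against the constructed sample flags [projects] as having no share-level restriction while [finance] is gated by valid users; both store Windows-style file ACLs because acl_xattr is set globally. A share that shows up with acl_xattr but no connect restriction is exactly the situation in the question: the Security tab edits land in the file ACLs, while the share itself still accepts any authenticated connection.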