Windows file server page

As the smb.conf man page recalls…

In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file.

Even if Samba can emulate the “multi-owner” feature of Windows, our NethServer inherited the POSIX ACL way and we cannot change it now. So in NS only root or the file owner can change the file permissions. With the admin users option, root privileges can be easily granted to members of “Domain Admins” (or any other user/group).

We could implement a new shared folder profile flavor with Windows ACL in the future though.

What could happen in NethServer is:

The Domain Admins log on to Server Manager, enable the special permissions, perform privileged operations, then disable special permissions.

Is it acceptable?

1 Like
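The following audit is an added example, not part of the original post or of NethServer's code. Because the admin users option discussed above grants root privileges on a share, it lists which shares in an smb.conf carry it and for whom. The sample configuration, share names and function names are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from a real server.
SAMPLE_SMB_CONF = r'''
[global]
    workgroup = EXAMPLE
    ; admin users = root
[projects]
    path = /srv/projects
    Admin Users = @"Domain Admins", alice
[public]
    path = /srv/public
    admin users =
[archive]
    path = /srv/archive
    adminusers = +backup \
        bob
'''

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalized parameter names."""
    text = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def admin_users_by_share(text):
    """Map each share to the principals that get root on it via 'admin users'."""
    sections = parse_smb_conf(text)
    default = sections.get("global", {}).get("adminusers", "")
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        value = params.get("adminusers", default)  # share overrides [global]
        tokens = re.findall(r'(?:"[^"]*"|[^\s,"])+', value)
        if tokens:
            report[name] = [t.replace('"', "") for t in tokens]
    return report
```

Feeding it the output of `testparm -s` instead of the raw file also covers settings pulled in through include directives.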

It’s definitely workable, yes.

What is preventing us from mounting the filesystem with extended attributes, and enabling Windows ACLs? SAMBA4 supports it out of the box, the needed modules are already loaded and afaik the only thing missing in the chain is the filesystem being mounted the correct way for this to work? (On my ToTest list … )

If we implement permissions at the Windows/Samba ACL level we actually implement a permissions layer over the filesystem that is visible only to SMB clients. In other words, if a user accesses files with SCP or NFS the Windows ACLs are not enforced.

A similar situation happens with Dovecot. IMAP ACLs are implemented by the IMAP server. Everything under /var/lib/nethserver/vmail is owned by vmail user (dovecot). As long as everyone accesses mail through IMAP, ACLs are effective.

We can implement Windows ACL only if Samba is the only service that can access shared folders.

IIRC XFS (the default CentOS7 filesystem) has extended attributes enabled by default

1 Like

We’re all here to listen to each other. Good ideas will be implemented eventually :slight_smile:

…make that: rather quickly

The prototype implementation can be installed with the following command: /cc @flatspin

 yum install http://packages.nethserver.org/nethserver/7.4.1708/autobuild/x86_64/Packages/nethserver-samba-2.0.10-1.5.pr23.g3267e60.ns7.noarch.rpm

1 Like

The netbios name can be set and works correctly. Host is shown in windows network neighborhood.

Control and privileges not shown. Not yet implemented?

Installation: NS7 with LDAP and file server.

1 Like

As in the shared folders interface, those controls are not available with LDAP accounts provider. Do you think we should display a note?

o.k. with AD it works.

Just for my personal knowledge: why doesn’t the control feature work with LDAP?

Yes, and a short explanation in the inline help.

Another suggestion: This is strongly connected to the shared folders. What about adding this as a tab to the shared folder section?

Yes, I’d add to Shared Folders page

  • a “Configure” button that points to the Windows file server page
  • the warning message if accounts provider is LDAP

3 Likes

And here is my explanation: I didn’t think about the restriction of guest access only with LDAP. :joy:
Thank you Davide.

2 Likes

Christmas is early this year :blush:

2 Likes

Excellent work, I think we will ease sysadmin life!

1 Like

nethserver-samba is available from nethserver-testing repo /cc @quality_team

yum --enablerepo=nethserver-testing update nethserver-samba

I recall Samba has been declared as QA hot point during the NethServer Conference, please test it thoroughly!

The test case is quite long and some cases require a Windows workstation to check that ACLs work correctly.

Please refer to the GitHub issue for detailed instructions: https://github.com/NethServer/dev/issues/5404#issuecomment-353636728

3 Likes

Test case 1.0 account provider AD:

libwbclient auto o.k.

Test case 1.1

create ibay o.k.
login user o.k. from non-member win-workstation
create directory and upload file o.k.
change ACL from win-workstation: access denied

Can’t verify kerberos auth at the moment.

test case 1.2

granted full control => win-client can change ACL:


change ACL is o.k.

test case 1.3
login with “admin” => change ACL on all content o.k.

test case 1.4
login with testuser 1 => create content o.k.
login with “admin” => access denied to home folder testuser
granted full control to home directories => access still denied! test failed

Test case 2.0 account provider LDAP:

alternatives --list
libnssckbi.so.x86_64    auto    /usr/lib64/pkcs11/p11-kit-trust.so
cifs-idmap-plugin       auto    /usr/lib64/cifs-utils/cifs_idmap_sss.so
ld      auto    /usr/bin/ld.bfd
mta     auto    /usr/sbin/sendmail.postfix
libwbclient.so.0.13-64  auto    /usr/lib64/sssd/modules/libwbclient.so.0.13.0

libwbclient auto o.k.

Warning shown for LDAP.

change workgroup o.k. (disappeared and reappeared, change “workgroup = xxxx” in smb.conf o.k.)

edit / change / create content on shared folder o.k.

I’ll do other tests later.

so long.

4 Likes

Did you connect to the hidden share //server/home$, or directly to //server/testuser1 ? The latter is not expected to work.

Yes, it was the second one. So it’s o.k…
I can’t do further testing in the next days. So if I’m the only one atm, please be a little patient.

1 Like

You’re not alone, someone from the dev team will jump in to speed up the testing :wink:

3 Likes

Released in nethserver-samba-4.0.0

https://github.com/NethServer/dev/issues/5404

1 Like

NethServer 7.5 is next to be released.

Do you remember the “When a new file or directory is created in a shared folder…” feature? I’m going to change the default value for new installations:

:heavy_multiplication_x: Disable “Grant full control to the owner of the parent directory”
:heavy_check_mark: Enable “Grant full control to the creator”

This is a screenshot preview:

The “Grant full control to the creator” option is more flexible because it enables the object creator to change the permissions on it, while still granting enough rights to the object owning group.

What do you think? Do you see any side effect?

2 Likes