Access Based Share Enumeration ACL setup

gegtor

Explorer
Joined
Sep 16, 2017
Messages
99
I'm trying to hide samba shares from users who don't have access to them

I found access based share enum = yes option on the internet and sure enough, FreeNAS has such option exposed to the GUI in share configuration

After setting it on, users still see shares they don't have real access to

I presume it comes from incorrect ACL config

I tried deleting everyone@ ACL entry but I get Error: [EINVAL] At least one inheritable ACL entry is required

ACLs are a new concept to me because I'm used to just simple group based access

What would be the correct ACL setting to limit users ability to see shares?

My current ACL setup if needed
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It looks at the share ACL rather than the filesystem ACL. This can be modified through either the Computer Management MMC on a windows client, the "sharesec" CLI tool, or using the FreeNAS API "smb.sharesec". In 12.0 it will be exposed in the GUI.
 

Graydens

Cadet
Joined
Aug 12, 2018
Messages
2
Hi

Were you able to fix that? I have the same problem with Windows Explorer. If I connect via FTP (FileZilla) it works like it should :smile:

Please let me know.

regards
 

gegtor

Explorer
Joined
Sep 16, 2017
Messages
99
Hi

Yes I was successful and it works just fine

I followed the advice from @seanm
1) add "access based share enum=yes" as an aux parameter on the FooBar share.
2) from the shell, use 'net usersidlist' or 'net groupmap list' to determine the SID of a local FreeNAS user or group ex: S-1-5-21-7567469271-2383756280-2683756379-1001
- add a 'share permission' for the SID (remember this sets maximum permissions) and remove the default one:

sharesec Test -a S-1-5-21-7567469271-2383756280-2683756379-1001:ALLOWED/0/FULL
sharesec Test -r S-1-1-0:ALLOWED/0x0/FULL

3) stop/start samba

Follow those steps for every share and it will work :)
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
Yeah, I just realized that this is the second time I replied to this thread. Just trying to provide information about upcoming features.
Hi,

I tried this setting in the most recent 12.x release.
By enabling this option in the Share GUI check box, or by adding
Code:
access based share enum = yes
either in Share, SMB service or both auxiliary params, the shares are still visible to users without read permission

I always manage ACLs through TrueNAS GUI rather than MMC snapins. Is there a way to properly make it work from TrueNAS side in 12.0 ?

Thank you a lot
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You have to configure the share ACL (not filesystem ACL). Clients may also cache net share enum responses. You can use `smbclient` locally on the NAS to determine share listing for a given user.
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79

I see, in fact Share ACL is set to allow any by default
However, even when listing shares from an Android device for example, the share is listed despite the user not having read permissions. Will the Windows SID apply here? I doubt it.

Also, will the share ACL take precedence over the filesystem ACLs for Windows? That is, must they both match with the same configured groups to allow / deny?
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
@anodos
I also noticed another issue, not sure if it is related to TrueNAS only:
Under a Windows machine, if two users log in on the same machine, they will each see their own home share + the one from the other user listed AND ACCESSIBLE
However, when user1 accesses user2's home share, he will see his own files (user1) listed. Same when user2 accesses user1's home share, he actually sees his own files

This is really a weird issue.
Can you also clarify please the above question about access based share enum?

Thank you
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is expected behavior from legacy samba [homes] shares. They actually present every user home directory (even though they won't be visible in `net share enum` responses), but the share path ends with %U which expands to the current authenticated user.
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
Thank you for your help
I took time to test and all is working perfectly, even from an Android device in fact, which is logical because the permissions are set in TrueNAS

Here are the steps from the GUI for people looking at it:
  1. when creating the share (or edit for existing shares), check "Advanced Options / Access Based Share Enumeration"
  2. properly set the share access permissions under Share option "Edit Filesystem ACL" at your liking
  3. now, this is the most important part, use the Share option "Edit Share ACL"
  4. edit the first default entry (you cannot delete it in GUI, only edit it) by either:
    • entering the SID of the group or user allowed to access/list the share
    • or specifying the group/user name and the Domain name: the SMB service must be enabled in this case so that TrueNAS can query the proper SID, else you will get an error
  5. Set the permissions to what you want for the user/group: FULL, READ, CHANGE
  6. Set the Type to ALLOWED to allow that group/user or DENIED to specifically deny it
  7. Repeat steps 4 to 6 for any other group you want to add
  8. restart the SMB service for the changes to take effect and to reflect on currently connected clients
You can optionally get the SID of each user/group when on a domain, by using the below commands in shell:
Code:
# query users SIDs
net usersidlist

# query groups SIDs
net groupmap list


@anodos :
Can you confirm the above steps and that setting the ALLOWED groups is enough (the default will be DENIED for any other non-specified user/group)?
Seems logical to me and that's what I verified in my tests
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
ALLOWED is enough. Just make sure to remove the default "everyone" entry.
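Two checks for the steps above (seanm's sharesec commands and the GUI share ACL procedure), added here as an example and not code from the thread or from TrueNAS: one flags a share whose ACL still carries the default Everyone (S-1-1-0) ALLOWED entry, so access based share enum would hide nothing, and the other extracts what a given account actually gets back from the local `smbclient -L` listing anodos mentions. Both sample outputs are constructed in those tools' formats; `audit_live` is an assumed wrapper for running the checks on the NAS.

```sh
#!/bin/sh
# Constructed sample in the format printed by `sharesec NAME -v`
# (the SID is the example one quoted in the thread).
SHARESEC_SAMPLE='REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL
ACL:S-1-5-21-7567469271-2383756280-2683756379-1001:ALLOWED/0x0/FULL'

# Constructed sample in the format printed by `smbclient -L`.
SMBCLIENT_SAMPLE='
        Sharename       Type      Comment
        ---------       ----      -------
        Test            Disk
        IPC$            IPC       IPC Service (TrueNAS Server)'

# Return 0 when the share ACL text still grants Everyone (S-1-1-0) access,
# i.e. the default entry was never removed and every user can list the share.
share_allows_everyone() {
    printf '%s\n' "$1" | grep -q '^ACL:S-1-1-0:ALLOWED/'
}

# Print the SIDs that hold ALLOWED entries, one per line.
allowed_sids() {
    printf '%s\n' "$1" | sed -n 's/^ACL:\([^:]*\):ALLOWED\/.*/\1/p'
}

# Print the names of Disk shares in an `smbclient -L` listing, one per line
# (IPC$ and the header/separator lines are skipped).
disk_shares() {
    printf '%s\n' "$1" | awk '$2 == "Disk" { print $1 }'
}

# Assumed live wrapper (not run here): audit each named share's ACL, then show
# which shares the test account can enumerate. smbclient prompts for the password.
audit_live() {
    user="$1"; shift
    for share in "$@"; do
        acl=$(sharesec "$share" -v)
        if share_allows_everyone "$acl"; then
            echo "$share: default Everyone entry still present, visible to all users"
        else
            echo "$share: visible only to $(allowed_sids "$acl" | tr '\n' ' ')"
        fi
    done
    disk_shares "$(smbclient -L localhost -U "$user")"
}
```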
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
@anodos

I recently changed the server hostname from FREENAS to TRUENAS and fixed the credentials in windows/android devices
However, the Access Based Share Enumeration is now broken.

The problem is that the TrueNAS server did not populate the SIDs with the new hostname domain.
Below is a screenshot from permissions/owner in Windows 10 Enterprise:

[screenshot: Capture.JPG]


As you can see, the Owner is still showing FREENAS while the dataset name properly shows TRUENAS
I applied in TrueNAS the owner/group from GUI on that dataset, but it still doesn't fix it

Also, the command "net usersidlist" still lists users and SIDs under the old hostname FREENAS:
Code:
root@truenas:~ # net usersidlist

FREENAS\user
 S-1-5-xxxxxxxxxxxxxxxxxx
 S-xxxx
 S-xxxx
 S-xxxx


Also, the command "net groupmap list" now only shows the built in users and can no longer list the other existing groups I defined !

If I try to add the new SIDs in the GUI, TrueNAS won't accept the domains Truenas or Freenas saying it cannot find them

After more searching, I found that under "Services / SMB / NetBios Name", the old hostname was still there. I manually edited it, restarted the SMB service and now, on windows, the above picture is fixed and the Owner is properly showed under "TRUENAS" domain.

In TrueNAS, I can now apply the user Share ACL specifying a domain/username. However, I still cannot apply the group Share ACL rules for Access Based Enumeration. The groups also no longer show in Windows permissions manager, only the users

I also tried your tip in a previous post:

Code:
mv /var/db/system/samba4/group_mapping.tdb /var/db/system/samba4/group_mapping.tdb.bak
midclt call smb.synchronize_group_mappings
49


It outputs 49. I restarted the SMB service, but still I cannot apply the group SIDs in the GUI under Share ACL. I get the same error as previously:
Code:
CallError
[EFAULT] SID lookup for TRUENAS\smb_admin failed: failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name TRUENAS\smb_admin

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 138, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1213, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/service.py", line 495, in update
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1213, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 975, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/sharesec.py", line 379, in do_update
    await self.setacl({"share_name": old_acl["share_name"], "share_acl": data["share_acl"]})
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/sharesec.py", line 201, in setacl
    ae_list.append(await self._ae_to_string(entry))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/smb_/sharesec.py", line 162, in _ae_to_string
    raise CallError(f'SID lookup for {name} failed: {wbinfo.stderr.decode()}')
middlewared.service_exception.CallError: [EFAULT] SID lookup for TRUENAS\smb_admin failed: failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name TRUENAS\smb_admin


Any way to fix this issue? I can no longer get the groups showing under Windows as a side issue, which makes any fix impossible. I even tried applying again the permissions and owner/group from TrueNAS without any effect on the above issues

Thank you for your help
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
I hopefully could fix it, for anybody looking for a fix, it was a silly change I made a few weeks ago without noticing that I lost the SMB Access Share Enumeration on that share.
My error: I removed "Samba Authentication" from the group since I prefer setting it on users specifically and not groups in this very special case.
So this is the only case where the group "Samba Authentication" permission is needed

Now everything is fixed

Side note:
Under "Services / SMB / NetBios Name", the help info displays:
Automatically populated with the original hostname of the system. This name is limited to 15 characters and cannot be the Workgroup name.

Should I file a bug because it is not automatically populated if we ever change the hostname, or does it not cause any issue to have the hostname and SMB NetBIOS domain different?
 

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
@anodos
A last question: can we assume the following:
  1. Share ACL: only used to allow/restrict login (and optionally listing) of a share.
  2. Filesystem ACL: only apply after the user login and manage file/directories access permissions
  3. If a user is not allowed access under "Share ACL", he will not be able to log in through SMB even if he has full rights under "Filesystem ACL"
At least, in all my tests this seems to apply
If it's the case, I can say that ACL settings work amazingly well in TrueNAS. Except having to manually run the commands to recreate the group_mapping.tdb file if we modify the hostname or change groups, because they are not automatically synced and sometimes in my tests, Windows keeps the old SID with "Unknown name?" unless that database file is recreated
 