CIFS permission issue with nested AD domain local groups

Status
Not open for further replies.

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Hello,

I am currently running a test system on quite old hardware.
Code:
FreeNAS-9.3-STABLE-201511040813
RX 330S1
2x Quad-Core AMD Opteron(tm) Processor 2352
12GB ECC RAM


The system is successfully integrated into an Active Directory domain (DOM).

When I set up a CIFS share on a dataset created for this purpose with Windows permissions, group write access fails for users or groups that are members of a domain local security group in AD. When I change only the group type to a global domain group in AD, the same setup works.

Here is some more information.

Not working setup for group write access (domain local group type):
[screenshot: domainlocal.png]

Code:
[root@freenas] getfacl /mnt/ext02rz1/domainlocal
# file: domainlocal
# owner: DOM\admin
# group: DOM\domainlocalgroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


Working setup for group write access (domain global group type):
[screenshot: domainglobal.png]

Code:
[root@freenas] getfacl /mnt/ext02rz1/domainglobal
# file: domainglobal
# owner: DOM\admin
# group: DOM\domainglobalgroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow


smb4.conf:
Code:
[global]
    server max protocol = SMB2
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 353099
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    netbios name = NAS01
    workgroup = DOM
    realm = DOM.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config DOM: backend = rid
    idmap config DOM: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
   

[domainglobal]
    path = /mnt/ext02rz1/domainglobal
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
   

[domainlocal]
    path = /mnt/ext02rz1/domainlocal
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


Why does the group type make a difference?

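Decoding the two getfacl listings above with a small parser (an added example, not code from the post or from FreeNAS) shows that owner@ and group@ carry identical full-control grants in both datasets, so the on-disk ACL by itself cannot explain why one group type can write and the other cannot; the letter and flag tables assume the FreeBSD 9.x getfacl short form used by FreeNAS 9.3, and the sample input is constructed from the quoted output.

```python
# Added example, not from the original post: decode FreeBSD 9.x (FreeNAS 9.3)
# NFSv4 ACL entries as printed by getfacl and report which principals may write.
PERM_NAMES = {  # short-form permission letters, in getfacl display order
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
FLAG_NAMES = {  # six-character inheritance flag field on FreeBSD 9.x
    "f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
    "n": "no_propagate", "S": "successful_access", "F": "failed_access",
}
WRITE_PERMS = {"write_data", "append_data", "delete_child"}  # add/change/remove content

def parse_ace(line):
    """Parse one 'who:perms:flags:type' ACE into decoded fields."""
    who, perms, flags, ace_type = line.strip().split(":")
    return {"who": who, "type": ace_type,
            "perms": {PERM_NAMES[c] for c in perms if c != "-"},
            "flags": {FLAG_NAMES[c] for c in flags if c != "-"}}

def parse_getfacl(text):
    """Split getfacl output into its '# key: value' header and its ACEs."""
    header, aces = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        else:
            aces.append(parse_ace(line))
    return header, aces

def write_grants(aces):
    """Principals holding an allow ACE with at least one write permission."""
    return {a["who"] for a in aces
            if a["type"] == "allow" and a["perms"] & WRITE_PERMS}

# Sample input constructed from the getfacl output quoted in the post above.
DOMAINLOCAL_ACL = """\
# file: domainlocal
# owner: DOM\\admin
# group: DOM\\domainlocalgroup
            owner@:rwxpDdaARWcCos:fd----:allow
            group@:rwxpDdaARWcCos:fd----:allow
         everyone@:r-x---a-R-c---:fd----:allow
"""

if __name__ == "__main__":
    print("write allowed for:", sorted(write_grants(parse_getfacl(DOMAINLOCAL_ACL)[1])))
```

Run it against the domainglobal listing as well and the decoded sets are the same, which is what points the investigation at group membership resolution in the user's token rather than at the ACL.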

Henning Kessler

Update:

The problem is gone after I unbound, restarted and rebound the system to AD.

Sorry for bothering you all with this.

Henning
 

Henning Kessler

Update 2.0:

Unfortunately I was too fast with the assumption that my problem had been solved by rebinding and rebooting ;-).

Instead, the problem has reappeared and I can reproduce the issue with another (virtual) installation of FreeNAS bound to the same AD domain. In addition, the problem seems to be Kerberos related.

If the group permissions of the share are set to a domain local security group in which the group containing the user (a global security group) is nested, and the share is accessed by a bound client using smb://FQDN, the client is granted two Kerberos tickets (krbtgt/DOM@DOM and cifs/FQDN@DOM) upon successful authentication, but ONLY read access is possible instead of full access.

After doing a kdestroy and accessing the server with smb://IP from the same client, no tickets are granted, BUT now read and write access is possible.

If I now change the group permissions on that share to a global security group in which, as above, the group containing the user (again a global security group) is nested, then whether I access it with smb://FQDN or smb://IP, read and write access is ALWAYS granted to group members on successful authentication.

Does someone have an idea why this is happening?

Henning
 