Samba share ACL for letting everybody from a group read and write

troudee (Explorer, joined Mar 26, 2020, 69 messages)

Hello everybody!

I am having this strange-looking "?" floating above my head that only true misunderstanding of Samba permissions can produce – maybe you can help me change it to "!"? :smile:

On my TrueNAS Core, I have an SMB share I want to give access to a group of users in order to let them share files.

The users are smb_one, smb_two and so on (currently just testing, as you might imagine).
They are all members of the auxiliary smb_users group (GID=Auto, Sudo=No, SambaAuth=Yes).
The users all have SambaAuth=Yes.

The Share has the following filesystem ACL:
Owner: root/wheel

owner@ - Allow - Basic - Full Control - Basic Flags - Inherit
group@ - Allow - Basic - Full Control - Basic Flags - Inherit
Group smb_users - Allow - Advanced - {Read Data, Write Data, Append Data, Read Named Attributes, Execute, Delete Children, Read Attributes, Write Attributes, Read ACL} - Basic Flags - Inherit

The intention of that ACL is: everybody from the smb_users group shall be able to read and write at the share, but may not start messing around with ACLs.

But something seems to be wrong with it – when smb_one creates a file (or directory), smb_two can read the file and the directory and he/she can delete both – but he/she cannot modify the file!

When I go to the shell and do getfacl my_file.txt, I get this:

Code:
# file: my_file.txt
# owner: smb_one
# group: wheel
owner@:rwxpDdaARWcCos:------I:allow
group@:rwxpDdaARWcCos:------I:allow
group:smb_users:rwxpD-aAR-c---:------I:allow
everyone:--------------:------I:allow


What am I obviously doing wrong?
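As an added example (not code from the thread or from TrueNAS), here is a small Python checker that parses compact NFSv4 `getfacl` output like the block above and reports whether a group's ACE matches the stated intent (read, write and append data, but no write_acl or write_owner) and whether everyone@ is granted anything. The group name is a parameter, so running it with the `smb-users` spelling that `id` prints further down the thread shows what a name mismatch between the ACE and the system group looks like; the sample below is a constructed copy of the output quoted above.

```python
import re
# Added example, not code from the thread: parses the compact NFSv4 ACL lines
# that FreeBSD/TrueNAS `getfacl` prints and checks the intent stated above:
# group members may read/write data, nobody but the owner may edit the ACL
# or take ownership, and everyone@ gets nothing.
# Compact perms order: rwxpDdaARWcCos; flags: fdinSFI (I = inherited).
ACE_RE = re.compile(
    r"^(?P<who>owner@|group@|everyone@?|user:[^:]+|group:[^:]+)"
    r":(?P<perms>[rwxpDdaARWcCos-]{14}):(?P<flags>[fdinSFI-]{7}):(?P<kind>allow|deny)$"
)

def parse_getfacl(text):
    """Return a list of (who, perms, flags, kind); '#' comment lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        who = "everyone@" if m["who"] == "everyone" else m["who"]
        perms = {c for c in m["perms"] if c != "-"}
        flags = {c for c in m["flags"] if c != "-"}
        aces.append((who, perms, flags, m["kind"]))
    return aces

def check_group_policy(aces, group):
    """Return findings; an empty list means the ACL matches the stated intent."""
    findings = []
    grp = [p for who, p, _f, kind in aces if who == f"group:{group}" and kind == "allow"]
    if not grp:
        findings.append(f"no allow ACE for group:{group} (check the exact group name)")
    else:
        missing = [c for c in "rwp" if c not in grp[0]]  # read/write/append data
        excess = [c for c in "Co" if c in grp[0]]        # write_acl / write_owner
        if missing:
            findings.append(f"group:{group} lacks {''.join(missing)}")
        if excess:
            findings.append(f"group:{group} may change ACL/owner: {''.join(excess)}")
    for who, perms, _f, kind in aces:
        if who == "everyone@" and kind == "allow" and perms:
            findings.append(f"everyone@ is granted {''.join(sorted(perms))}")
    return findings

# Constructed copy of the getfacl output quoted in the post above.
SAMPLE = """\
# file: my_file.txt
owner@:rwxpDdaARWcCos:------I:allow
group@:rwxpDdaARWcCos:------I:allow
group:smb_users:rwxpD-aAR-c---:------I:allow
everyone:--------------:------I:allow
"""
```

Calling `check_group_policy(parse_getfacl(SAMPLE), "smb_users")` returns an empty list, so the ACE itself grants what the post wants; the same call with "smb-users" reports a missing ACE.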
 

troudee

What is the output of id smb_one, id smb_two, and getent group smb_users? Might be this issue: https://github.com/freenas/ports/co...7933ca4698bf68c31ee724fa1be717b8a7ec2844ea28d

Code:
# id smb_one
uid=1000(smb_one) gid=1001(smb_one) groups=1001(smb_one),545(builtin_users),1000(smb-users)

# id smb_two
uid=1001(smb_two) gid=1002(smb_two) groups=1002(smb_two),545(builtin_users),1000(smb-users)

# getent group smb-users
smb-users:*:1000:smb_one,smb_two,smb_three,smb_four


One way to test would be to use `builtin_users` (already exists on the system) instead of `smb_users`
You mean I should set the ACL entry to `builtin_users`?
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)

Code:
# id smb_one
uid=1000(smb_one) gid=1001(smb_one) groups=1001(smb_one),545(builtin_users),1000(smb-users)

# id smb_two
uid=1001(smb_two) gid=1002(smb_two) groups=1002(smb_two),545(builtin_users),1000(smb-users)

# getent group smb-users
smb-users:*:1000:smb_one,smb_two,smb_three,smb_four


You mean I should set the ACL entry to `builtin_users`?
Yes.
 

troudee

Please send me a debug (System->Advanced->Save Debug) through private message.
Oh, that would be great!!

..."Start Conversation" is a private message, right? It's still a demo installation, but I wouldn't like posting it to your public profile page :oops:
 

troudee

Please send me a debug (System->Advanced->Save Debug) through private message.

With the help from anodos, I've now come up with another setup:

The users still are smb_one, smb_two and so on (currently just testing, as you might imagine).
They are still all members of the auxiliary smb_users group (GID=Auto, Sudo=No, SambaAuth=Yes).
The users all have SambaAuth=Yes.

The ACL is new:

User: root
Group: wheel

ACE
Who: owner@
ACL Type: Allow
Permissions Type: Basic
Permissions: Modify
Flags Type: Basic
Flags: Inherit

ACE
Who: Group
Group: smb_users
ACL Type: Allow
Permissions Type: Basic
Permissions: Modify
Flags Type: Basic
Flags: Inherit

I now logged in via SMB (smb_one) and let Winword save a file... The other SMB user could not even see that file now! I then checked with Windows Explorer from smb_one, and it was allowed to read and change the ACLs of the file and initially set them to "only I am allowed to do anything with it".

That's not how I want it -- is there any way to tell Samba to let all files inherit the ACLs (and maybe owners) of the directory they are just being put into? And prevent the SMB users from messing around with the ACLs?
 

troudee

Or, maybe not inherit but force? I've stumbled upon that word as well, but could not find anything about it. :-/
 

troudee

I think I've found the solution – please, if you know anything about it and see a major mistake here, scream immediately and let me know! :smile:

When declaring the SMB share, I can specify "Auxiliary Parameters". Here, I just specify
Code:
inherit acls = yes
inherit owner = windows and unix


The share belongs to root:wheel and this way, when an SMB client from the smb_users group creates a file in the share, it automatically belongs to root:wheel again and the client is not allowed to change the ACLs.

Maybe I just add another user "smb_master" that owns all the shares so that the users are not seeing that root everywhere, but that would just be cosmetics.
 