Samba Shares from NFS Source

samba
nfs
fileshares

#1

Hi,

I mounted a few NFS shares into UCS and am sharing them via SMB.
Now the permissions are looking great.
But my user Sina can still access the SMB share, even though I removed her from the group!
Please help with advice!


#2

Hey,

you did not restrict the access to the group “Tradecom-Office” in the Samba settings. On the other hand you did tell Samba to treat all valid accesses as coming from the group “Tradecom-Office”.

So what actually happens when a user who’s not a member of that group accesses the share is:

  1. Samba verifies the user’s login credentials (user name & password or Kerberos token).
  2. Samba checks if its valid users option is set. If so, it verifies that the user is either listed in valid users directly or if (s)he is a member of a group listed in valid users. In your case nothing’s set in valid users (the corresponding German option is “Gültige Benutzer oder Gruppen”). Therefore the access is allowed to continue.
  3. Next Samba looks at the force group setting (in German: “Erzwungene Gruppe”). If it is set, then that group name will be used when accessing the file system. In your case it is set, therefore “Tradecom-Office” will be the group used to access the files.
  4. Now Samba will access the file system. The Linux kernel sees an access by some user and the group “Tradecom-Office” (due to step 3) and verifies that access against the file permissions and ACLs. As the permissions and ACLs state that the group “Tradecom-Office” has read & write access, the access is allowed.

What you probably want is to set valid users to @Tradecom-Office in order to restrict access to the share to members of that group. See man smb.conf for details.

BTW: None of this has anything to do with NFS. It applies to any type of shared directory, no matter what the underlying storage is.

Kind regards,
mosu


#3

Hi @cpzengel,

are you very sure about your configuration of forced permissions? I’ve seldom seen an environment where this was finally intended.


#4

I just want to filter by group, but anybody can access the folder. The same config without NFS seems to work.


#5

cpzengel,

then the case is solved.


#6

No, I need it running with the NFS re-share to SMB, to have ZFS features.


#7

Hi cpzengel,
I realize you want to disallow a particular user or group from accessing a Samba share; you have to enter this user or group in the “invalid users or groups” field. In your case it is “Nicht erlaubt Benutzer oder Gruppen”. Entries here override every other configuration.

  • The Samba manual mentions that re-exporting an NFS mountpoint over Samba does not work correctly. NFS is not 100% POSIX compatible, so some things work differently than what Samba expects. I.e. you should run Samba on the same server where you run the NFS service, exporting the local disks directly.

  • Also the entries under Forced Data (Erzwinge Sicherheitsmodus) might be a problem.

My regards
Anna Takang


#8

Are there any other sources than the seven-year-old thread from Serverfault for this statement?


#9

Thanks for the feedback.
The denial is not necessary.
User Sina can access the share even though she left the group.
We don’t want to use ACLs, just Linux permissions (mapped groups).

Re-share is necessary to run on ZFS; an SMB share from the ZFS host is possible, but not with UCS users!


#10

After I removed the “Forced Data”, the permissions after logon with Sina on a Mac look like this:

The problem is that Sina is no longer a member of the Tradecom-Office group.


#11

A lot of experience in debugging those issues. :slight_smile:

https://lists.samba.org/archive/samba/2012-August/168994.html → it is already a few years old but AFAIK it is still valid.


#12

Real world experience is always accepted. :slight_smile:
The interesting part in the thread you linked is that JRA also didn’t answer the question regarding the official source/manual for the statement quoted. But he might have experience as well.
I just wanted to point out that it should be avoided to quote someone else’s unproven statements without some verification. Which is what we expect from journalists, for example.


#13

Hey,

As I’ve written earlier, if you only want members of the group Tradecom-Office to have access to that share, you have to set the valid users option (Gültige Benutzer oder Gruppen in German) to @Tradecom-Office. Leaving that field empty as it was in the screenshot you posted will allow anyone to connect to that share.

Using force group (Erzwungene Gruppe in German) only tells Samba which group to use to access the files — it has no bearing on the decision whether or not someone may connect to the share.

About exporting NFS-mounted shares over Samba: you’re saying that you don’t want to use ACLs. That’s fine. That combination should work. Just be aware: while NFS supports Linux ACLs (POSIX ACLs), it doesn’t support Extended Attributes. Why is that a problem? Because Samba stores Windows ACLs that cannot be mapped to Linux ACLs directly as an Extended Attribute named security.NTACL. Meaning you will likely not be able to manage ACLs via e.g. Windows Explorer properly.

Kind regards,
mosu
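The access decision mosu walks through in #2 and #13 (valid users, then force group, then the kernel's permission check), together with the "invalid users" precedence Anna mentions in #7, modelled as an added example; this is not code from the thread, from UCS or from Samba. The three smb.conf fragments, the accounts, the group memberships and the directory mode are constructed, and `share_access` and its helpers are hypothetical names. The Samba option names themselves (`valid users`, `invalid users`, `force group`) are the real ones.

```python
"""Added example (not code from this thread, UCS or Samba): a model of the
per-share access decision the posts describe, so you can see why setting only
'force group' does not restrict who may connect to a share."""

# Constructed smb.conf fragments. The option names are Samba's; the share
# name, path and group are modelled on the thread's description.
WEAK_CONF = """
[office]
    path = /mnt/nfs/office
    force group = Tradecom-Office
"""

FIXED_CONF = """
[office]
    path = /mnt/nfs/office
    force group = Tradecom-Office
    valid users = @Tradecom-Office
"""

NO_FORCE_CONF = """
[office]
    path = /mnt/nfs/office
"""

# Constructed accounts: Sina has been removed from Tradecom-Office.
USER_GROUPS = {
    "bob": {"users", "Tradecom-Office"},
    "sina": {"users"},
}
PRIMARY_GROUP = {"bob": "users", "sina": "users"}

# Constructed share directory: owned by root:Tradecom-Office, mode 0770,
# i.e. plain Linux permissions and no ACLs, as the original poster wanted.
DIRECTORY = {"owner": "root", "group": "Tradecom-Office", "mode": 0o770}


def parse_share(conf_text, share_name):
    """Minimal smb.conf-style parser: [section] headers and 'key = value'."""
    shares, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares[share_name]


def _entries(value):
    """Split a comma- or space-separated user list."""
    return [e for e in value.replace(",", " ").split() if e]


def _matches(entry, user):
    """'@group' or '+group' matches group members; a bare name matches a user."""
    if entry[0] in "@+":
        return entry[1:] in USER_GROUPS.get(user, set())
    return entry == user


def may_connect(share, user):
    """Step 2 of post #2: 'invalid users' wins, then 'valid users'; an empty
    'valid users' list lets every authenticated user connect."""
    if any(_matches(e, user) for e in _entries(share.get("invalid users", ""))):
        return False
    valid = _entries(share.get("valid users", ""))
    return not valid or any(_matches(e, user) for e in valid)


def fs_groups(share, user):
    """Step 3: 'force group' replaces the primary group used for file access;
    the user's supplementary groups stay."""
    primary = share.get("force group") or PRIMARY_GROUP[user]
    return {primary} | USER_GROUPS[user]


def fs_allows(user, groups, directory, want=0o6):
    """Step 4: classic owner/group/other mode-bit check, read+write wanted."""
    mode = directory["mode"]
    if user == directory["owner"]:
        bits = (mode >> 6) & 0o7
    elif directory["group"] in groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want


def share_access(conf_text, user, share_name="office"):
    """Full decision for one user against one share definition."""
    share = parse_share(conf_text, share_name)
    if not may_connect(share, user):
        return "denied at connect"
    if not fs_allows(user, fs_groups(share, user), DIRECTORY):
        return "denied by filesystem"
    return "allowed"


if __name__ == "__main__":
    for label, conf in (("force group only", WEAK_CONF),
                        ("valid users added", FIXED_CONF),
                        ("force group removed", NO_FORCE_CONF)):
        for user in ("bob", "sina"):
            print(f"{label:20} {user:5} -> {share_access(conf, user)}")
```

With only `force group` set, Sina is allowed: she passes the empty `valid users` check and then reaches the directory as group Tradecom-Office. Adding `valid users = @Tradecom-Office` stops her at the connect step, and dropping `force group` instead (post #10) makes the kernel deny her because she is no longer in the group. On a real server, `testparm -s` prints the effective share options so the two settings can be checked side by side.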