Unsolved
2 Posts
0
1744
July 16th, 2018 11:00
SAMBA server not respecting ACLs on OneFS
Hello guys,
I have created a mixed environment for multiprotocol access on Isilon OneFS, creating ACLs where on one side users access the information from Windows with AD credentials (SMB) and on the other side they use UNIX with LDAP credentials (NFS). This is how the ACLs are set at the OneFS level:
dc2isi1-20# ls -led BHTC
drwxrwx--- + 3 root wheel 541 Jul 2 16:03 BHTC
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:HELLADE\prj.ep3-sim_daten_bhtc_rw allow dir_gen_all,object_inherit,container_inherit
1: group:sim_daten_BHTC_rw allow dir_gen_all,object_inherit,container_inherit
We have some users that do not belong to our domain and need access using Windows, but this is not working at all, so we have decided to create a Samba server on a Linux VM for authenticating with an LDAP account from the Windows client. The server was working in an old environment without ACLs, but now that we have migrated to this environment it is not. I presume the authentication is done, but somehow it is not seeing the real ACLs; instead the Samba server is using the POSIX permissions for providing access.
This is the smb.conf file:
dc1tcs116:~ # cat /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2016-12-15
[global]
workgroup = SIMULATION
netbios name = tcs71.hei.hella.com
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U
#logon home = \\%L\%U\.9xprofile
logon drive = V:
domain logons = No
preferred master = auto
local master = Yes
# passdb backend = ldapsam:ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com
passdb backend = ldapsam:"ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com"
ldap suffix = dc=SIM,dc=hella,dc=com
ldap admin dn = cn=Administrator,dc=SIM,dc=hella,dc=com
# ldap group suffix = ou=groups,dc=SIM,dc=hella,dc=com
ldap group suffix = ou=groups
# ldap user suffix = ou=people,dc=SIM,dc=hella,dc=com
ldap user suffix = ou=people
# ldap machine suffix = ou=machines,dc=SIM,dc=hella,dc=com
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = no
ldapsam:editposix = yes
## idmap backend = ldap:"ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com"
idmap backend = ldap:"ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com"
follow symlinks = yes
wide links = yes
unix extensions = no
#acl check permissions = no
#log level = 10
#log level = 3 auth:10
#log level = 2 auth:10
[tcs_root]
path = /tcs_root
comment = Directory for Simulation and Validation
browsable = yes
public = yes
writeable = yes
inherit acls = yes
#create mask = 0770
#force create mode = 0770
#directory mask = 0770
#force directory mode = 0770
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl_xattr:ignore system acls = yes
acl_xattr:default acl style = everyone
acl check permissions = true
Can somebody please let me know if I'm missing something here, or point me to the right way to do it? Thanks a lot in advance!


PPBejarano
2 Posts
0
July 17th, 2018 10:00
I understand what you're trying to do here, but maybe I forgot to mention something... the 2 domains trust each other according to the AD admins. I can double-check on Isilon directly; here is the output:
dc2isi1-16# isi auth ads trusts list
--------------------------------------------------------------------------------
Domain: bhtcgroup.de
NetBIOS Name: BHTCGROUP
SID: S-1-5-21-1645522239-507921405-1957994488
GUID: 00000000-0000-0000-0000-000000000000
Trust Type: 2-way
Status: online
DC Site: bhtc1
Client Site: bhtc1
DC Name: desbhtcdc05.bhtcgroup.de
DC Address: 10.28.8.254
--------------------------------------------------------------------------------
Could it be that the security groups are not configured as they should be in AD? The AD groups are created in the first forest and the users from the other forest are added to them in that same AD... maybe the universal groups from the first forest need to be added directly in the second forest?
crklosterman
450 Posts
0
July 17th, 2018 10:00
First, putting a SAMBA server in front of an Isilon cluster, and connecting back with NFS to a directory that doesn't have real POSIX permissions, only synthetic POSIX permissions generated based upon a real ACL (which is what the + sign means next to your rwxrwx--- + output above), is never going to be very reliable or get your desired result. I would suggest instead that you create another access zone on the Isilon cluster, but leave the base root path at /ifs (overlapping or duplicate access zone base root paths aren't generally a good idea, but in your case you have 2 different non-trusted AD forests that need access to the same data). Then join your new access zone to the other domain, and add appropriate ACEs to the ACLs of the target data so the users on the other side have access.
~Chris
crklosterman
450 Posts
0
July 23rd, 2018 14:00
Put security groups from domain2 and domain1 in the SMB share ACL and the NTFS ACL and you should be fine. The only other issue that I've seen with this sort of thing is if you have RFC 2307 (aka Services for Unix) enabled in one of those domains but not in the other.
One way to test is to use 'isi auth mapping token domain2\\username' for some user that should have access. Open a support ticket if you need a hand troubleshooting.
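The two checks the replies point at, the '+' after the mode bits in the question's ls -led output (a real ACL with synthetic rwx bits) and having both domains' security groups in the NTFS ACL with inheritance so new files and subdirectories pick them up, can be scripted against the ls -led listing itself. The following is an added example for this thread, not code from the original posts or from Dell EMC/Isilon. It parses the listing posted in the question (embedded below as a constructed sample), splits each ACE into permissions and inheritance flags, and reports which required groups lack an inheritable allow ACE or are hit by an explicit deny. The BHTCGROUP group name is a hypothetical placeholder for the trusted domain's group, and the inheritance flag names other than object_inherit and container_inherit are assumed spellings.

```python
"""Audit a OneFS `ls -led` listing: who gets access here, and will new content inherit it?

Added example for this thread, not code from the original posts or from Dell EMC.
SAMPLE is the listing posted in the question; REQUIRED_GROUPS adds a hypothetical
BHTCGROUP group standing in for the trusted domain's group.
"""
import re
from dataclasses import dataclass

# Inheritance flags as OneFS prints them. object_inherit and container_inherit appear
# in the thread; the remaining spellings are assumed.
INHERITANCE_FLAGS = frozenset({"object_inherit", "container_inherit", "inherit_only",
                               "no_prop_inherit", "inherited_ace"})
INHERIT_BOTH = frozenset({"object_inherit", "container_inherit"})

# "drwxrwx--- + 3 root wheel ...": the optional '+' after the mode bits marks a real ACL.
MODE_RE = re.compile(r"^(?P<mode>[dl-][rwxstST-]{9})(?P<plus>\s*\+)?\s+\d+\s")
# "0: group:HELLADE\prj.ep3-sim_daten_bhtc_rw allow dir_gen_all,object_inherit,container_inherit"
ACE_RE = re.compile(r"^(?P<idx>\d+):\s+(?P<trustee>.+?)\s+(?P<kind>allow|deny)\s+(?P<flags>\S+)$")

# Constructed sample: the listing from the question, minus the shell prompt.
SAMPLE = r"""
drwxrwx--- + 3 root wheel 541 Jul 2 16:03 BHTC
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:HELLADE\prj.ep3-sim_daten_bhtc_rw allow dir_gen_all,object_inherit,container_inherit
1: group:sim_daten_BHTC_rw allow dir_gen_all,object_inherit,container_inherit
"""

REQUIRED_GROUPS = [
    r"group:HELLADE\prj.ep3-sim_daten_bhtc_rw",  # domain1 group, taken from the question
    r"group:BHTCGROUP\sim_daten_bhtc_rw",        # hypothetical domain2 group (assumed name)
]


@dataclass(frozen=True)
class Ace:
    index: int
    trustee: str            # "user:..." or "group:..." exactly as OneFS prints it
    kind: str               # "allow" or "deny"
    permissions: frozenset  # e.g. {"dir_gen_all"}
    inheritance: frozenset  # subset of INHERITANCE_FLAGS


@dataclass
class OneFsAcl:
    mode: str
    has_acl: bool           # '+' seen: a real ACL backs the synthetic rwx bits
    owner: str
    group: str
    control: frozenset      # CONTROL: flags, e.g. dacl_protected
    aces: list


def parse_ls_led(text: str) -> OneFsAcl:
    """Parse the text block printed by `ls -led <path>` on OneFS."""
    mode, has_acl, owner, group, control, aces = "", False, "", "", frozenset(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "ls -led" in line:      # skip blanks and a pasted shell prompt
            continue
        m = MODE_RE.match(line)
        if m:
            mode, has_acl = m["mode"], m["plus"] is not None
        elif line.startswith("OWNER:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("GROUP:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("CONTROL:"):
            control = frozenset(f.strip() for f in line.split(":", 1)[1].split(",") if f.strip())
        else:
            a = ACE_RE.match(line)
            if a is None:
                raise ValueError(f"unrecognised line: {line!r}")
            flags = set(a["flags"].split(","))
            aces.append(Ace(int(a["idx"]), a["trustee"], a["kind"],
                            frozenset(flags - INHERITANCE_FLAGS),
                            frozenset(flags & INHERITANCE_FLAGS)))
    return OneFsAcl(mode, has_acl, owner, group, control, aces)


def access_gap(acl: OneFsAcl, trustee: str, permission: str = "dir_gen_all"):
    """Why `trustee` would not reliably get `permission` on this directory, or None if it would."""
    mine = [a for a in acl.aces if a.trustee == trustee]
    if any(a.kind == "deny" and permission in a.permissions for a in mine):
        return "explicit deny ACE"
    allows = [a for a in mine if a.kind == "allow" and permission in a.permissions]
    if not allows:
        return f"no allow ACE granting {permission}"
    if not any(INHERIT_BOTH <= a.inheritance for a in allows):
        return "allow ACE is not inheritable; new files and subdirectories will not carry it"
    return None


def allowed_trustees(acl: OneFsAcl, permission: str = "dir_gen_all") -> set:
    """Trustees with an allow ACE for `permission` and no deny ACE for it (order ignored)."""
    return {a.trustee for a in acl.aces if a.kind == "allow" and permission in a.permissions
            and access_gap(acl, a.trustee, permission) != "explicit deny ACE"}


def audit(acl: OneFsAcl, required_groups, permission: str = "dir_gen_all") -> list:
    """Human-readable findings for the cross-domain setup discussed in the thread."""
    findings = []
    if acl.has_acl:
        findings.append("'+' present: the rwx bits are synthetic, derived from the real ACL; "
                        "do not reason about access from them")
    if "dacl_protected" in acl.control:
        findings.append("dacl_protected: this DACL does not inherit from its parent; "
                        "ACEs added higher up will not appear here")
    findings += [f"{g}: {gap}" for g in required_groups if (gap := access_gap(acl, g, permission))]
    return findings


if __name__ == "__main__":
    parsed = parse_ls_led(SAMPLE)
    print("allowed:", sorted(allowed_trustees(parsed)))
    for finding in audit(parsed, REQUIRED_GROUPS):
        print("-", finding)
```

Run as-is it reports that only the HELLADE group is present and that the hypothetical BHTCGROUP group has no allow ACE, which is the situation the last reply says to fix. The dacl_protected finding matters for the suggested fix: with that control flag set, an ACE added on a parent directory will not propagate to BHTC, so the ACE has to be added on BHTC itself (or the flag cleared).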