Feature #21872

Apply default permissions to SMB share ACLs

Added by an odos almost 2 years ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Expected
Assignee:
John Hixson
Category:
OS
Target version:
Estimated time:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Description

The goal of "apply default permissions" is to put permissions on a samba share to a sane, default state. It does this for filesystem ACLs, but not for share ACLs. By default, samba will fake up "Everyone Full Control" ACL for shares in the absence of entries in the share tdb file. So restoring this to a "default" state simply involves nuking the entire security descriptor for the share via

sharesec -D ShareName

This should be added to the song-and-dance routine for "apply default permissions" on a samba share.

Associated revisions

Revision 3558f9fd (diff)
Added by John Hixson over 1 year ago

Add share level ACL on create/reset

Ticket: #21872

Revision 2dcf1638 (diff)
Added by John Hixson over 1 year ago

Nuke share ACL on delete

Ticket: #21872

History

#1 Updated by an odos almost 2 years ago

Note that I have only performed minimal testing on this. (set a restrictive ACL on the share, then nuked the SD and verified that ACL reset to Everyone-Full Control). You may want to verify that this is indeed the case as the behavior only appears to be documented in the source for the sharesec utility (not in the manpage).

#2 Updated by an odos almost 2 years ago

A couple of small wrinkles associated with Share ACLs:
1) Trying to delete the SD on a share that lacks an entry in the share tdb file (i.e. one that someone hasn't mucked around with) results in an error message.

delete_share_security: Failed to delete entry for share <share name>: NT_STATUS_NOT_FOUND

2) Entries in share_info.tdb actually remain after the share has been deleted. If you configure an ACL on [users], delete [users], then create [users] again, the new [users] share will have the same ACL on it. This can lead to some confusion, and so it might be a good idea to have the UI nuke the ACL when a share is deleted.

This will help ease some counter-intuitive samba behavior for Windows sysadmins using FreeNAS in an AD environment (because they might be administering / configuring samba permissions via "computer management").
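The reset step the ticket asks for, written out as an added shell example (not FreeNAS or Samba project code): delete the share's security descriptor with sharesec -D so the share falls back to Samba's implicit Everyone/Full Control, and treat the NT_STATUS_NOT_FOUND error from wrinkle 1 as success, since it only means the share never had an entry in share_info.tdb. The SHARESEC variable is an assumption of this example, letting a caller substitute another command for the real sharesec binary; the matched error text is the one quoted in comment #2.

```shell
#!/bin/sh
# Added example, not project code: reset an SMB share's share-level ACL to
# Samba's default by removing its security descriptor from share_info.tdb.
#
# Assumption (hypothetical): SHARESEC names the command to run; it defaults
# to the real sharesec binary but can be pointed at a stand-in for testing.
SHARESEC="${SHARESEC:-sharesec}"

# reset_share_acl SHARE
# Exit status 0 when the share now carries no stored SD: either the entry was
# deleted, or there never was one (sharesec reports NT_STATUS_NOT_FOUND, which
# already means "default ACL"). Any other failure is printed and returns 1, so a
# caller doing "apply default permissions" or "delete share" can surface it.
reset_share_acl() {
    share="$1"
    if [ -z "$share" ]; then
        echo "usage: reset_share_acl SHARE" >&2
        return 2
    fi

    # Capture both streams: sharesec prints the NT_STATUS text on stderr.
    out=$("$SHARESEC" -D "$share" 2>&1)
    status=$?
    if [ "$status" -eq 0 ]; then
        return 0
    fi

    case "$out" in
        *NT_STATUS_NOT_FOUND*)
            # No entry in share_info.tdb: nothing to remove, default ACL applies.
            return 0
            ;;
    esac

    printf '%s\n' "$out" >&2
    return 1
}
```

Call reset_share_acl from both the "apply default permissions" path and the share-delete path; running it on delete is what stops a stale entry in share_info.tdb from silently reattaching an old ACL to a re-created share of the same name (wrinkle 2). Afterwards, sharesec -v SHARE on a real system should show the fallback Everyone/Full Control entry rather than whatever was stored before.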

#3 Updated by Kris Moore almost 2 years ago

  • Assignee set to John Hixson
  • Priority changed from No priority to Expected
  • Target version set to 9.10.3

Seems like an easy one. John, any concerns?

#4 Updated by John Hixson almost 2 years ago

  • Status changed from Unscreened to Screened

Kris Moore wrote:

Seems like an easy one. John, any concerns?

No concerns here. If I had known you could do this, it would have been done already ;-) I've recommended doing this via Windows for years now.

#5 Updated by John Hixson over 1 year ago

  • Status changed from Screened to Fix In Progress

#6 Updated by John Hixson over 1 year ago

  • Status changed from Fix In Progress to 15

I've done the work to implement this. odos, can you confirm this works the way you think it should work? I believe it is working as it should.

#7 Updated by John Hixson over 1 year ago

  • Target version changed from 9.10.3 to 9.10.4

I consider this working, punting to 9.10.4 until verified, then I will close it.

#8 Updated by Kris Moore over 1 year ago

  • Target version changed from 9.10.4 to 11.1

#9 Updated by an odos over 1 year ago

John Hixson wrote:

I consider this working, punting to 9.10.4 until verified, then I will close it.

Sorry. Didn't notice the status was updated. Is this already in FN 11? If not, I can fire up a VM with 11 master installed and verify that it works properly.

#10 Updated by John Hixson over 1 year ago

an odos wrote:

John Hixson wrote:

I consider this working, punting to 9.10.4 until verified, then I will close it.

Sorry. Didn't notice the status was updated. Is this already in FN 11? If not, I can fire up a VM with 11 master installed and verify that it works properly.

Yes, this is in 11.0-RC

#11 Updated by an odos over 1 year ago

John Hixson wrote:

an odos wrote:

John Hixson wrote:

I consider this working, punting to 9.10.4 until verified, then I will close it.

Sorry. Didn't notice the status was updated. Is this already in FN 11? If not, I can fire up a VM with 11 master installed and verify that it works properly.

Yes, this is in 11.0-RC

Yep. Works. Created share, added ACL through sharesec. "Apply default permissions" nukes the ACL. Deleting the share nukes the ACL. Edge-case affecting 0.00000000001% of users is fixed. :-)

#12 Updated by John Hixson over 1 year ago

  • Status changed from 15 to Resolved

an odos wrote:

John Hixson wrote:

an odos wrote:

John Hixson wrote:

I consider this working, punting to 9.10.4 until verified, then I will close it.

Sorry. Didn't notice the status was updated. Is this already in FN 11? If not, I can fire up a VM with 11 master installed and verify that it works properly.

Yes, this is in 11.0-RC

Yep. Works. Created share, added ACL through sharesec. "Apply default permissions" nukes the ACL. Deleting the share nukes the ACL. Edge-case affecting 0.00000000001% of users is fixed. :-)

Heheh. Thanks for confirming ;-) And hey, that 0.00000000001% matters to me ;-)

#13 Updated by Dru Lavigne over 1 year ago

  • Subject changed from When running "apply default permissions" to Samba Share, nuke any Share ACLs (nt-style) via "sharesec -D <share name>" to Apply default permissions to SMB share ACLs

#14 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1 to 11.1-BETA1

#15 Updated by Nick Wolff about 1 year ago

Test plan
  • Set a share ACL from command line:
    sharesec SHARE -a S-1-5-32-544:ALLOWED/0/FULL
  • Then try "apply default permissions".
  • Then type "sharesec --view-all" to verify

#16 Updated by Nick Wolff about 1 year ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)