SAMBA server not respecting ACLs on OneFS

Question

Hello guys,      I have created a mix environment for multiprotocol access on Isilon OneFS creating ACLs where from one side users access the information using Windows with AD credentials (SMB) and from the other side they use UNIX with LDAP credentials (NFS). This is how the ACLs are set on OneFS level: dc2isi1-20# ls -led BHTC drwxrwx--- +  3 root  wheel  541 Jul  2 16:03 BHTC OWNER: user:root GROUP: group:wheel CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected 0: group:HELLADE\prj.ep3-sim_daten_bhtc_rw allow dir_gen_all,object_inherit,container_inherit 1: group:sim_daten_BHTC_rw allow dir_gen_all,object_inherit,container_inherit We have some users that does not belong to our domain and need access using Windows, but this is not working at all, so we have decided create a Samba server on Linux VM for authenticating with LDAP account from WIndows client. The server was working on an old environment without ACLs, but now that we have migrated to this environment is not, I presume the authentication is done but somehow is not seeing the real ACLs, instead Samba server is using the POSIX permissions for providing access. This is the smb.cong file: dc1tcs116:~ # cat /etc/samba/smb.conf # smb.conf is the main Samba configuration file. You find a full commented # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the # samba-doc package is installed. # Date: 2016-12-15 [global]    workgroup = SIMULATION    netbios name = tcs71.hei.hella.com    logon path = \%L\profiles\.msprofile    logon home = \%L\%U    #logon home = \%L\%U\.9xprofile    logon drive = V:    domain logons = No    preferred master = auto    local master = Yes    # passdb backend = ldapsam:ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com    passdb backend = ldapsam:'ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com'    ldap suffix = dc=SIM,dc=hella,dc=com    ldap admin dn = cn=Administrator,dc=SIM,dc=hella,dc=com    # ldap group suffix = ou=groups,dc=SIM,dc=hella,dc=com    ldap group suffix = ou=groups    # ldap user suffix = ou=people,dc=SIM,dc=hella,dc=com    ldap user suffix = ou=people    # ldap machine suffix = ou=machines,dc=SIM,dc=hella,dc=com    ldap machine suffix = ou=machines    ldap idmap suffix = ou=Idmap    ldap ssl = no    ldapsam:editposix = yes    ## idmap backend = ldap:'ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com'    idmap backend = ldap:'ldap://dc1ldap05v.dc.hella.com ldap://dc2ldap06v.dc.hella.com'    follow symlinks = yes    wide links = yes    unix extensions = no    #acl check permissions = no       #log level = 10    #log level = 3 auth:10    #log level = 2 auth:10 [tcs_root]    path = /tcs_root    comment = Directory for Simulation and Validation    browsable = yes    public = yes    writeable = yes    inherit acls = yes    #create mask = 0770    #force create mode = 0770    #directory mask = 0770    #force directory mode = 0770    vfs objects = acl_xattr    map acl inherit = yes    store dos attributes = yes    acl_xattr:ignore system acls = yes    acl_xattr:default acl style = everyone    acl check permissions = true Can somebody please let me know if I'm missing something in here or lead me to the right way to do it? Thanks a lot in advance!

PPBejarano · Answer

I understand what you're trying to do in here, but maybe I forgot to mention something...the 2 domains are trusted each other according to AD admins, I can double check on Isilon directly, here the output:

dc2isi1-16# isi auth ads trusts list

--------------------------------------------------------------------------------

Domain: bhtcgroup.de

NetBIOS Name: BHTCGROUP

SID: S-1-5-21-1645522239-507921405-1957994488

GUID: 00000000-0000-0000-0000-000000000000

Trust Type: 2-way

Status: online

DC Site: bhtc1

Client Site: bhtc1

DC Name: desbhtcdc05.bhtcgroup.de

DC Address: 10.28.8.254

--------------------------------------------------------------------------------

Could it be that security groups are not configured as they should be on AD? The AD groups are created on first forest and added into same AD to user from other forest...maybe the universal groups from first forest need to be added directly on second forest?

crklosterman · Answer

First, putting a SAMBA server in front of an Isilon cluster, and connecting back with NFS to a directory that doesn't have real POSIX permissions, only synthetic POSIX permissions generated based upon a real ACL (what the + sign means next to your RWXRWX--- + output above), is never going to be very reliable or get your desired result. I would suggest instead that you create another access zone on the Isilon cluster, but leave the base root path at /ifs (overlapping or duplicate access zone base root paths aren't generally a good idea, but in your case you have 2 different non-trusted AD forests that need access to the same data. So now in your new access zone, join it to the other domain, and then add appropriate ACEs to the ACLs of the target data for the users on the other side to have access.

~Chris

crklosterman · Answer

Put security groups from domain2 and domain1 in the SMB Share ACL and the NTFS ACL and you should be fine. The only other issue that I've seen with this sort of thing is if you have RFC2307 aka Services for Unix enabled in one of those domains, but not in the other.

One way to test, is to use 'isi auth mapping token domain2\\username' for some user that should have access. Open a support ticket if you need a hand troubleshooting.

Isilon

Was this post helpful?