How to set ACLs for SMB users and Apache in AD context?

Status
Not open for further replies.

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I have a FreeNAS 9.3 box bound to AD serving Samba shares. Users (students) can log in using their AD credentials and mount their home directories. That works fine.

Inside each student user's home is a dir called "publish". Whatever the student puts in there will be world-readable on the web. This happens by way of an Apache server running inside a jail on the same FreeNAS box. The jail mounts the Samba home share as read-only storage; "www" group has r-x permissions to ~somestudent and ~somestudent/publish; and that all works too (via a script that runs several times a day).

All of the above can be accomplished with straight POSIX permissions. But faculty need read access to student homes as well. If I add o+rx to the permissions, then students will be able to see one another's work, and that won't fly!

I tried adding an ACL for "www" but it didn't work:
setfacl -m g:www:rx::allow ~somestudent/publish
Did I do that wrong? I'm a little fuzzy on setfacl.

A possible added complication is that 'faculty' and 'students' are AD groups, but 'www' is local.

How can I set up ACLs such that:
  • somestudent has rwx permissions to their entire home directory
  • www has r-x permissions _only_ to root level of ~somestudent, plus entire contents of ~somestudent/publish
  • faculty AD group has r-x permissions to entire contents of ~somestudent
  • students can NOT see into one another's home directories
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I have a FreeNAS 9.3 box bound to AD serving Samba shares. Users (students) can log in using their AD credentials and mount their home directories. That works fine.

Inside each student user's home is a dir called "publish". Whatever the student puts in there will be world-readable on the web. This happens by way of an Apache server running inside a jail on the same FreeNAS box. The jail mounts the Samba home share as read-only storage; "www" group has read & execute permissions to ~somestudent and ~somestudent/publish; and that all works too (via a script that runs several times a day).

All of the above can be accomplished with straight POSIX permissions. But faculty need read access to student homes as well. If I add o+rx to the permissions, then students will be able to see one another's work, and that won't fly!

I tried adding an ACL for "www" but it didn't work:
setfacl -m g:www:rx::allow ~somestudent/publish
Did I do that wrong? I'm a little fuzzy on setfacl.

A possible added complication is that 'faculty' and 'students' are AD groups, but 'www' is local.

How can I set up ACLs such that:
  • somestudent has rwx permissions to their entire home directory
  • www has r-x permissions _only_ to root level of ~somestudent, plus entire contents of ~somestudent/publish
  • faculty AD group has r-x permissions to entire contents of ~somestudent
  • students can NOT see into one another's home directories
I don't mess with acls much from the CLI, but I believe the syntax you want is more like "setfacl -m g:www:read_set:allow <path>".
It's a bit hard for me to visualize what you're trying to accomplish. Do you mind posting the contents of /usr/local/etc/smb4.conf?
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
I just need each user home to have permissions like these:
owner = rwx
faculty = r-x
www = r-x
world = none

I can't put www in the faculty group because the permissions need to be more granular than that, and anyway I can't put a local user in an AD group.

Students only have permissions to see their own home, so when they connect to Samba, that's all they should see. But users are also going to be connecting by SSH (this is a server for a comp sci dept. in a college), so I need the permissions to be right ... can't just rely on Samba hiding stuff from view.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I just need each user home to have permissions like these:
owner = rwx
faculty = r-x
www = r-x
world = none

I can't put www in the faculty group because the permissions need to be more granular than that, and anyway I can't put a local user in an AD group.
I believe the above setfacl command will work (setfacl -m g:www:read_set:allow <path>). Let me know if it doesn't.

Alternatively, you can script using smbcacls (assuming that you're not using the special [homes] shares), which takes care to make sure that the ACLs are set in a way that windows likes.
ex: "smbcacls //127.0.0.1/TestShare/ -U root --add ACL:www:ALLOWED/3/READ"

The above is the *nix CLI equivalent of setting permissions through Windows Explorer.

Please note that if your share structure is as follows:

\\freenas\Students\Bob\Publish,

then "www" will need read access to:

Students
Students\Bob
Students\Bob\Publish

One other caveat is that setfacl and (unpatched) smbcacls lack a recursive function.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
Nope! It doesn't work. I've only gotten it to work by giving www explicit r-x access in the POSIX permissions, or by chmod o+rw, which I don't want to do.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Wait a minute, I'm getting some contradictory results here .... let me test some more.
Since you're talking about using "chmod", it sounds like you're doing this with "unix" permissions type for your samba share. This is okay if you're a home user, but I think you're inviting massive permissions headaches with what you're trying to do. There's a reason why iXsystems considers "Unix permissions type" + samba to be an unsupported configuration type.
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
Since you're talking about using "chmod", it sounds like you're doing this with "unix" permissions type for your samba share. This is okay if you're a home user, but I think you're inviting massive permissions headaches with what you're trying to do. There's a reason why iXsystems considers "Unix permissions type" + samba to be an unsupported configuration type.

Only way I know how to do it!
Anyway, it works now, thanks for your suggestions:

/userhomes/someuser = user:faculty 750 + r-x ACL for www (read_set won't do it, because you need execute permissions to open directories)
/userhomes/someuser/publish = user:faculty 755 + that same ACL
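The layout Luke ended up with (owner rwx, faculty r-x via the owning group, world none, plus a www ACL entry that carries execute as well as read) is easy to get wrong by hand across many homes, so here is an added example of scripting it. It is not code from the thread or from iXsystems. It assumes FreeBSD/FreeNAS NFSv4 setfacl syntax (tag:qualifier:perms:inheritance_flags:type), homes under /userhomes (overridable), and that "faculty" is the owning group; those values are assumptions, not taken from the posts. The www entry on the home root deliberately has no inheritance flags so www only sees the top level, while the entry on publish uses file and directory inheritance so content the student adds later is served too.

```shell
#!/bin/sh
# Added example (not from the thread). Emits, or with DRY_RUN=0 runs, the
# commands that give one student home the permission layout discussed above.
# Assumed names: HOMES_ROOT, WEB_GROUP and FACULTY_GROUP are placeholders.

HOMES_ROOT="${HOMES_ROOT:-/userhomes}"
WEB_GROUP="${WEB_GROUP:-www}"
FACULTY_GROUP="${FACULTY_GROUP:-faculty}"

# run_or_print CMD...: print the command when DRY_RUN=1 (the default, so the
# list can be reviewed first); execute it when DRY_RUN=0.
run_or_print() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# home_acl_commands USER: the per-home sequence.
#  - home root: owner rwx, faculty (owning group) r-x, world none,
#    www r-x with NO inheritance flags, so www sees only the top level
#  - publish:   same owner/group, www r-x with "fd" (file + dir inherit),
#    so everything the student drops in later is readable by Apache
# chmod is done BEFORE setfacl on purpose: on ZFS datasets whose aclmode is
# "discard" a later chmod throws the NFSv4 ACL entries away (ZFS behaviour,
# not something the thread states).
home_acl_commands() {
    user="$1"
    home="$HOMES_ROOT/$user"
    run_or_print chown "$user:$FACULTY_GROUP" "$home"
    run_or_print chmod 750 "$home"
    run_or_print setfacl -m "g:$WEB_GROUP:rx::allow" "$home"
    run_or_print chown "$user:$FACULTY_GROUP" "$home/publish"
    run_or_print chmod 755 "$home/publish"
    run_or_print setfacl -m "g:$WEB_GROUP:rx:fd:allow" "$home/publish"
}

# all_homes_commands: apply to every directory under HOMES_ROOT that has a
# publish subdirectory (homes without one are skipped, not modified).
all_homes_commands() {
    for d in "$HOMES_ROOT"/*/; do
        [ -d "$d/publish" ] || continue
        home_acl_commands "$(basename "$d")"
    done
}

# Usage: review the list for one user first, then apply for real:
#   home_acl_commands alice
#   DRY_RUN=0 all_homes_commands
```

Note that `read_set` is not used: as the post above says, it lacks execute, and without execute on a directory www cannot traverse into it, so the compact `rx` permission string is what the Apache jail actually needs.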
 

Luke Jaeger

Dabbler
Joined
Mar 16, 2016
Messages
43
What is the preferred method for setting default permissions on user-created files (inside user homes) in AD + Samba context?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
What is the preferred method for setting default permissions on user-created files (inside user homes) in AD + Samba context?

That depends on how you're handling user homes in Samba (there are several ways of going about this). There are some directions on the samba wiki https://wiki.samba.org/index.php/User_home_drives. Just be sure to make appropriate freenas-specific changes (for instance, we use zfsacl, not acl_xattr. So don't mess with the vfs objects.)

I wrote up a brief how-to a while ago here: https://forums.freenas.org/index.php?threads/cifs-home-directories-in-ad-environment.27132/ I probably need to go through and clean it up.
 