
Trying to use Samba extended ACLs (https://wiki.samba.org/index.php/Shares_with_Windows_ACLs) based on AD permissions, but they do not seem to be working / being applied for shares on our CentOS7 server when mounting those shares on Windows 10 machines. I.e. no restrictions seem to be applied.

Even if removing myself from the various AD groups/CNs listed in the Security tab of a samba share that ostensibly have extended ACL functionality applied to it (via the Computer Mgmt UI (per the docs)), I can still mount and view its contents when mounting the network drive via Windows File Explorer despite not being in any of the AD security groups allowed.

The /etc/samba/smb.conf settings relating to extended ACLs appear to be set up as required for extended ACL functionality as per the docs (and the similar question here)...

Larger smb.conf snippet (everything but the various shares):

    [root@myserver ~]# cat /etc/samba/smb.conf
    [global]
        security = ads
        password server = adcontrollerserver.myorg.local
        dedicated keytab file = /etc/krb5.keytab
        encrypt passwords = yes
        log file = /var/log/samba/%m.log
        log level = 3
        winbind refresh tickets = yes
        vfs objects = acl_xattr
        map acl inherit = Yes
        # the next line is only required on Samba versions less than 4.9.0
        store dos attributes = Yes
        winbind use default domain = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000000-10999999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : range = 10000-20000
        idmap config MYDOMAIN : unix_nss_info = yes
        idmap config MYDOMAIN : unix_primary_group = no
        username map = /usr/local/samba/etc/user.map
        winbind enum users = yes
        winbind enum groups = yes
        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U
        kerberos method = system keytab
        workgroup = MYDOMAIN
        realm = MYDOMAIN.LOCAL
        winbind offline logon = yes
        ...

(as per https://www.samba.org/samba/docs/current/man-html/idmap_ad.8.html)

Editing the Security AD ACLs for the shares in the Computer Mgmt UI does flow through back to the host machine. That is, when logging out and back into the server as the AD-linked user and running

    [myaduser@myserver ~]# groups

I can see the groups change there and access is/is not restricted based on how the ACLs were configured (note this does not work if you, say, sign in as root and su myaduser (you need to authenticate each time)). Yet, even when this works on the samba server itself, it does seem to work when mounting the shares on my local laptop or other Windows desktops on the network.

Anyone know what could be going on here? Something I'm missing? Any more info that would be helpful?

1 Answer


File ACLs control access to files inside a share. They apply always, regardless of which share was used to access the file (you can set up shares so you can access the same file via different paths); if POSIX ACL mapping is used as the VFS method, these ACLs will apply even for local users (i.e. even when accessing files without Samba).

Access to the share itself is controlled with valid users, invalid users, write list, admin users and similar per-share options in the smb.conf (or their Samba registry counterparts, see man smb.conf for details). This is another access setting, independent of file ACLs. A user who is allowed in this setting is able to connect to a share (mount it, for instance), but will not necessarily be able to access files because of file ACLs. This corresponds to the share security tab in Windows where you set who is allowed to connect to a share.
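The distinction the answer draws (share-level access lists in smb.conf versus file ACLs on disk) is easy to audit. The script below is an added example, not part of the question or answer above: it writes a constructed smb.conf with two shares, one that relies on file ACLs only and one that also sets `valid users`, and reports which shares have no share-level restriction at all. The share names, paths and the `MYDOMAIN\finance-users` group are placeholders invented for the example.

```shell
#!/bin/sh
# Added example: report which shares in an smb.conf rely on file ACLs alone,
# i.e. carry none of "valid users", "invalid users", "read list", "write list".
# The smb.conf content below is constructed for this example only.
set -eu

SMBCONF=$(mktemp)
trap 'rm -f "$SMBCONF"' EXIT

cat > "$SMBCONF" <<'EOF'
[global]
   security = ads
   workgroup = MYDOMAIN
   vfs objects = acl_xattr
   map acl inherit = yes

# Share relying on file ACLs only: any authenticated domain user may connect.
[data]
   path = /srv/samba/data
   read only = no

# Share with a share-level restriction in addition to file ACLs.
[finance]
   path = /srv/samba/finance
   read only = no
   valid users = @"MYDOMAIN\finance-users"
EOF

# share_option SECTION OPTION FILE: print the option's value inside the
# named [SECTION], or nothing if it is not set there. Comment lines (# or ;)
# are ignored, as Samba itself ignores them.
share_option() {
    awk -v section="$1" -v option="$2" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            name = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", name)
            in_section = (name == section)
            next
        }
        in_section && /^[[:space:]]*[^#;]/ {
            split($0, kv, "=")
            key = kv[1]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == option) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val
                exit
            }
        }' "$3"
}

# share_access_mode SHARE FILE: "restricted" if the share has any
# share-level access list, otherwise "open" (file ACLs are the only gate).
share_access_mode() {
    for opt in "valid users" "invalid users" "read list" "write list"; do
        if [ -n "$(share_option "$1" "$opt" "$2")" ]; then
            echo restricted
            return 0
        fi
    done
    echo open
}

for share in data finance; do
    printf '%-10s %s\n' "$share" "$(share_access_mode "$share" "$SMBCONF")"
done

# On a real server the same two layers are inspected with:
#   testparm -s /etc/samba/smb.conf          # effective share options
#   getfacl /srv/samba/data                  # POSIX ACL on the directory
#   smbcacls //myserver/data / -U myaduser   # ACL as seen through Samba
```

Running it prints `data open` and `finance restricted`. A share reported as `open` behaves exactly as described in the question: every authenticated user can mount it, and only the per-file ACLs (checked with `getfacl` on the server or `smbcacls` over SMB) decide what they can then read.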