[Freeipa-users] samba & IPA

Jeremy Agee jagee at redhat.com
Thu Feb 23 23:48:40 UTC 2012


On 02/23/2012 05:01 PM, Alexander Bokovoy wrote:
> On Tue, 21 Feb 2012, Steven Jones wrote:
>
>> Hi,
>>
>> Any good docs on making samba / smbclient / clients work with ipa?
>> not having much luck with google....
> The stack of protocols that Samba is implementing disassociates
> authentication and actual connection to the shares. First you
> authenticate and once authenticated, you can connect to any share
> within the server. At this point there might be per-share limitations
> put on but authentication step is done already.
>
> As part of authentication, Samba may enforce PAM accounting
> restrictions if 'obey pam restriction' option is set in the
> configuration file. This would give you a way to enforce HBAC rules
> per user connected to the server -- make sure your smbd PAM config is
> using sssd for accounting purposes and then SSSD would do checks over
> HBAC rules with 'smbd' service.
>
> However, this would only limit access to the host globally as it
> happens during authentication phase, not later, when actual connection
> to the share would be done.
>
> In order to limit per-share connection, Samba has 'valid users' and
> 'allow hosts' options. These specify lists of users and hosts
> correspondingly. Unfortunately, the way it is implemented in Samba,
> these lists are taken directly from the configuration source, thus no
> way to dynamically change them other than playing with configuration
> files.
>
> One could do configuration file tuning per connected host, for
> example, or per user, using 'include = /path/to/config' and Samba
> configuration macros. This would still not give you dynamic
> configuration though.
>
> One could also do a 'preexec script' hook that is run before
> connection to a share is made. This approach allows you to implement a
> simple PAM-enabled tool that could be spawned from Samba at connection
> to share time and use SSSD HBAC tests (on PAM account) plus something
> additional to perform per-share restriction (see below why).
>
> All other methods would require modifying Samba to change
> 'allow_access()' function API and implementation. This is not planned
> at the moment -- neither from FreeIPA nor from Samba Team side. There
> are also considerable performance requirements to this particular
> function.
>
> However, even if anything like that is performed, we have one specific
> issue that HBAC rules do not allow to differentiate between service
> and its (optional) sub-services. You can think about shares as
> sub-services of a service 'smbd' but HBAC in FreeIPA doesn't allow to
> specify those. Ideally, ipaHBACService object class could be extended
> to include sub-services but handling those in UI would become a
> nightmare -- after all, you'll need to have as much ipaHBACService
> objects as number of servers x number of shares. Something better
> needs to be created.
>
You should also be able to use the filesystem to control access to the 
smb share.  If ACL support is on the filesystem, you can use these as 
well.  Samba should have "nt acl support = Yes" set by default.

/etc/samba/smb.conf
[global]
     workgroup = HOME
     netbios name = corona
     realm = HOME.LAN
     security = user
     kerberos method = system keytab
[test]
     comment = test
     path = /samba
     writable = yes
     read only = no
     create mask = 0660
     directory mask = 770
[test2]
     comment = test2
     path = /samba2
     writable = yes
     read only = no
     create mask = 0660
     directory mask = 770

[root@corona samba]# ls -la /samba*
/samba:
total 108
drwxrws---.  2 jagee ipausers  4096 Feb 23 18:11 .

/samba2:
total 8
drwxrws---.  2 bob  bob  4096 Feb 23 18:14 .


[jagee@ultra ~]$ smbclient -k //corona.home.lan/test
Domain=[HOME] OS=[Unix] Server=[Samba 3.5.10-114.el6]
smb: \> put Resume.odt
putting file Resume.odt as \Resume.odt (403.6 kb/s) (average 403.6 kb/s)

[jagee@ultra ~]$ smbclient -k //corona.home.lan/test2
Domain=[HOME] OS=[Unix] Server=[Samba 3.5.10-114.el6]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
Error in dskattr: NT_STATUS_ACCESS_DENIED

[jagee@ultra ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10003_I3kJiy
Default principal: jagee@HOME.LAN

Valid starting     Expires            Service principal
02/23/12 17:11:46  02/24/12 17:11:46  krbtgt/HOME.LAN@HOME.LAN
02/23/12 17:14:33  02/24/12 17:11:46  cifs/corona.home.lan@HOME.LAN

AD support is a lot different from basic security=user access.

Regards,
Jeremy Agee
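Added example (not from either poster, and not code shipped by Samba or FreeIPA): the "preexec script" hook Alexander describes above, written as a small shell helper that Samba runs before a share connection is made. It does the two things the thread says Samba alone cannot combine: it asks PAM (and so SSSD's pam_sss, which evaluates FreeIPA HBAC rules for the 'smbd' service during the account phase) whether the user may use the host at all, and then applies a per-share allow list of users and groups, which is the "something additional" for the per-share restriction. The script name, the policy directory `/etc/samba/share-acl`, the policy-file format and the use of `pamtester` for the PAM account check are all assumptions of this example; `root preexec` with `%S`/`%U` substitution and `root preexec close = yes` (a non-zero exit closes the service) are standard smb.conf options.

```shell
#!/bin/sh
# share-acl.sh: per-share access hook for Samba.
# Hypothetical helper written for this example; not part of Samba or FreeIPA.
#
# Wire it up per share (or in [global]) in smb.conf, for example:
#   root preexec       = /usr/local/sbin/share-acl.sh %S %U
#   root preexec close = yes
# With 'root preexec close = yes' a non-zero exit closes the connection to
# the share before any file access happens.
#
# Policy files (assumed layout) live in $ACL_DIR/<share>, one entry per line:
#   user:<name>     allow this user
#   group:<name>    allow any member of this group
#   #...            comment
# A share with no policy file is denied (fail closed).

ACL_DIR="${ACL_DIR:-/etc/samba/share-acl}"
PAM_SERVICE="${PAM_SERVICE:-smbd}"

# acl_matches SHARE USER "GROUPS": return 0 if the policy file for SHARE
# allows USER. GROUPS is the user's space-separated group list, passed in
# so the policy logic can be exercised without a real account.
acl_matches() {
    share=$1 user=$2 grps=$3
    policy="$ACL_DIR/$share"
    [ -f "$policy" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            "user:$user") return 0 ;;
            group:*)
                want=${line#group:}
                for g in $grps; do
                    [ "$g" = "$want" ] && return 0
                done ;;
        esac
    done < "$policy"
    return 1
}

# hbac_allows USER: run the PAM account phase for the smbd service.
# With pam_sss in /etc/pam.d/smbd this is where SSSD evaluates the IPA
# HBAC rules. Fails closed if pamtester is not installed.
hbac_allows() {
    if ! command -v pamtester >/dev/null 2>&1; then
        echo "share-acl: pamtester not found, denying" >&2
        return 1
    fi
    pamtester "$PAM_SERVICE" "$1" acct_mgmt >/dev/null 2>&1
}

# share_allowed SHARE USER: full decision for a live connection.
# Host-level HBAC first, then the per-share list.
share_allowed() {
    share=$1 user=$2
    grps=$(id -nG "$user" 2>/dev/null) || return 1
    hbac_allows "$user" || return 1
    acl_matches "$share" "$user" "$grps"
}

main() {
    if share_allowed "$1" "$2"; then
        logger -t share-acl "allow share=$1 user=$2"
        exit 0
    fi
    logger -t share-acl "deny share=$1 user=$2"
    exit 1
}

# Only act as a hook when Samba passes the share (%S) and user (%U).
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Two caveats worth keeping in mind. The hook runs once per tree connect, so it adds an exec and a PAM conversation to every share connection, which is the performance concern Alexander raises about `allow_access()`. And because the decision is taken at connection time, a user whose HBAC rule is removed while connected keeps the open share until they reconnect, exactly as with Samba's own `valid users`.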
