Bug 10937 - access based share enum = yes not working
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.1.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact

Reported: 2014-11-14 16:17 UTC by Krishna Harathi
Modified: 2014-11-24 16:04 UTC

Attachments
attachment-1516640-0.html (2.11 KB, text/html)
2014-11-24 16:04 UTC, Krishna Harathi

Description Krishna Harathi 2014-11-14 16:17:12 UTC
I have configured only one user to read/write that share, and
we would like to configure it such that all other users who
try to enumerate shares from a client will not find this
specific restricted share in the enum list.

So we tried "access based share enum = yes" both in the global section
and the share-specific section in smb.conf.

But all clients were able to list it using "net view".

Here is part of the relevant smb.conf

[Global]
access based share enum = yes
[RestrictShare1]
access based share enum = yes
read list = user1000000,
write list = user1000000,
guest ok = no
valid users = user1000000,
path = /mnt/exportfs/c761f338c84c44324bfd676a1f43c6409996afdc
read only = no
Comment 1 Jeremy Allison 2014-11-21 22:59:40 UTC
This is actually working as designed - just the documentation sucks on it :-).

access based share enum

causes smbd to look at the share *security descriptor*, which is stored inside the share_info.tdb, not the listed permissions on the share in the smb.conf.

You need to use the Windows share admin tool to set a security descriptor on the share, not the permissions in the smb.conf.

The reason for this is that it's actually quite hard to determine if a user would have access to a share at enumeration time, due to things like "force user" etc. on a share definition. So currently this only checks the SD stored for the share, not the text based perms.

Jeremy.
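
Added example, not part of the thread and not Samba code: a Python check for the situation Comment 1 describes, flagging shares that smb.conf restricts with "valid users" but whose stored share security descriptor still allows Everyone, so they stay visible in enumeration. The ACL dump format (modelled on `sharesec --view-all` output), the sample data including RestrictShare2, and treating a share with no stored descriptor as open to Everyone are assumptions.

```python
import configparser

EVERYONE = "S-1-1-0"  # well-known World ("Everyone") SID
# Constructed sample: smb.conf fragment shaped like the one in the report.
SMB_CONF = """\
[Global]
access based share enum = yes
[RestrictShare1]
valid users = user1000000,
[RestrictShare2]
valid users = user1000001
"""
# Constructed sample: per-share ACL dump (format is an assumption).
SHARE_ACLS = """\
[RestrictShare1]
ACL:S-1-1-0:ALLOWED/0x0/FULL
[RestrictShare2]
ACL:S-1-5-21-1111-2222-3333-1001:ALLOWED/0x0/FULL
"""

def parse_share_acls(dump):
    """Map share name -> [(trustee, ace_type, mask)] from the dump."""
    acls, share = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            acls[share] = []
        elif share and line.startswith("ACL:"):
            # ACL:<sid or name>:<type>/<flags>/<mask>
            trustee, _, rest = line[4:].rpartition(":")
            ace_type, _flags, mask = rest.split("/")
            acls[share].append((trustee, ace_type, mask))
    return acls

def conf_restricted_shares(conf_text):
    """Shares whose smb.conf entry limits access with 'valid users'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return [s for s in cp.sections() if s.lower() != "global"
            and cp.get(s, "valid users", fallback="").strip(" ,")]

def visible_despite_conf(conf_text, dump):
    """Shares restricted in smb.conf that Everyone can still enumerate."""
    acls = parse_share_acls(dump)
    # Assumption: no stored descriptor means the default, open to Everyone.
    default = [(EVERYONE, "ALLOWED", "FULL")]
    return [s for s in conf_restricted_shares(conf_text)
            if any(t in (EVERYONE, "Everyone") and k == "ALLOWED"
                   for t, k, _ in acls.get(s, default))]
```

The check only looks for an ALLOWED entry for Everyone; DENIED entries and group membership are not evaluated.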
Comment 2 Krishna Harathi 2014-11-24 16:04:12 UTC
Created attachment 10455
attachment-1516640-0.html

Jeremy,

Thanks for taking the time and explaining the behavior, appreciated.

Regards.
Krishna Harathi

On Fri, Nov 21, 2014 at 2:59 PM, <samba-bugs@samba.org> wrote:

> https://bugzilla.samba.org/show_bug.cgi?id=10937
>
> Jeremy Allison <jra@samba.org> changed:
>
>            What    |Removed                     |Added
>
> ----------------------------------------------------------------------------
>              Status|NEW                         |RESOLVED
>          Resolution|---                         |WORKSFORME
>