Bug 10937 - access based share enum = yes not working
Summary: access based share enum = yes not working
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.1.9
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-14 16:17 UTC by Krishna Harathi
Modified: 2014-11-24 16:04 UTC (History)
0 users

See Also:

Attachments
attachment-1516640-0.html (2.11 KB, text/html)
2014-11-24 16:04 UTC, Krishna Harathi 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Krishna Harathi 2014-11-14 16:17:12 UTC 
I have configured only one user to read/write that share and
we would like to configure such that all other users who 
tried to enumerate shares from a client, will not find this 
specific restricted share in the enum list.

So we tried "access based shre enum = yes" both in the global section
and share-specific section in smb,conf.

But all clients were able to list using "net view".

Here is part of the relevant smb.conf

[Global]
access based share enum = yes
[RestrictShare1]
access based share enum = yes
read list = user1000000,
write list = user1000000,
guest ok = no
valid users = user1000000,
path = /mnt/exportfs/c761f338c84c44324bfd676a1f43c6409996afdc
read only = no
Comment 1 Jeremy Allison 2014-11-21 22:59:40 UTC 
This is actually working as designed - just the documentation sucks on it :-).

access based share enum

causes smbd to look at the share *security descriptor*, which is stored inside the share_info.tdb, not the listed permissions on the share in the smb.conf.

You need to use the Windows share admin tool to set a security descriptor on the share, not the permissions in the smb.conf.

The reason for this is that it's actually quite hard to determine if a user would have access to a share at enumeration time, due to things like "force user" etc. on a share definition. So currently this only checks the SD stored for the share, not the text based perms.

Jeremy.
Comment 2 Krishna Harathi 2014-11-24 16:04:12 UTC 
Created attachment 10455 [details]
attachment-1516640-0.html

Jeremy,

Thanks for taking the time and explaining the behavior, appreciated.

Regards.
Krishna Harathi

On Fri, Nov 21, 2014 at 2:59 PM, <samba-bugs@samba.org> wrote:

> https://bugzilla.samba.org/show_bug.cgi?id=10937
>
> Jeremy Allison <jra@samba.org> changed:
>
>            What    |Removed                     |Added
>
> ----------------------------------------------------------------------------
>              Status|NEW                         |RESOLVED
>          Resolution|---                         |WORKSFORME
>
> --- Comment #1 from Jeremy Allison <jra@samba.org> ---
> This is actually working as designed - just the documentation sucks on it
> :-).
>
> access based share enum
>
> causes smbd to look at the share *security descriptor*, which is stored
> inside
> the share_info.tdb, not the listed permissions on the share in the
> smb.conf.
>
> You need to use the Windows share admin tool to set a security descriptor
> on
> the share, not the permissions in the smb.conf.
>
> The reason for this is that it's actually quite hard to determine if a user
> would have access to a share at enumeration time, due to things like "force
> user" etc. on a share definition. So currently this only checks the SD
> stored
> for the share, not the text based perms.
>
> Jeremy.
>
> --
> You are receiving this mail because:
> You reported the bug.
>