Samba Access Configuration ALL WRONG!

Just got this out of the box and setting it up to my AD Domain and all that, and I am slowly realizing that the way this thing handles user permissions is COMPLETELY WRONG!

In reading this article: My Cloud: Private Shares are Inaccessible (Access Denied) After Joining an Active Directory Domain

It basically describes that the smb configuration is as such that it explicitly denies access to ALL USERS AND GROUPS unless explicitly granted. This creates a HUGE security flaw in the methodology of how the samba configuration is generated.

Let's say Steve is a member of Group A, which is granted access to a folder called “Extremely Sensitive”.
Marnie is a member of Group B, which is granted access to a folder called “Not Sensitive”, and should NOT EVER have access to the “Extremely Sensitive” folder.

The way the samba configuration is generated, if Steve is a member of Groups A and B, you also MUST grant Group A access to the “Extremely Sensitive” folder, which would break my requirement of not granting Marnie access to the “Extremely Sensitive” folder.

This is UNACCEPTABLE!

This is a complete and utter defect in how permissions are handled in the My Cloud software; this needs to be addressed and should be fixed ASAP!

So…
As a workaround, I wrote a small shell script that runs every 30 seconds to correct the smb.conf file

Script:

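#!/bin/sh
if grep -q "invalid user" /etc/samba/smb.conf; then
    # Delete every generated "invalid users" line, then reload Samba
    sed -i '/invalid users/d' /etc/samba/smb.conf
    smb restart
    # Log when the file was corrected
    date >> /home/root/smbupdate.log
    echo "Removed SMB Users" >> /home/root/smbupdate.log
fi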

Crontab Entries:

* * * * * sleep 30; /home/root/cleansmbconf.sh
* * * * * /home/root/cleansmbconf.sh

Not really the way I would prefer, but it serves its purpose until WD fixes this

Hi.

Is that really how it works?

For “Sensitive”, you need to grant access to both Steve AND group A.
For “Not Sensitive” you need to grant access to Steve, Group A, Marnie AND group B.

Since Marnie is not “steve”, she would not have access to “Sensitive”
Since Marnie is NOT in Group A, she would not have access to “Sensitive”

From the article; it sounds like even if group B has access to “Sensitive”; you still need to EXPLICITLY grant access to Marnie?

Am I looking at this wrong? Or is the Samba file not working the way the article describes?

Hey NAS_user

The only way to grant access to a share is to give all the groups the user is a member of a minimum of read only access to that share.

If you look at the table below (from the document): all roads lead to deny access, unless you give all groups the user is a member of a minimum of read/only access to the data.

Now who is to say that all members of those groups would require access to that share data, and how exclusive do you need to get to grant users to a share before it becomes an administrative nightmare?

In further investigation after my original post here’s what happens:

When you make a share, every user and group is explicitly denied in the smb config file for each share under the ‘invalid users’ (not just ‘not granted’ access, but explicitly denied). As you grant users or groups access, they get moved to the “valid users”, “read users” and/or “write users” section of the share you are modifying in the config file.

Now (leveraging my above example), if Steve is in Groups A and B, not only do you have to grant Steve the access he needs, but you also need to grant the groups he is a member of a minimum of read only to get access to the share.

I guess if Marnie is not granted any access, even though her groups have access to the share she won’t be able to get to it, so my concern about access to a share that she shouldn’t have access to appears moot.

However, the administrative and nightmarish task of determining every group that a user is a member of to grant a minimum of read-only is a daunting task, especially if you are conforming to group based access roles for each folder (required by some standards). Not only that, but you also have to find all nested groups that the user could be a member of as well.

Again, as this is going in my homelab, not a big deal. But I’ve worked for organizations where user group memberships are in the dozens.

In the code, I found the section where it builds the SMB config file; it says that that part is there to support legacy environments. I am curious as to what legacy environment would require such an overarching deny-first, ask-questions-later type of access that would cause this much administrative overhead.

Even though it’s not QUITE as bad as I perceived at the time I wrote my original post, the concept of how these permissions are managed STILL needs to be overhauled.

I mean, even just the UI kinda ■■■■■, I can’t even see the first couple of characters of my domain group names because of how tiny the area is where I select my groups, I have to hover just to see it. Users are the same way. The reality is the whole SMB/Share experience needs to be overhauled.


Also, while I’m ranting. WHY IS THERE A SHARE I CAN’T DELETE?!?!

Thanks
/rant
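
Added example (not part of any post in this thread and not WD's code): a small Python model of the Samba rule described above, where an entry under "invalid users" overrides "valid users", used to list which entries still block a user once nested groups are followed. The share stanza, the lowercase names, the "@group" spelling and the nested group "staff" are constructed for illustration.

```python
import configparser

# Constructed sample in the shape the thread describes; not real device output.
SAMPLE_SMB_CONF = """
[Extremely Sensitive]
path = /shares/extremely_sensitive
valid users = steve, @group_a
invalid users = marnie, @group_b, @staff
"""

# Constructed directory data: direct memberships; group_a is nested in staff.
MEMBER_OF = {
    "steve": {"group_a", "group_b"},
    "marnie": {"group_b"},
    "group_a": {"staff"},
}


def effective_groups(principal, member_of):
    """Every group the principal belongs to, following nested groups."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def matches(user, groups, value):
    """Entries of an smb.conf user list naming the user or one of their groups."""
    hits = []
    for entry in value.lower().replace(",", " ").split():
        name = entry.lstrip("@+&")  # @, + and & prefixes mark a group entry
        is_group = entry != name
        if (is_group and name in groups) or (not is_group and name == user):
            hits.append(entry)
    return hits


def check_access(conf_text, share, user, member_of):
    """Return (allowed, blocking_entries); 'invalid users' beats 'valid users'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    groups = effective_groups(user, member_of)
    blocked = matches(user, groups, cp.get(share, "invalid users", fallback=""))
    valid = cp.get(share, "valid users", fallback="")
    allowed = not blocked and (not valid.strip() or bool(matches(user, groups, valid)))
    return allowed, blocked
```

For steve the second return value lists the group entries that still have to be moved out of "invalid users" before his own grant takes effect; for marnie her own name stays in that list even after her group is granted.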

hahahaha.

Look; I am a HUGE WD fanboy.

But even I freely admit that WD NAS software load is very 2015; not 2020.

More to the point. . . . . .these are definitely DEFINITELY consumer grade units; not enterprise class units. I suspect this may be fine if you have 1 to 5 users. If you have 40 users and 20 groups. . . .heh. . . I think you are definitely in “edge case” territory; and I suspect you will have other issues in using the device.

From my own experience; I have two users on my system. Generally only use one account; although I access from 4 or 5 different devices. Generally works fine - - - but I have tried to access from remote location (across the internet). . .it does work; but I would definitely consider it a bit flakey for that application -and I suspect security leaves something to be desired.

I suspect the WD Hardware is just fine for what you want to do. . . . but the software is limited in a number of ways. I wonder if there is other NAS software (i.e. FreeNAS or something like that) that can run on the box which is both more current and more suited to a heavy multiuser environment.

(Caveat: If you try other software; I am pretty sure this voids the warranty; and I would make sure you have a way to “go back” to the WD firmware.)

I have exactly the same kind of need.
The WD MyCloudEX2 Ultra is used as a network file server for the family.
I have a few folders that I want to keep reserved.
Everything works fine for the OS5 cloud App.

I need to do the same for direct access from the computers. This does not seem to be possible.
The table below tries to summarize the issues.