Add support of insecure wide links

group_vars/all/main.yml

@@ -1621,6 +1621,10 @@ samba_netbios_name: {}
 #
 samba_server_min_protocol: {}
 
+# samba_allow_insecure_wide_links
+#
+samba_allow_insecure_wide_links: !!str no
+
 samba_groups: []
 
 # samba_user:

group_vars/flr.yml

@@ -468,6 +468,8 @@ samba_server_cidr_prefix: 24
 samba_workgroup: FLR
 samba_netbios_name: FILE-FLR
 
+#samba_allow_insecure_wide_links: !!str yes
+
 samba_shares:
   - name: Team
     path: /data/samba/Team
@@ -556,6 +558,7 @@ samba_shares:
     group_write_list: team
     file_create_mask: '0660'
     dir_create_mask: '2770'
+    #wide_links: !!str yes
     vfs_object_recycle: true
     recycle_path: '@Recycle.Bin'
 

roles/common/templates/etc/samba/smb.conf.j2

@@ -269,6 +269,30 @@
 # public shares, not just authenticated ones
    usershare allow guests = yes
 
+# In normal operation the option wide links which allows the server to follow
+# symlinks outside of a share path is automatically disabled when unix extensions
+# are enabled on a Samba server. This is done for security purposes to prevent
+# UNIX clients creating symlinks to areas of the server file system that the
+# administrator does not wish to export.
+#
+# Setting allow insecure wide links to true disables the link between these two
+# parameters, removing this protection and allowing a site to configure the server
+# to follow symlinks (by setting wide links to "true") even when unix extensions is
+# turned on.
+#
+# It is not recommended to enable this option unless you fully understand the
+# implications of allowing the server to follow symbolic links created by UNIX clients.
+# For most normal Samba configurations this would be considered a security hole and
+# setting this parameter is not recommended.
+#
+# This option was added at the request of sites who had deliberately set Samba up
+# in this way and needed to continue supporting this functionality without having to
+# patch the Samba code.
+#
+#    Default: allow insecure wide links = no
+#
+    allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
+
 #======================= Share Definitions =======================
 
 # {{ ansible_managed }}
@@ -368,6 +392,26 @@
 
    force group = +{{ item.group_write_list }}
 {%    endif %}
+{%-  if item.wide_links is defined and item.wide_links|length > 0 %}
+   # This parameter controls whether or not links in the UNIX file system may be
+   # followed by the server. Links that point to areas within the directory tree
+   # exported by the server are always allowed; this parameter controls access only to
+   # areas that are outside the directory tree being exported.
+   #
+   # Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
+   # clients to create symbolic links on the share that can point to files or
+   # directories outside restricted path exported by the share definition. This can
+   # cause access to areas outside of the share. Due to this problem, this paramete
+   # will be automatically disabled (with a message in the log file) if the unix
+   # extensions option is on.
+   #
+   # See the parameter allow insecure wide links if you wish to change this coupling
+   # between the two parameters.
+   #
+   # Default: wide links = no
+   #
+   wide links = yes
+{%    endif %}
 {%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {%      if item.recycle_path is defined and item.recycle_path|length > 0  %}