Add support of insecure wide links

group_vars/all/main.yml

@@ -2941,6 +2941,10 @@ samba_netbios_name:
 #
 samba_server_min_protocol: []
 
+# samba_allow_insecure_wide_links
+#
+samba_allow_insecure_wide_links: !!str no
+
 samba_groups: []
 
 # samba_user:

host_vars/zapata.opp.netz.yml

@@ -203,6 +203,8 @@ samba_netbios_name: ZAPATA
 
 samba_server_min_protocol: !!str NT1
 
+samba_allow_insecure_wide_links: !!str yes
+
 samba_groups:
   - name: buero
     group_id: 1100
@@ -412,6 +414,7 @@ samba_shares:
     group_write_list: buero
     file_create_mask: !!str 660
     dir_create_mask: !!str 2770
+    wide_links: !!str yes
     vfs_object_recycle: true
     recycle_path: '@Recycle'
 

roles/common/templates/etc/samba/smb.conf.j2

@@ -269,6 +269,30 @@
 # public shares, not just authenticated ones
    usershare allow guests = yes
 
+# In normal operation the option wide links which allows the server to follow
+# symlinks outside of a share path is automatically disabled when unix extensions
+# are enabled on a Samba server. This is done for security purposes to prevent
+# UNIX clients creating symlinks to areas of the server file system that the
+# administrator does not wish to export.
+#
+# Setting allow insecure wide links to true disables the link between these two
+# parameters, removing this protection and allowing a site to configure the server
+# to follow symlinks (by setting wide links to "true") even when unix extensions is
+# turned on.
+#
+# It is not recommended to enable this option unless you fully understand the
+# implications of allowing the server to follow symbolic links created by UNIX clients.
+# For most normal Samba configurations this would be considered a security hole and
+# setting this parameter is not recommended.
+#
+# This option was added at the request of sites who had deliberately set Samba up
+# in this way and needed to continue supporting this functionality without having to
+# patch the Samba code.
+#
+#    Default: allow insecure wide links = no
+#
+    allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
+
 #======================= Share Definitions =======================
 
 # {{ ansible_managed }}
@@ -368,6 +392,26 @@
 
    force group = +{{ item.group_write_list }}
 {%    endif %}
+{%-  if item.wide_links is defined and item.wide_links|length > 0 %}
+   # This parameter controls whether or not links in the UNIX file system may be
+   # followed by the server. Links that point to areas within the directory tree
+   # exported by the server are always allowed; this parameter controls access only to
+   # areas that are outside the directory tree being exported.
+   #
+   # Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
+   # clients to create symbolic links on the share that can point to files or
+   # directories outside restricted path exported by the share definition. This can
+   # cause access to areas outside of the share. Due to this problem, this paramete
+   # will be automatically disabled (with a message in the log file) if the unix
+   # extensions option is on.
+   #
+   # See the parameter allow insecure wide links if you wish to change this coupling
+   # between the two parameters.
+   #
+   # Default: wide links = no
+   #
+   wide links = yes
+{%    endif %}
 {%   if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
 {%      if item.recycle_path is defined and item.recycle_path|length > 0  %}