[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL

Dante Colo dante.colo at stwbrasil.com
Wed Aug 8 20:30:53 UTC 2018 

If you add to vfs module to a share you also have to explicit add acl_xattr , that's what i do when i want to add another module and keep acl_xattr on the same share, if i'm not doing right way  someone correct me .



----- Original Message -----
From: "samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Cc: "Oleg Cherkasov" <o1e9.cherkasov at yandex.com>
Sent: Wednesday, August 8, 2018 1:45:23 PM
Subject: Re: [Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL

On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:
> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote:
>>
>> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7 
>> installations started to ignore ACL settings and reject user access to 
>> shares.  All three servers are members of DC running on Windows Server 
>> 2008R2.  Everything has been running ok for last few year.  I have 
>> been upgrading Samba and FreeBSD installations and on last Friday 
>> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7 
>> and after restarting the services everything worked as expected.
>>

Have found the issue, it is audit or full_audit vfs.  It seems if I 
remove 'vfs objects = full_audit' or 'vfs objects = audit' everything 
works as expected.

So the next question security and vfs_full_audit have some issue :(

>> [global]
>>         security = ADS
>>         workgroup = DOMAIN.LO
>>         realm = DOMAIN.LO
>>         password server = 10.54.148.9
>>
...
>>
>>         vfs objects = full_audit
>>         full_audit:prefix = %u|%m|%S
>>         full_audit:success = mkdir rmdir write pwrite rename unlink
>>         full_audit:failure = mkdir rmdir write pwrite rename unlink
>>         full_audit:facility = local5
>>         full_audit:priority = info

Does full_audit/audit works with ADS?

With 'vfs objects = full_audit' shares report root, wheels and Everyone 
in Security Permissions rather actual ACL.  Disabling full_audit 
immediately shows actual ACLs and I may update it as well.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list