[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
Dante Colo
dante.colo at stwbrasil.com
Wed Aug 8 20:30:53 UTC 2018
If you add a vfs module to a share you also have to explicitly add acl_xattr; that's what I do when I want to add another module and keep acl_xattr on the same share. If I'm not doing it the right way, someone correct me.
----- Original Message -----
From: "samba" <samba at lists.samba.org>
To: "samba" <samba at lists.samba.org>
Cc: "Oleg Cherkasov" <o1e9.cherkasov at yandex.com>
Sent: Wednesday, August 8, 2018 1:45:23 PM
Subject: Re: [Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:
> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote:
>>
>> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7
>> installations started to ignore ACL settings and reject user access to
>> shares. All three servers are members of DC running on Windows Server
>> 2008R2. Everything has been running ok for the last few years. I have
>> been upgrading Samba and FreeBSD installations and last Friday
>> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7
>> and after restarting the services everything worked as expected.
>>
Have found the issue, it is audit or full_audit vfs. It seems if I
remove 'vfs objects = full_audit' or 'vfs objects = audit' everything
works as expected.
So the next question: security and vfs_full_audit have some issue :(
>> [global]
>> security = ADS
>> workgroup = DOMAIN.LO
>> realm = DOMAIN.LO
>> password server = 10.54.148.9
>>
...
>>
>> vfs objects = full_audit
>> full_audit:prefix = %u|%m|%S
>> full_audit:success = mkdir rmdir write pwrite rename unlink
>> full_audit:failure = mkdir rmdir write pwrite rename unlink
>> full_audit:facility = local5
>> full_audit:priority = info
Does full_audit/audit work with ADS?
With 'vfs objects = full_audit' shares report root, wheels and Everyone
in Security Permissions rather than the actual ACL. Disabling full_audit
immediately shows actual ACLs and I may update it as well.
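
The advice at the top of this message relies on smb.conf scoping: a `vfs objects` line inside a share replaces the list inherited from `[global]`, it does not extend it. The Python check below is an added example, not part of the original thread; the sample configuration, share names and paths are constructed, and `parse_sections` and `shares_missing_module` are hypothetical helper names. It reports every share whose effective module list lacks `acl_xattr`.

```python
import re

# Constructed sample configuration, not the poster's smb.conf.
SAMPLE_CONF = """\
[global]
    vfs objects = acl_xattr
[projects]
    path = /data/projects
    vfs objects = full_audit
    full_audit:prefix = %u|%m|%S
[archive]
    path = /data/archive
    VFS Objects = acl_xattr, full_audit
[scratch]
    path = /data/scratch
"""

def parse_sections(text):
    """Return {section: {param: value}}; names are compared case- and space-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def shares_missing_module(text, required="acl_xattr"):
    """Map each share whose effective vfs objects list lacks `required` to that list."""
    sections = parse_sections(text)
    inherited = sections.get("global", {}).get("vfsobjects", "")
    missing = {}
    for name, params in sections.items():
        if name == "global":
            continue
        # A share's own value replaces the [global] one; the two lists are not merged.
        effective = params.get("vfsobjects", inherited)
        modules = [m for m in re.split(r"[,\s]+", effective) if m]
        if required not in modules:
            missing[name] = modules
    return missing

if __name__ == "__main__":
    for share, modules in shares_missing_module(SAMPLE_CONF).items():
        print(f"[{share}] vfs objects = {' '.join(modules) or '(none)'}: acl_xattr not loaded")
```

The parser does not follow `include` lines or backslash line continuations, so a configuration that uses them needs to be flattened first.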