[Samba] ACLs woes after upgrade from 3.6 to 4.9.5
Rowland Penny
rpenny at samba.org
Fri Feb 26 15:10:47 UTC 2021
On 26/02/2021 14:27, Emmanuel Florac via samba wrote:
> Hi all,
>
> I've upgraded a Debian server that was still running 3.6.20 to the
> current Debian stable with samba 4.9.5. The smb.conf file hasn't been
> changed and has many weird entries, but the big problem is that ACLs
> behaviour completely changed.
>
> Typically, when copying/moving files, they get entirely different
> rights than the source. On-disk ACLs haven't been changed, so I suppose
> that's the Samba default that have. I don't want to try randomly
> enabling / disabling posix acls / inherit acls settings...
>
>
> Here's the smb.conf:
>
> [global]
> block size = 4096
> directory mask = 0775
> disable spoolss = yes
> dns proxy = no
> domain master = no
> encrypt passwords = true
> guest account = nobody
> idmap gid = 10000-20000
> idmap uid = 10000-20000
> invalid users = root
> load printers = no
> local master = no
> max log size = 1000
> name resolve order = wins lmhosts host bcast
> nt acl support = yes
> obey pam restrictions = yes
> os level = 20
> panic action = /usr/share/samba/panic-action %d
> passdb backend = tdbsam
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> passwd program = /usr/bin/passwd %u
> preferred master = no
> preserve case = yes
> printcap name = /dev/null
> printing = bsd
> security = user
> server string = %h server (Samba %v)
> short preserve case = yes
> syslog = 0;
> syslog only = no
> template shell = /bin/false
> unix password sync = yes
> winbind cache time = 10
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> wins server = 127.0.0.1
> wins support = no
> workgroup = WORKGROUP
> usershare max shares = 0
>
> [Masters]
> writeable = yes
> path = /mnt/raid/Masters

OK, how do you think you are running Samba?
As a standalone server or as a Unix domain member?

Your smb.conf seems to be a mixture of the two:

'security = user' == standalone server

idmap gid = 10000-20000
idmap uid = 10000-20000
winbind cache time = 10
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
wins server = 127.0.0.1

The above lines would only be used on a Unix domain member (an NT4-style
domain member), but the last line is curious.

Rowland