[Samba] ACLs woes after upgrade from 3.6 to 4.9.5

Rowland penny rpenny at samba.org
Fri Feb 26 15:10:47 UTC 2021


On 26/02/2021 14:27, Emmanuel Florac via samba wrote:
> Hi all,
>
> I've upgraded a Debian server that was still running 3.6.20 to the
> current Debian stable with samba 4.9.5. The smb.conf file hasn't been
> changed and has many weird entries, but the big problem is that ACLs
> behaviour completely changed.
>
> Typically, when copying/moving files, they get entirely different
> rights than the source. On-disk ACLs haven't been changed, so I suppose
> that's the Samba default that have. I don't want to try randomly
> enabling / disabling posix acls / inherit acls settings...
>
>
> Here's the smb.conf:
>
> [global]
>          block size = 4096
>          directory mask = 0775
>          disable spoolss = yes
>          dns proxy = no
>          domain master = no
>          encrypt passwords = true
>          guest account = nobody
>          idmap gid = 10000-20000
>          idmap uid = 10000-20000
>          invalid users = root
>          load printers = no
>          local master = no
>          max log size = 1000
>          name resolve order = wins lmhosts host bcast
>          nt acl support = yes
>          obey pam restrictions = yes
>          os level = 20
>          panic action = /usr/share/samba/panic-action %d
>          passdb backend = tdbsam
>          passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>          passwd program = /usr/bin/passwd %u
>          preferred master = no
>          preserve case = yes
>          printcap name = /dev/null
>          printing = bsd
>          security = user
>          server string = %h server (Samba %v)
>          short preserve case = yes
>          syslog = 0;
>          syslog only = no
>          template shell = /bin/false
>          unix password sync = yes
>          winbind cache time = 10
>          winbind enum groups = yes
>          winbind enum users = yes
>          winbind separator = +
>          wins server = 127.0.0.1
>          wins support = no
>          workgroup = WORKGROUP
>          usershare max shares = 0
>
> [Masters]
>          writeable = yes
>          path = /mnt/raid/Masters


OK, how do you think you are running Samba?

As a standalone server or as a Unix domain member?

Your smb.conf seems to be a mixture of the two:

'security = user' == standalone server

         idmap gid = 10000-20000
         idmap uid = 10000-20000
         winbind cache time = 10
         winbind enum groups = yes
         winbind enum users = yes
         winbind separator = +
         wins server = 127.0.0.1

The above lines would only be used on a Unix domain member (an NT4-style 
domain member), but the last line is curious.

Rowland
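
The check described in the reply above, as an added example that is not part of the original message or of Samba itself: it reads the `[global]` section of an smb.conf and reports the idmap/winbind parameters the reply names when they appear alongside `security = user`. The function names and the sample text are assumptions made for illustration; `wins server` is left out because the reply singles it out separately.

```python
# Parameters the reply lists as only used on a domain member.
DOMAIN_MEMBER_ONLY = ("idmap gid", "idmap uid", "winbind cache time",
                      "winbind enum groups", "winbind enum users",
                      "winbind separator")

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.lower().split())

def parse_global(text):
    """Return {normalised name: (line number, value)} for [global]."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)     # values may contain '='
            params[norm(name)] = (lineno, value.strip())
    return params

def mixed_role_findings(text):
    """List (line, parameter, value) for domain-member settings found
    alongside 'security = user', the standalone-server marker."""
    params = parse_global(text)
    if params.get("security", (0, ""))[1].lower() != "user":
        return []
    hits = [(params[norm(p)][0], p, params[norm(p)][1])
            for p in DOMAIN_MEMBER_ONLY if norm(p) in params]
    return sorted(hits)

# Constructed sample: a trimmed subset of the configuration quoted above.
SAMPLE = """\
[global]
    security = user
    passdb backend = tdbsam
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    Winbind Separator = +
    wins server = 127.0.0.1
"""

if __name__ == "__main__":
    for lineno, name, value in mixed_role_findings(SAMPLE):
        print(f"line {lineno}: '{name} = {value}' is a domain-member setting")
```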



