[Samba] SaMBa 4.16.4 adds users to ACLs as groups

Tamás Németh nt1277 at gmail.com
Wed Jun 7 16:44:05 UTC 2023

Dear All,

Thank you for your help (especially Rowland Penny), I finally managed to
migrate our ancient ext3 based, ISO-8859-2 encoded SaMBa 3.2.5 with locally
stored UIDs and GIDs to a UTF-8 encoded ext4 based server running SaMBa
4.16.4 with RID UID/GID backend.

However, two weeks after the migration I observed something horrible:
Windows Word (or MS Office in general) somehow manages to chown every saved
file to the acting user, putting the original owner into a POSIX ACL. It
means that slowly every user ever editing that document will accumulate
in its POSIX ACL. Not only MS Office, but the gvfsd-fuse backend of KDE
does something similarly horrible: it also manages to chown a file to which it
has write access only via the "other (users)" POSIX bits, but instead of adding
users to the POSIX ACL, it removes the access from the "other (users)" bits.

OK, let's assume it's not a bug, but a feature. But if so, what is the
recommended solution to prevent SaMBa from letting programs - intended only
to write the content of files - change permissions in addition? Should I
really simply disable "nt acl support"?

But even when considering this a feature, the newer SaMBa (4.16.4) does
something I can only consider a bug: it needlessly adds the owning
group to the POSIX ACL upon saving by MS Word, and additionally it adds
users (except the acting user) to the POSIX ACL as GROUPS!!! It means there
are NONEXISTENT groups added to the POSIX ACL which have the same GIDs as
the UIDs of the users in the ACL:

# file: file.docx
# owner: user_1
# group: domain\040users
group:domain\040users:rw-  # This is unnecessary, since it equals the owning group. SaMBa 3.2.5 doesn't add this.
group:user_2:rw-           # This is not only unnecessary, but also nonexistent. This is a UID, not a GID!

I also observed that UIDs are erroneously added as groups to the POSIX ACL
by SaMBa 4.16.4 when manually adding users to the NT ACL with File Explorer
(by editing permissions), not only by saving with MS Word. I assume this
means that Word only wants to add UIDs to the ACL, but because of some bug,
SaMBa 4.16.4 duplicates every UID as a GID (except the acting user's) when
adding it to a POSIX ACL. Do you consider it a bug, and if so, is it
already known, or unknown? Is there any fix or workaround?

Thank you for your answer,
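
An added audit script (not from the post or from the Samba project) that parses getfacl output and flags the two symptoms described above: a named group entry that merely duplicates the owning group, and a named group entry whose name is not a known group but is a known user. The sample ACL and the KNOWN_USERS/KNOWN_GROUPS sets are constructed for this example; on a real server they would come from a getfacl run and from the pwd/grp databases.

```python
import re

# Constructed getfacl-style output reproducing the anomaly described in the post
SAMPLE_ACL = """\
# file: file.docx
# owner: user_1
# group: domain\\040users
user::rw-
user:user_3:rw-
group::rw-
group:domain\\040users:rw-
group:user_2:rw-
mask::rw-
other::r--
"""

# Constructed name databases: what the server actually knows as users / groups
KNOWN_USERS = {"user_1", "user_2", "user_3"}
KNOWN_GROUPS = {"domain users"}

def unescape(name: str) -> str:
    """getfacl escapes spaces and non-printables as \\NNN octal; undo that."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text: str):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            group = unescape(line.split(":", 1)[1].strip())
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries.append((tag, unescape(qual), perms))
    return owner, group, entries

def find_anomalies(text, users=KNOWN_USERS, groups=KNOWN_GROUPS):
    """Flag named group entries that duplicate the owning group or name a user."""
    _, owning_group, entries = parse_getfacl(text)
    findings = []
    for tag, qual, _ in entries:
        if tag != "group" or not qual:      # skip user/mask/other and group::
            continue
        if qual == owning_group:
            findings.append(("redundant-owning-group", qual))
        elif qual not in groups and qual in users:
            findings.append(("user-stored-as-group", qual))
    return findings
```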

