[Samba] File share permissions act different on member server than on DC

Keith McCormick kdmxp512 at gmail.com
Mon Oct 14 19:29:00 MDT 2013


Hi,

To enable my member server's ACLs to work just like the DC, as far as
Windows is concerned, I needed to add the following parameters to the
global section of the smb.conf file on the member server:

         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = Yes

These parameters are apparently added in the background by default for 
the smbd processes that are spawned by samba. Until I added those items, 
just like you I could never get the ACLs to stick and work correctly. 
Many of them were incorrectly labeled, also, even though the number was 
correct and the same as on the DC.

Something to note: I believe the vfs object parameter does require that 
xattrs work on the file system that you use.

Cheers,
KeithM

On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
 > Hello,
 >
 > a while ago I wrote the
 > http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
 >
 > When I wrote the HowTo, I set up and configured the share on a DC, which
 > still works as described. Today I tried for the first time to do exactly
 > the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.
 >
 > The share in smb.conf:
 > [demo]
 >     path = /srv/samba/Demo
 >     read only = no
 >
 > The folder in the filesystem (XFS):
 > drwxr-xr-x   2 root root        6 13. Okt 22:16 /srv/samba/Demo
 >
 > I connect to the share as Domain Admin, right-click on it and go to the
 > "security" tab. Here I see now "everyone" and two "root" entries.
 > - I click the "edit" button and remove the two "root" entries. When I
 > click "apply", everything is reset (the two entries went back).
 > - If I grant "modify" to "everyone" - where all "allow" entries are
 > empty per default and click "apply", then all boxes are checked
 > automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP"
 > appear. And these two can't be removed as well any more.
 >
 >
 > If I do exactly the same on a DC, then already the security tab shows on
 > the first time I open it very different settings. The wiki screenshot
 > shows them:
 > http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png. But
 > the folder on Linux side is also just 755 (and without any extended ACLs
 > when I begin). Also whatever I change (like remove "root" from the ACLs)
 > everything is done like expected and saved.
 >
 >
 > The member server is also self compiled. I installed all packages on my
 > RHEL6 that I have installed on the DC too.
 >
 >
 > Any idea what could be different on a 4.x member than on a DC? Or did I
 > find a bug?
 >
 >
 > Regards
 > Marc
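
An added example, not part of the original thread: a small check that the three parameters named in the reply are present in the [global] section of a member server's smb.conf. The function names and the sample configuration are constructed for illustration; only [global] is inspected, as in the reply, so a per-share setting is reported as not set.

```python
import re

TRUE = {"yes", "true", "1"}
# Settings from the post and the value tokens that satisfy each one.
REQUIRED = {"vfs objects": {"acl_xattr"}, "map acl inherit": TRUE,
            "store dos attributes": TRUE}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = norm(header.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Return the REQUIRED settings that [global] lacks or sets otherwise."""
    have, missing = parse_global(text), []
    for name, accepted in REQUIRED.items():
        value = have.get(norm(name), "")
        # "vfs objects" is a list, so acl_xattr may sit beside other modules.
        if not accepted & set(re.split(r"[\s,;]+", value.lower())):
            missing.append(name)
    return missing

# Constructed sample: acl_xattr is set on the share only, not in [global].
SAMPLE = """
[global]
    Store DOS Attributes = Yes
[demo]
    path = /srv/samba/Demo
    vfs objects = acl_xattr
"""

if __name__ == "__main__":
    print("not set in [global]:", audit(SAMPLE))
```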

