[Samba] File share permissions act different on member server than on DC

Keith McCormick kdmxp512 at gmail.com
Tue Oct 15 19:14:39 MDT 2013

On 10/15/2013 10:46 AM, Marc Muehlfeld wrote:
> Hello Keith,
> Am 15.10.2013 03:29, schrieb Keith McCormick:
>> To enable my member server's ACLs to work just like the DC, as far as
>> Windows is concerned, I needed to add the following parameters to the
>> global section of smb.conf file on the member server:
>>          vfs objects = acl_xattr
>>          map acl inherit = yes
>>          store dos attributes = Yes
>> These parameters are apparently added in the background by default for
>> the smbd processes that are spawned by samba. Until I added those items,
>> just like you I could never get the ACLs to stick and work correctly.
>> Many of them were incorrectly labeled, also, even though the number was
>> correct and the same as on the DC.
> I tried your suggestion and it works like on the DC (without the VFS 
> module).
> But I'm not sure, if this is like Samba should act. I would expect 
> that filesystem ACLs are handled in the same way on a DC and on member 
> servers.
> Regards,
> Marc


I found those options by looking at the original way that samba4 starts 
its internal smbd process.  Those options were part of the configuration 
file that samba4 generated to give to smbd as it starts.  Now I believe 
they are added as standard options for smbd when started by samba, 
rather than in a temporarily generated configuration file.  That vfs 
module is still loaded by the DC's smbd process, its just not readily 
apparent by looking at the DC's smb.conf file.  Looking at commit 
's3-param: Handle setting default AD DC per-share settings... 
shows that the vfs object is loaded by default by smbd after parsing the 
gobal section of smb.conf when started by samba4.


More information about the samba mailing list