[Samba] Samba 4 AD share: Access denied

Davor Vusir davortvusir at gmail.com
Tue Aug 12 21:55:29 MDT 2014

2014-08-12 22:29 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 12/08/14 20:41, Davor Vusir wrote:
>> In my first setup, a combined (compiled) AD DC and file server I never
>> got it to work with "vfs objects = acl_xattr" in the global section. I
>> had two more shares and could not get the permissions to work until I
>> put "vfs objects = acl_xattr" in the share sections. The shares were
>> on LVM volumes mapped to directories later shared with Samba. My
>> conclusion is that "vfs objects = acl_xattr" in the global section on
>> an AD DC does not extend (or how to put it) beyond the netlogon and
>> sysvol shares. I have not tested this configuration on one (1) mounted
>> LVM volume where /usr/local and Sambashares reside.
> If you add "vfs objects = acl_xattr" to smb.conf on a Samba 4 AD DC, you are
> turning off the 'dfs_samba4' vfs module. If you run 'testparm
> --suppress-prompt --verbose', you will find 'vfs objects = dfs_samba4,
> acl_xattr'.
I'm aware of that.

But putting "vfs objects = acl_xattr", "vfs objects = dfs_samba4,
acl_xattr" or using the default setting from domain provisioning
didn't solve the ACL problem on the self-defined shares.

And there was a discussion on samba-technical about this using btrfs.
Ended in a bug report if I remember correctly.

>> I have now changed the setup to a dedicated virtual AD DC and a
>> physical file server because of poor network performance. After the
>> switch I experienced the same; proper permissions deny access... The
>> setup is still the same; mounted LVM volumes later shared with samba.
>> By removing "vfs objects = acl_xattr, map acl inherit = Yes and store
>> dos attributes = Yes" from the global section, as mentioned in
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs,
> You only add these lines to a member server, they are not required on the AD
> DC.
I'm aware of that. And the second paragraph describes a file server.

What I'm trying to say is that these settings do not work on a file
server with mounted LVM-volumes later shared with Samba. And I wonder
what map acl inherit = Yes and store dos attributes = Yes are doing in
the global section of smb.conf when they are marked as settings used
on a share. Nevertheless, it does not work on the file server with
mounted LVM-formatted with ext4 and later shared with Samba.

I'm also aware that it is not possible/doable to cover every use
case on a wikipage that exemplifies a configuration. You have to do
your homework.

In my case, the setting "vfs objects = acl_xattr" in the global
section does not 'spill over' on the share sections.



> Rowland
>> and instead putting "vfs objects = acl_xattr" in the share section
>> solves it. If you are using more vfs objects you may have to reorder
>> them. And I also noticed that removing Everyone from the Share tab
>> will neither let you edit nor remove ACE:s in the Security tab. So
>> first let Everyone be there, add Domain Admins, press Apply. Add
>> Domain Admins to the ACL, press Apply. Take ownership. After this
>> procedure you are able to edit ACE:s. This will not guarantee that
>> inheritance is correct. Again, "vfs objects = acl_xattr" in the global
>> section does not seem to extend beyond global section. And I'm not
>> sure why "map acl inherit = Yes and store dos attributes = Yes" are in
>> the global section (I'm using neither). Both belong to a share
>> section according to
>> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.
>> Hope it helps.
>> Regards
>> Davor
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
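
An added example, not part of the original message and not Samba code: a small Python check that reports, for each share in an smb.conf, whether acl_xattr is named in the share's own section (the placement the poster reports as working) or only in [global]. The sample configuration, share names and paths are constructed; the function names are hypothetical.

```python
import re

# Constructed sample smb.conf for a member file server (not from the thread).
SAMPLE_SMB_CONF = """\
[global]
    vfs objects = acl_xattr
[projects]
    path = /srv/lvm/projects
[archive]
    path = /srv/lvm/archive
    VFS Objects = acl_xattr
    ; vfs objects = recycle
[scans]
    vfs objects = recycle
"""

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continued lines
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def acl_xattr_report(text, module="acl_xattr"):
    sections = parse_smb_conf(text)
    split = lambda v: [m for m in re.split(r"[\s,]+", v) if m]
    in_global = module in split(sections.get("global", {}).get("vfsobjects", ""))
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        if "vfsobjects" in params:  # a share-level list replaces the global one
            mods = split(params["vfsobjects"])
            report[name] = "share" if module in mods else "overridden"
        else:
            report[name] = "global-only" if in_global else "absent"
    return report

if __name__ == "__main__":
    print(acl_xattr_report(SAMPLE_SMB_CONF))
```

Shares reported as "global-only" match the configuration described in the message as denying access; "overridden" marks a share whose own "vfs objects" list omits the module.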