[Samba] permission problem with vfs object recycle:directory_mode

Nicolas me at electronico.nc
Sat Jul 23 10:39:45 UTC 2016


On 23/07/2016 20:02, Rowland penny wrote:
> On 23/07/16 07:58, Nicolas wrote:
>> Well,
>>
>> Although I've recently answered about vfs object recycle on this 
>> list, it seems that it isn't working as expected.
>>
>> Using Samba 4.4.5, compiled from sources
>>
>> Here is the conf for a share:
>> [musique]
>>         path = /media/data/musique
>>         read only = No
>>         vfs objects = acl_xattr recycle
>>         recycle:directory_mode = 0770
>>         recycle:subdir_mode = 0700
>>         recycle:versions = Yes
>>         recycle:keeptree = Yes
>>         recycle:touch = Yes
>>         recycle:repository = .recycle
>>         full_audit:prefix = %U|%I|%S
>>         full_audit:success = connect disconnect mkdir rmdir open read write rename opendir unlink
>>         full_audit:failure = open write mkdir rmdir rename unlink
>>         full_audit:facility = local5
>>         full_audit:priority = NOTICE
>>
>>
>> recycle:directory_mode parameter is NEVER applied to the .recycle 
>> directory, default 0700 is ALWAYS applied (whatever value is set to 
>> recycle:directory_mode).
>>
>> Tested several times by :
>> modify smb.conf
>> killall samba
>> /usr/local/samba/sbin/samba
>>
>> Thanks in advance for help.
>>
>> Nicolas
>>
>> (It turns out that only the first user who deletes a file has access 
>> to .recycle, files deleted by other users are unlinked, manually 
>> setting 0770 perms on .recycle makes it work as expected)
>>
>>
>>
>
>
> OK, just tested this on a DC (which is what you must be using as you 
> are starting the 'samba' binary) and it works for me.
> The .recycle bin gets created with 'drwxrwx---' permissions and whilst 
> the owner/group is 'SAMDOM\rowland SAMDOM\domain users', because the 
> group permissions are 'rwx' any users should be able to use it.
>
> The only differences between my setup and the one you posted are, I 
> didn't use the 'full_audit' lines and I didn't use the totally 
> unneeded 'acl_xattr' option to 'vfs objects'. You only need this on a 
> domain member.
>
> Rowland
>
>
Thanks Rowland,
From tests, it is the
> totally unneeded 'acl_xattr' option to 'vfs objects'
that causes this problem.
(By the way, it is not a 700 permission that is applied but a 750)
Thanks again!
Nicolas
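
Added example, not part of the original thread and not Samba code: a small audit that compares the mode actually found on each share's recycle repository with the configured recycle:directory_mode, and notes whether acl_xattr is loaded on that share. The function names, the simplified smb.conf reader (no includes, no % substitutions in the repository name) and the temporary-directory share in demo() are assumptions made for illustration.

```python
import os
import stat
import tempfile

def parse_shares(text):
    """Minimal smb.conf reader: {share: {option: value}}; no include/macros."""
    shares, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()
    return shares

def audit_recycle(text):
    """List shares whose recycle repository mode differs from the configured one."""
    findings = []
    for share, opts in parse_shares(text).items():
        modules = opts.get("vfs objects", "").split()
        repo = opts.get("recycle:repository", ".recycle")
        if "recycle" not in modules or "path" not in opts or "%" in repo:
            continue
        want = int(opts.get("recycle:directory_mode", "0700"), 8)
        full = os.path.join(opts["path"], repo)
        if not os.path.isdir(full):
            continue  # repository is only created on the first delete
        have = stat.S_IMODE(os.stat(full).st_mode)
        if have != want:
            findings.append((share, "%04o" % want, "%04o" % have, "acl_xattr" in modules))
    return findings

def demo():
    """Constructed share in a temp dir reproducing the 0750-instead-of-0770 case."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".recycle"))
        os.chmod(os.path.join(root, ".recycle"), 0o750)
        conf = ("[musique]\n"
                f"    path = {root}\n"
                "    vfs objects = acl_xattr recycle\n"
                "    recycle:directory_mode = 0770\n"
                "    recycle:repository = .recycle\n")
        before = audit_recycle(conf)
        os.chmod(os.path.join(root, ".recycle"), 0o770)
        return before, audit_recycle(conf)

if __name__ == "__main__":
    print(demo())
```

Each finding is (share, configured mode, actual mode, acl_xattr loaded); on a real server, pass the contents of smb.conf to audit_recycle() after the first file has been deleted on the share.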




