[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
Oleg Cherkasov
o1e9.cherkasov at yandex.com
Mon Aug 6 13:15:15 UTC 2018
Hi,

This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7
installations started to ignore ACL settings and reject user access to
shares. All three servers are members of a DC running on Windows Server
2008R2. Everything has been running ok for the last few years. I have been
upgrading Samba and FreeBSD installations and last Friday upgraded to
the latest packages from samba47-4.7.6 to samba47-4.7.7 and after
restarting the services everything worked as expected.

Samba shares are on a ZFS volume with ACL settings set to passthrough and
inherited. If I open Properties->Security then I do not see any of the ACL
settings, but rather Everyone, root and Administrators set to special
permissions. ZFS ACLs on files/dirs are just fine according to
getfacl. wbinfo -u and -g, getent passwd return users and groups as
expected. Listing with getfacl shows actual/resolved names. I may
modify ACLs with setfacl of course.

Still, if I open shares from Windows 7/10 hosts it shows the share and gives
me access as an admin; however, all other users do not have access to those
shares.

I have tried to remove ACLs with setfacl for some shares and set ACLs
from Windows 7/10 Properties from scratch; however, the problem
remains. If I try to modify Security settings I receive an error message
"The parameter is incorrect" for all files I try to update.

One of the shares is running as a virtual server, so I made a snapshot and
tried to clean up /var/db/samba4/ so as to start from scratch; however, it
did not help. It still refuses to update ACL/Security from Windows 7/10
and whatever getfacl shows on the server, the client sees shares and
Everybody, Administrators (local on server) and root.

Here is an example of smb4.conf from one of the servers. It is
explicitly set to master (the others are set to master=no). That
configuration worked just fine for the last 2 years or so with Samba 4.6.*
and recently the 4.7.6 version, and worked just fine on 4.7.7 after the upgrade.

[global]
security = ADS
workgroup = DOMAIN.LO
realm = DOMAIN.LO
password server = 10.54.148.9
os level = 66
preferred master = yes
bind interfaces only = yes
interfaces = 10.54.148.51
log file = /var/log/samba4/%m.log
log level = 5
veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
delete veto files = yes
idmap config * : backend = tdb
idmap config * : range = 3000-79999
idmap config DOMAIN-LO : backend = rid
idmap config DOMAIN-LO : range = 80000-3000000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 64800
winbind max domain connections = 1
winbind normalize names = no
winbind offline logon = true
use sendfile = no
use mmap = yes
aio read size = 2048
aio write size = 2048
min receivefile size = 2048
write cache size = 2048
socket options = TCP_NODELAY IPTOS_LOWDELAY
large readwrite = yes
strict locking = no
strict sync = no
getwd cache = yes
read raw = yes
write raw = yes
unix extensions = no
map acl inherit = yes
nt acl support = yes
store dos attributes = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map archive = no
map readonly = no
vfs objects = zfsacl streams_xattr
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = no
browseable = yes
guest ok = no
writable = yes
create mask = 0775
directory mask = 0775
csc policy = disable
access based share enum = yes
hide unreadable = yes
vfs objects = full_audit
full_audit:prefix = %u|%m|%S
full_audit:success = mkdir rmdir write pwrite rename unlink
full_audit:failure = mkdir rmdir write pwrite rename unlink
full_audit:facility = local5
full_audit:priority = info
[ShareA]
path = /data/sharea
admin users = @"DOMAIN-LO\LocalAdmins"
valid users = @"DOMAIN-LO\Domain Users"
[ShareB]
path = /data/shareb
admin users = @"DOMAIN-LO\LocalAdmins"
valid users = @"DOMAIN-LO\Domain Users"

Has anyone had similar issues?
It seems the problem is not with the Samba 4.7.7 upgrade because one of the
test virtual hosts with almost identical configuration still works just
fine. Three other Samba hosts lost ACL settings ...

Thanks!
Oleg
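
Added example (not part of the original post and not Samba's own code): smb.conf keeps only the last assignment when a parameter is repeated within a section, and the quoted [global] section sets "vfs objects" twice. This sketch parses a constructed excerpt of that configuration and reports which values are dropped and which VFS modules a share ends up with. The function names are hypothetical, backslash line continuations are not handled, and the post does not establish whether this is related to the behaviour it reports.

```python
import re

# Constructed excerpt of the smb4.conf quoted in the post (same lines, shortened).
SAMPLE_CONF = """\
[global]
vfs objects = zfsacl streams_xattr
nfs4:mode = special
vfs objects = full_audit
full_audit:prefix = %u|%m|%S
[ShareA]
path = /data/sharea
"""

def norm(name):
    """smb.conf section/parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {param: [(lineno, value), ...]}}, keeping every assignment."""
    conf, section = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf.setdefault(section, {}).setdefault(norm(key), []).append((no, value.strip()))
    return conf

def overridden(conf):
    """(section, param, dropped_values, effective_value) for each repeated parameter."""
    return [(sec, key, [v for _, v in hits[:-1]], hits[-1][1])
            for sec, params in conf.items()
            for key, hits in params.items() if len(hits) > 1]

def effective_vfs(conf, share):
    """Modules a share gets: its own 'vfs objects' if set, else [global]'s last one."""
    for sec in (norm(share), "global"):
        hits = conf.get(sec, {}).get("vfsobjects")
        if hits:
            return hits[-1][1].split()
    return []

if __name__ == "__main__":
    c = parse(SAMPLE_CONF)
    print(overridden(c), effective_vfs(c, "ShareA"))
```

Running "testparm -s" on the server prints the configuration as Samba itself parsed it, which is the authoritative check of the same thing.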