[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL

Oleg Cherkasov o1e9.cherkasov at yandex.com
Mon Aug 6 13:15:15 UTC 2018 

Hi,

This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7 
installations started to ignore ACL settings and reject user access to 
shares.  All three servers are members of DC running on Windows Server 
2008R2.  Everything has been running ok for last few year.  I have been 
upgrading Samba and FreeBSD installations and on last Friday upgraded to 
the latest packages from samba47-4.7.6 to samba47-4.7.7 and after 
restarting the services everything worked as expected.

Samba shares are on ZFS volume with ACL settings set to passthrough and 
inherited.  If I open Properties->Security then I do not see any of ACL 
settings rather Everyone, root and Administrators set to special 
permissions.  ZFS ACLs on files/dirs are just fine according to 
getfacl.  wbinfo -u and -g, getent passwd returns users and groups as 
expected.  Listing with getfacl shows actual/resolved names.  I may 
modify ACL with setfacl of course.

Still If I open shares from Windows7/10 hosts it shows share, give me 
access as an admin however all other users do not have access to those 
shares.

I have tried to remove ACLs with setfacl for some shares and set ACL 
from Windows7/10 Properties from the scratch however the problem 
remains.  If I try to modify Security settings I receive a error message 
"The parameter is incorrect" for all files I try to update on.

One of the shares running as virtual server so I did made a snapshot and 
tried to clean up /var/db/samba4/ so to start from scratch however it 
did not help.  It still rejects to update ACL/Security from Windows7/10 
and whatever getfacl shows on server the client sees shares and 
Eveybody, Administators (local on server) and root.

Here is an example of smb4.conf from one of the servers.  It is 
explicitly set to master (the others are set to master=no).  That 
configuration worked just fine for last 2 years or so with Samba 4.6.* 
and recently 4.7.6 version and worked just fine on 4.7.7 after upgrade.

[global]
        security = ADS
        workgroup = DOMAIN.LO
        realm = DOMAIN.LO
        password server = 10.54.148.9

        os level = 66
        preferred master = yes

        bind interfaces only = yes
        interfaces = 10.54.148.51

        log file = /var/log/samba4/%m.log
        log level = 5

        veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
        delete veto files = yes

        idmap config * : backend = tdb
        idmap config * : range = 3000-79999
        idmap config DOMAIN-LO : backend = rid
        idmap config DOMAIN-LO : range = 80000-3000000

        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 64800
        winbind max domain connections = 1
        winbind normalize names = no
        winbind offline logon = true

        use sendfile = no
        use mmap = yes
        aio read size = 2048
        aio write size = 2048
        min receivefile size = 2048
        write cache size = 2048
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        large readwrite = yes
        strict locking = no
        strict sync = no
        getwd cache = yes
        read raw = yes
        write raw = yes
        unix extensions = no

        map acl inherit = yes
        nt acl support = yes
        store dos attributes = yes
        inherit acls = yes
        inherit owner = yes
        inherit permissions = yes
        map archive = no
        map readonly = no
        vfs objects = zfsacl streams_xattr
        nfs4:mode = special
        nfs4:acedup = merge
        nfs4:chown = no

        browseable = yes
        guest ok = no
        writable = yes
        create mask = 0775
        directory mask = 0775
        csc policy = disable

        access based share enum = yes
        hide unreadable = yes

        vfs objects = full_audit
        full_audit:prefix = %u|%m|%S
        full_audit:success = mkdir rmdir write pwrite rename unlink
        full_audit:failure = mkdir rmdir write pwrite rename unlink
        full_audit:facility = local5
        full_audit:priority = info

[ShareA]
        path = /data/sharea
        admin users = @"DOMAIN-LO\LocalAdmins"
        valid users = @"DOMAIN-LO\Domain Users"

[ShareB]
        path = /data/shareb
        admin users = @"DOMAIN-LO\LocalAdmins"
        valid users = @"DOMAIN-LO\Domain Users"


Does anyone had similar issues?

It seems the problem is not with samba 4.7.7 upgrade because one of test 
virtual hosts with almost identical configuration works just fine 
still.  Three other samba hosts lost ACL settings ...


Thanks!
Oleg

More information about the samba mailing list