[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL

Oleg Cherkasov o1e9.cherkasov at yandex.com
Wed Aug 8 16:45:23 UTC 2018

On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:
> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote:
>> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7 
>> installations started to ignore ACL settings and reject user access to 
>> shares.  All three servers are members of DC running on Windows Server 
>> 2008R2.  Everything has been running ok for last few year.  I have 
>> been upgrading Samba and FreeBSD installations and on last Friday 
>> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7 
>> and after restarting the services everything worked as expected.

Have found the issue, it is audit or full_audit vfs.  It seems if I 
remove 'vfs objects = full_audit' or 'vfs objects = audit' everything 
works as expected.

So the next question security and vfs_full_audit have some issue :(

>> [global]
>>         security = ADS
>>         workgroup = DOMAIN.LO
>>         realm = DOMAIN.LO
>>         password server =
>>         vfs objects = full_audit
>>         full_audit:prefix = %u|%m|%S
>>         full_audit:success = mkdir rmdir write pwrite rename unlink
>>         full_audit:failure = mkdir rmdir write pwrite rename unlink
>>         full_audit:facility = local5
>>         full_audit:priority = info

Does full_audit/audit works with ADS?

With 'vfs objects = full_audit' shares report root, wheels and Everyone 
in Security Permissions rather actual ACL.  Disabling full_audit 
immediately shows actual ACLs and I may update it as well.

More information about the samba mailing list