[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
Oleg Cherkasov
o1e9.cherkasov at yandex.com
Wed Aug 8 16:45:23 UTC 2018
On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:
> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote:
>>
>> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7
>> installations started to ignore ACL settings and reject user access to
>> shares. All three servers are members of DC running on Windows Server
>> 2008R2. Everything has been running ok for last few year. I have
>> been upgrading Samba and FreeBSD installations and on last Friday
>> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7
>> and after restarting the services everything worked as expected.
>>
Have found the issue, it is audit or full_audit vfs. It seems if I
remove 'vfs objects = full_audit' or 'vfs objects = audit' everything
works as expected.
So the next question security and vfs_full_audit have some issue :(
>> [global]
>> security = ADS
>> workgroup = DOMAIN.LO
>> realm = DOMAIN.LO
>> password server = 10.54.148.9
>>
...
>>
>> vfs objects = full_audit
>> full_audit:prefix = %u|%m|%S
>> full_audit:success = mkdir rmdir write pwrite rename unlink
>> full_audit:failure = mkdir rmdir write pwrite rename unlink
>> full_audit:facility = local5
>> full_audit:priority = info
Does full_audit/audit works with ADS?
With 'vfs objects = full_audit' shares report root, wheels and Everyone
in Security Permissions rather actual ACL. Disabling full_audit
immediately shows actual ACLs and I may update it as well.
More information about the samba
mailing list