[Samba] vfs_recycle disables permissions inheritance on AD DC shares

Rowland Penny rpenny at samba.org
Mon Dec 2 15:10:05 UTC 2019


On 02/12/2019 14:28, Sebastian Arcus via samba wrote:
> Apologies if this is a documented feature and I missed it - I've been 
> googling and reading through the docs but haven't spotted any mention 
> anywhere. Is the vfs_recycle feature officially being supported with 
> Samba in AD mode? I have a few AD DCs with file shares on them - and
> have been struggling with file permissions not being inherited on the 
> file shares. I have finally narrowed it down to the fact that if I 
> enable the vfs_recycle module on the shares, this disables permission 
> inheritance on the respective share. Could anybody confirm this please 
> - or am I doing something wrong?
>
The problem is that using a Samba AD DC as a fileserver isn't really
recommended. I personally would only recommend using a DC as a
fileserver if it was the only DC (SOHO). You have multiple DCs, so don't
use them as fileservers; add a Unix domain member and use that instead.
> I am on Samba 4.10.8 and 4.9.4, Slackware 64, as mentioned above all
> servers are AD DCs, the file system is EXT4, and here is my smb.conf:
>
> [global]
>   netbios name = MY-SERVER-NAME
>   realm = MYDOMAIN.LAN
>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>   workgroup = MYDOMAIN
>   server role = active directory domain controller
>   idmap_ldb:use rfc2307 = yes
>   ntlm auth = yes
>   time server = yes
>
> [netlogon]
>   path = /var/lib/samba/sysvol/mydomain.lan/scripts
>   read only = No
>
> [sysvol]
>    path = /var/lib/samba/sysvol
>    read only = No
>
> [shared_files]
>   path = /srv/samba/shared_files
>   read only = No
>
>   vfs objects = recycle
As you have surmised, the above line is your problem: you have turned
off the default vfs objects built into a Samba AD DC.

Rowland
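
Added example, not part of the original message and not Samba's own code: a small Python check that flags sections of an AD DC smb.conf whose `vfs objects` line replaces the built-in defaults, as described in the reply above. It assumes the DC defaults are `dfs_samba4 acl_xattr`; the function names and the `[fixed_share]` section are hypothetical.

```python
import re

# Assumption (not stated in the thread): modules an AD DC loads by default.
DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):  # smb.conf line continuation
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def shares_missing_dc_vfs(text):
    """Map section name -> DC default modules its 'vfs objects' drops."""
    conf = parse_smb_conf(text)
    role = " ".join(conf.get("global", {}).get("server role", "").lower().split())
    if role != "active directory domain controller":
        return {}
    findings = {}
    for name, params in conf.items():
        if "vfs objects" not in params:
            continue  # built-in defaults stay in effect
        loaded = {m.split(":")[0] for m in re.split(r"[,\s]+", params["vfs objects"])}
        missing = [m for m in DC_DEFAULT_VFS if m not in loaded]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample modelled on the smb.conf quoted in the thread.
SAMPLE = """[global]
  server role = active directory domain controller
[shared_files]
  vfs objects = recycle
[fixed_share]
  vfs objects = dfs_samba4 acl_xattr recycle
"""

if __name__ == "__main__":
    print(shares_missing_dc_vfs(SAMPLE))
```

For each flagged section, listing the missing modules ahead of `recycle` in `vfs objects` keeps the DC's ACL handling loaded alongside the recycle bin.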