[Samba] vfs_recycle disables permissions inheritance on AD DC shares

Sebastian Arcus s.arcus at open-t.co.uk
Mon Dec 2 15:32:37 UTC 2019

On 02/12/19 15:10, Rowland penny via samba wrote:
> On 02/12/2019 14:28, Sebastian Arcus via samba wrote:
>> Apologies if this is a documented feature and I missed it - I've been 
>> googling and reading through the docs but haven't spotted any mention 
>> anywhere. Is the vfs_recycle feature officially being supported with 
>> Samba in AD mode? I have a few AD DCs with file shares on them - and 
>> have been struggling with file permissions not being inherited on the 
>> file shares. I have finally narrowed it down to the fact that if I 
>> enable the vfs_recycle module on the shares, this disables permission 
>> inheritance on the respective share. Could anybody confirm this please 
>> - or am I doing something wrong?
> Problem is that using a Samba AD DC as a fileserver isn't really 
> recommended, I personally would only recommend using a DC as a 
> fileserver if it was the only DC (soho). You have multiple DCs, so don't 
> use them as fileservers, add a Unix domain member and use that instead.

Thank you for the quick reply. I should have mentioned that these DCs 
are at different sites. At each site there is only one Linux server - 
hence why the DC is also the file server.

>> I am on Samba 4.10.8 and 4.9.4, Slackware 64, as mentioned above all 
>> servers are AD DCs, the file system is EXT4, and here is my smb.conf:
>> [global]
>>   netbios name = MY-SERVER-NAME
>>   realm = MYDOMAIN.LAN
>>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>   workgroup = MYDOMAIN
>>   server role = active directory domain controller
>>   idmap_ldb:use rfc2307 = yes
>>   ntlm auth = yes
>>   time server = yes
>> [netlogon]
>>   path = /var/lib/samba/sysvol/mydomain.lan/scripts
>>   read only = No
>> [sysvol]
>>    path = /var/lib/samba/sysvol
>>    read only = No
>> [shared_files]
>>   path = /srv/samba/shared_files
>>   read only = No
>>   vfs objects = recycle
> As you have surmised, the above line is your problem, you have turned 
> off the default vfs objects built into a Samba AD DC.

I'm afraid I'm not sufficiently familiar with vfs objects and how they 
work - I only used the configuration above based on the recommended 
configs in the wiki. Are you saying above that I could have configured 
the vfs recycle without using the "vfs objects = recycle" line - that it 
isn't actually necessary in order to activate the recycle bin?

Thank you
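On the question the reply above ends with: the `vfs objects` line is still needed, because a VFS module is only loaded when it is listed, but on a Samba AD DC that line replaces the share's built-in default stack (`dfs_samba4 acl_xattr`, where acl_xattr is what stores and inherits the NT ACLs) rather than adding to it. The following checker is an added example, not code from this thread or from the Samba project. It parses an smb.conf, works out the effective module list per share on an AD DC, and proposes a line that keeps the defaults in front and appends what the admin added. Both configs inside it are constructed test input modelled on the posted one; putting the defaults before `recycle` follows common practice and is an assumption, not something the thread states.

```python
"""Added example, not code from the thread or from the Samba project: a small
smb.conf checker for the pitfall discussed above.

Fact it relies on: on a Samba AD DC a share without an explicit "vfs objects"
line gets the default stack "dfs_samba4 acl_xattr", and acl_xattr is the module
that stores and inherits the NT ACLs. An explicit "vfs objects = recycle" on a
share REPLACES that default, it does not extend it, so inheritance silently
stops. The module order in the proposed fix (defaults first, then whatever the
admin added) is an assumption following common practice.
"""
import re

AD_DC_ROLE = "active directory domain controller"
AD_DC_DEFAULT_VFS = ["dfs_samba4", "acl_xattr"]


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Section and parameter names are lowercased with inner whitespace collapsed,
    since smb.conf treats them case-insensitively. Comments (# or ;) and blank
    lines are skipped; backslash line continuation is not handled.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = " ".join(m.group(1).lower().split())
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def split_modules(value):
    """smb.conf list values may be separated by spaces and/or commas."""
    return [m for m in re.split(r"[,\s]+", value) if m]


def check_vfs_overrides(text):
    """Return findings for shares whose vfs stack drops the AD DC defaults.

    A share parameter set in [global] is the default for every share, so a
    global "vfs objects" counts as an override too. Shares with no effective
    setting keep the built-in default and are fine.
    """
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("server role", "").lower() != AD_DC_ROLE:
        return []  # the dfs_samba4/acl_xattr default only applies on an AD DC
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        value = params.get("vfs objects", glob.get("vfs objects"))
        if value is None:
            continue  # built-in default stack stays in place
        modules = split_modules(value)
        missing = [m for m in AD_DC_DEFAULT_VFS if m not in modules]
        if missing:
            extra = [m for m in modules if m not in AD_DC_DEFAULT_VFS]
            findings.append({
                "share": share,
                "missing": missing,
                "fix": "vfs objects = " + " ".join(AD_DC_DEFAULT_VFS + extra),
            })
    return findings


# Constructed input modelled on the config in the post: the [shared_files]
# line replaces the DC default stack, so the NT ACLs are no longer inherited.
BROKEN_CONF = """
[global]
  server role = active directory domain controller
  workgroup = MYDOMAIN
[sysvol]
  path = /var/lib/samba/sysvol
  read only = No
[shared_files]
  path = /srv/samba/shared_files
  read only = No
  vfs objects = recycle
"""

# The same share with the DC defaults kept in front of recycle.
FIXED_CONF = BROKEN_CONF.replace(
    "vfs objects = recycle", "vfs objects = dfs_samba4 acl_xattr recycle")

if __name__ == "__main__":
    for f in check_vfs_overrides(BROKEN_CONF):
        print(f"[{f['share']}] drops {', '.join(f['missing'])}; use: {f['fix']}")
    print("fixed config findings:", check_vfs_overrides(FIXED_CONF))
```

After editing the real smb.conf, `testparm -s` shows the share as Samba will load it, so the merged `vfs objects` line can be confirmed before restarting; inheritance on existing files can then be checked from a Windows client or with `samba-tool ntacl get` on a newly created file.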
