[Samba] vfs_recycle disables permissions inheritance on AD DC shares

Rowland Penny rpenny at samba.org
Mon Dec 2 16:53:58 UTC 2019

On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
> I'm not sure what you mean by 'sites'. They are a number of 
> different physical sites, but they are independent small LANs, with 
> no connection to each other, if that is the question? I have seen the 
> advice in the wiki against using the DC as a file sharing server, but 
> I am not clear as to why exactly that is a bad idea - and the wiki 
> doesn't go into much detail. The servers certainly have performed very 
> well for the past 3 years or so. These are small networks, with around 
> 10 clients each.
For 'sites', see here: 

Basically, it is how you seem to be running AD, it just enforces it a 
bit more ;-)

Without 'sites' your clients could use the local DC, but they could also 
use any DC in your domain. With 'sites', they will use the local DC unless 
it has failed.

For more info, see here:


>> You should have 'vfs objects = dfs_samba4 acl_xattr recycle'
> Thank you very much for this - now it is working. This lack of 
> permissions inheritance issue has been plaguing me for months - it is 
> very useful to finally find what has been causing it. Would it be a 
> good idea to add the information above somewhere in the wiki, in case 
> others will face the same issue at some point?

You are probably correct, but where to put it ???

It doesn't help that the tool for checking the smb.conf on a DC does this:

root@dc4:~# samba-tool testparm -v 2>/dev/null | grep 'vfs objects'

     vfs objects =

Whilst the old tool for checking a smb.conf does this:

root@dc4:~# testparm -v -s 2>/dev/null | grep 'vfs objects'
     vfs objects = dfs_samba4 acl_xattr

And, no, I have no idea why the output is different ;-)
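
An added example, not part of the original post: since the two testparm tools disagree, this sketch reads the smb.conf text directly and reports sections on an AD DC whose explicit 'vfs objects' line omits the modules named in the thread. The sample configuration, its paths and the function names are constructed for illustration.

```python
# Added example: flag sections whose explicit 'vfs objects' drops the
# modules named in the thread (dfs_samba4, acl_xattr) on an AD DC.
REQUIRED = ("dfs_samba4", "acl_xattr")  # taken from the line quoted in the thread

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def is_ad_dc(sections):
    # Assumption: only the long form of the role name is matched here.
    role = sections.get("global", {}).get("serverrole", "")
    return " ".join(role.lower().split()) == "active directory domain controller"

def missing_modules(sections):
    """Map section -> required modules absent from its explicit 'vfs objects'."""
    findings = {}
    if not is_ad_dc(sections):
        return findings
    for name, params in sections.items():
        if "vfsobjects" not in params:
            continue  # nothing set explicitly in this section
        loaded = params["vfsobjects"].replace(",", " ").split()
        missing = [m for m in REQUIRED if m not in loaded]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample configuration (not from the thread).
SAMPLE = """\
[global]
    server role = active directory domain controller
[data]
    path = /srv/samba/data
    vfs objects = recycle
[projects]
    path = /srv/samba/projects
    vfs objects = dfs_samba4 acl_xattr recycle
"""

if __name__ == "__main__":
    for share, missing in missing_modules(parse_smb_conf(SAMPLE)).items():
        print(f"[{share}] vfs objects is missing: {' '.join(missing)}")
```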

