[Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled

Peter Eriksson pen at lysator.liu.se
Wed Feb 27 15:53:48 UTC 2019

We just noticed an interesting bug/misfeature on our Samba 4.9.4 servers (FreeBSD 11.2). The same effect is also visible on Samba 4.8.3 on CentOS 7.

Start with a directory that looks like this:

root at filur00:/tmp/test # ls -la
total 50
drwxrwx---   2 peter86  uf-iti-all   3 Feb 27 11:27 .
drwxrwxrwt  10 root     wheel       56 Feb 27 16:41 ..
-rw-rw----   1 mikha02  uf-iti-all   6 Feb 27 11:27 hello.txt

Ie, no ACLs, just “pure” Unix permission bits. Share it as usual via smb.conf.

With a smb.conf file with any “vfs objects” enabled (doesn’t matter which, or even with an empty list):

    vfs objects = ;; empty list
    vfs objects = shadow_copy2 zfsacl full_audit

Then if you (from a Windows machine) look at the file's Properties -> Security you will find that the Write access for the Group entry has been removed from the ACL list displayed (and Samba will give Windows users access errors when they try to write to that file).

With a smb.conf file without a “vfs objects” line you will correctly get the right Write Access for the Group in the ACL.

It feels like having any “vfs objects” config line removes some kind of default VFS module that does something that it should call instead of calling it last….

- Peter

More information about the samba mailing list