[Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled
rpenny at samba.org
Wed Feb 27 16:17:00 UTC 2019
On Wed, 27 Feb 2019 16:53:48 +0100
Peter Eriksson via samba <samba at lists.samba.org> wrote:
> We just noticed an interesting bug/misfeature on our Samba 4.9.4
> servers (FreeBSD 11.2). The same effect is also visible on Samba
> 4.8.3 on CentOS 7.
> Start with a directory that looks like this:
> root at filur00:/tmp/test # ls -la
> total 50
> drwxrwx--- 2 peter86 uf-iti-all 3 Feb 27 11:27 .
> drwxrwxrwt 10 root wheel 56 Feb 27 16:41 ..
> -rw-rw---- 1 mikha02 uf-iti-all 6 Feb 27 11:27 hello.txt
> I.e., no ACLs, just “pure” Unix permission bits. Share it as usual via
> With a smb.conf file with any “vfs objects” enabled (doesn’t matter
> which, or even with an empty list):
> vfs objects = ;; empty list
> vfs objects = shadow_copy2 zfsacl full_audit
> Then if you (from a Windows machine) look at the file's Properties ->
> Security you will find that the Write access for the Group entry has
> been removed from the ACL list displayed (and Samba will give Windows
> users access errors when they try to write to that file).
> With a smb.conf file without a “vfs objects” line you will correctly
> get the right Write Access for the Group in the ACL.
> It feels like having any “vfs objects” config line removes some kind
> of default VFS module that does something that it should call instead
> of calling it last….
> - Peter
Would this be on a DC?
If so, you are removing the default vfs objects, and this is a known