[Samba] SAMBA AD VFS:Recycle bad permissions

Kacper Wirski kacper.wirski at gmail.com
Mon Jun 10 09:23:49 UTC 2019


I had a similar issue on a samba 4.8 domain member (new files with wrong 
permissions), when I realised that You need to list all modules that You 
wish to use in "vfs objects" every time; there is no inheritance from 
global -> shares, that is, if You have e.g.

[global]

...

vfs object = acl_xattr

..

[some share]

...

vfs object = recycle

..


On samba DC "acl_xattr" is set by default, but setting vfs object in a 
specific share might override it (If I'm mistaken please someone correct 
me, but it seems to be the case).

It means that in fact there is no "acl_xattr" set for [some share], and 
You have to change it to:

vfs object = acl_xattr recycle (list all modules explicitly)

In my case the missing "acl_xattr" module was the reason for wrong file 
permissions in specific shares. All shares that had no "vfs object" set 
were working correctly, because they used settings from [global].

Regards,

Kacper


On 10.06.2019 at 11:07, Tomáš Havlín via samba wrote:
> In fact, I don't understand. I have no problem with deleted files, 
> and I have 700 on .deleted folder because I don't need to have users 
> be able to open deleted folder with deleted files, it is only for me. 
> If VFS:recycle is enabled, new created files on share folder (not 
> .deleted folder, not deleted files) permission to this folder are 
> limited by mask and owner is "root". Without VFS:recycle new created 
> files have owner "user" and rights are fine. I tried to put 
> recycle:directory_mode = 777 to smb.conf, but nothing changed.
>
> on XXX share
> getfacl vvv.txt
> # file: vvv.txt
> # owner: root
> # group: users
> user::rw-
> group::---
> group:users:rwx #effective:r--
> group:3000002:---
> mask::r--
> other::---
>
>
> on original share
> # getfacl aaa.txt
> # file: aaa.txt
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx
> user:3000002:rwx
> user:3000004:rwx
> group::rwx
> group:users:rwx
> group:3000000:rwx
> group:3000002:rwx
> group:3000004:rwx
> mask::rwx
> other::---
>
> ------ Original message ------
> From: "Rowland penny via samba" <samba at lists.samba.org>
> To: "sambalist" <samba at lists.samba.org>
> Sent: 10.06.2019 10:32:39
> Subject: Re: [Samba] SAMBA AD VFS:Recycle bad permissions
>
>> On 10/06/2019 08:51, Tomáš Havlín wrote:
>>> Hello
>>> my smb.conf + working and no working ACL share folders
>>>
>>> [global]
>>> netbios name = FENIX
>>> realm = PFCZ.INTRA
>>> server role = active directory domain controller
>>> workgroup = PFCZ
>>> idmap_ldb:use rfc2307 = yes
>>> dns forwarder = 10.254.254.1
>>>
>>> unix extensions = no
>>> wide links = yes
>>> follow symlinks = yes
>>> bind interfaces only = yes
>>> interfaces = lo eno1
>>> max log size = 150000
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/pfcz.intra/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [share] - working VFS:recycle, original share
>>>     path = /mnt/data1/share
>>>     read only = no
>>>
>>> [XXX] - no working VFS:recycle, testing share
>>>     path = /mnt/data1/XXX
>>>     read only = no
>>>     vfs object = recycle
>>>     recycle:repository = .deleted
>>>     recycle:keeptree = yes
>>>     recycle:touch = yes
>>>     recycle:version = yes
>>>     recycle:maxsize = 0
>>>     recycle:exclude = *.tmp
>>>     recycle:exclude_dir = /tmp
>>>
>>>
>> It looks to me that the VFS changes have caused this.
>>
>> You are using a DC as a fileserver, this isn't recommended for a start.
>>
>> On a DC, 'vfs objects = acl_xattr' is set by default, this means 
>> that 'inherit acls = yes' is set and you do not have a 
>> 'recycle:directory_mode' line, so you will be using the default 
>> '0700'. Put this all together and what you are getting is correct, 
>> don't ask me why it worked before, but not now. It looks like it was 
>> actually wrong before but correct now ;-)
>>
>> Rowland
>>
>>

---
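The override behaviour described in this thread can be checked mechanically. The following is an added example, not part of the original messages and not Samba's own code: it scans smb.conf text and reports every share whose own "vfs objects" line leaves out modules that [global] would otherwise supply. The function names and the sample configuration are constructed for illustration; `include` directives and line continuations are not followed.

```python
# Added example: flag shares whose own "vfs objects" line drops modules
# that [global] (or an assumed server default) would otherwise provide.
import re

VFS_KEYS = {"vfs objects", "vfs object"}  # smb.conf accepts both spellings

def parse_vfs_settings(conf_text):
    """Return {section_name_lowercased: [modules]} for sections setting vfs objects."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.match(r"\[(.+?)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Parameter names are matched ignoring case and extra whitespace.
        if " ".join(key.lower().split()) in VFS_KEYS:
            settings[section] = [m for m in re.split(r"[\s,]+", value) if m]
    return settings

def dropped_vfs_modules(conf_text, implicit=()):
    """Map each share to the inherited modules its own vfs line leaves out.
    `implicit` = modules assumed active when [global] sets none (assumption)."""
    settings = parse_vfs_settings(conf_text)
    inherited = settings.pop("global", list(implicit))
    return {
        share: [m for m in inherited if m not in modules]
        for share, modules in settings.items()
        if any(m not in modules for m in inherited)
    }

# Constructed smb.conf, modelled on the share names used in the thread.
SAMPLE = """
[global]
    vfs objects = acl_xattr
[share]
    read only = no
[XXX]
    vfs object = recycle
[fixed]
    vfs objects = acl_xattr recycle
"""

if __name__ == "__main__":
    print(dropped_vfs_modules(SAMPLE))
```

For a DC configuration with no "vfs objects" line in [global], pass `implicit=("acl_xattr",)` to model the default mentioned in the thread.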