[Samba] SAMBA AD VFS:Recycle bad permissions
Kacper Wirski
kacper.wirski at gmail.com
Mon Jun 10 09:23:49 UTC 2019
I had a similar issue on a samba 4.8 domain member (new files with wrong
permissions), when I realised that you need to list all modules that you
wish to use in "vfs objects" every time; there is no inheritance from
global -> shares. That is, if you have e.g.
[global]
...
vfs object = acl_xattr
..
[some share]
...
vfs object = recycle
..
On samba DC "acl_xattr" is set by default, but setting vfs object in a
specific share might override it (If I'm mistaken please someone correct
me, but it seems to be the case).
It means that in fact there is no "acl_xattr" set for [some share], and
you have to change it to:
vfs object = acl_xattr recycle (list all modules explicitly)
In my case the missing "acl_xattr" module was the reason for wrong file
permissions in specific shares. All shares that had no "vfs object" set
were working correctly, because they used settings from [global].
Regards,
Kacper
On 10.06.2019 at 11:07, Tomáš Havlín via samba wrote:
> In fact, I don't understand. I have no problem with deleted files,
> and I have 700 on .deleted folder because I don't need to have users
> be able to open deleted folder with deleted files, it is only for me.
> If VFS:recycle is enabled, newly created files on share folder (not
> .deleted folder, not deleted files) permission to this folder are
> limited by mask and owner is "root". Without VFS:recycle newly created
> files have owner "user" and rights are fine. I tried to put
> recycle:directory_mode = 777 to smb.conf, but nothing changed.
>
> on XXX share
> getfacl vvv.txt
> # file: vvv.txt
> # owner: root
> # group: users
> user::rw-
> group::---
> group:users:rwx #effective:r--
> group:3000002:---
> mask::r--
> other::---
>
>
> on original share
> # getfacl aaa.txt
> # file: aaa.txt
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx
> user:3000002:rwx
> user:3000004:rwx
> group::rwx
> group:users:rwx
> group:3000000:rwx
> group:3000002:rwx
> group:3000004:rwx
> mask::rwx
> other::---
>
> ------ Original message ------
> From: "Rowland penny via samba" <samba at lists.samba.org>
> To: "sambalist" <samba at lists.samba.org>
> Sent: 10.06.2019 10:32:39
> Subject: Re: [Samba] SAMBA AD VFS:Recycle bad permissions
>
>> On 10/06/2019 08:51, Tomáš Havlín wrote:
>>> Hello
>>> my smb.conf + working and no working ACL share folders
>>>
>>> [global]
>>> netbios name = FENIX
>>> realm = PFCZ.INTRA
>>> server role = active directory domain controller
>>> workgroup = PFCZ
>>> idmap_ldb:use rfc2307 = yes
>>> dns forwarder = 10.254.254.1
>>>
>>> unix extensions = no
>>> wide links = yes
>>> follow symlinks = yes
>>> bind interfaces only = yes
>>> interfaces = lo eno1
>>> max log size = 150000
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/pfcz.intra/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [share] - working VFS:recycle, original share
>>> path = /mnt/data1/share
>>> read only = no
>>>
>>> [XXX] - no working VFS:recycle, testing share
>>> path = /mnt/data1/XXX
>>> read only = no
>>> vfs object = recycle
>>> recycle:repository = .deleted
>>> recycle:keeptree = yes
>>> recycle:touch = yes
>>> recycle:version = yes
>>> recycle:maxsize = 0
>>> recycle:exclude = *.tmp
>>> recycle:exclude_dir = /tmp
>>>
>>>
>> It looks to me that the VFS changes have caused this.
>>
>> You are using a DC as a fileserver, this isn't recommended for a start.
>>
>> On a DC , 'vfs objects = acl_xattr' is set by default, this means
>> that 'inherit acls = yes' is set and you do not have a
>> 'recycle:directory_mode' line, so you will be using the default
>> '0700'. Put this all together and what you are getting is correct,
>> don't ask me why it worked before, but not now. It looks like it was
>> actually wrong before but correct now ;-)
>>
>> Rowland
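The override behaviour described in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Samba code: it parses an smb.conf and reports every share whose effective "vfs objects" list lacks acl_xattr. The function names and the sample configuration are hypothetical, and the implicit DC default of acl_xattr is an assumption taken from the thread.

```python
import re

# Constructed sample, modelled on the smb.conf quoted in the thread.
SAMPLE_CONF = """
[global]
    server role = active directory domain controller
[share]
    read only = no
[XXX]
    vfs object = recycle
[fixed]
    vfs object = acl_xattr recycle
"""

def parse_smb_conf(text):
    """Minimal parser: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def vfs_modules(params):
    """Module list set in one section, or None if the section does not set it."""
    for key in ("vfs objects", "vfs object"):  # both spellings are accepted
        if key in params:
            return params[key].split()
    return None

def shares_missing(text, required="acl_xattr", dc_default=("acl_xattr",)):
    """Map each share whose effective module list lacks `required` to that list.
    dc_default is an assumption from the thread (implicit default on a DC)."""
    conf = parse_smb_conf(text)
    global_mods = vfs_modules(conf.get("global", {}))
    inherited = list(dc_default) if global_mods is None else global_mods
    findings = {}
    for name, params in conf.items():
        own = vfs_modules(params)
        # A per-share value replaces the inherited list; it is never merged.
        effective = inherited if own is None else own
        if name != "global" and required not in effective:
            findings[name] = effective
    return findings
```

Calling `shares_missing(SAMPLE_CONF)` flags only the share that sets `vfs object = recycle` on its own.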