[Samba] SAMBA AD VFS:Recycle bad permissions

Tomáš Havlín thavlin at spel.cz
Mon Jun 10 09:39:41 UTC 2019


bingo,
don't tell me that there wasn't inheritance from global VFS to share 
before, but I put acl_xattr to vfs object after recycle and it looks to 
be working now, let me do more tests.

bB

------ Original message ------
From: "Kacper Wirski via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: 10.06.2019 11:23:49
Subject: Re: [Samba] SAMBA AD VFS:Recycle bad permissions

>I had a similar issue on a samba 4.8 domain member (new files with wrong permissions), when I realised that You need to list all modules that You wish to use in "vfs objects" every time; there is no inheritance from global -> shares, that is, if You have e.g.
>
>[global]
>
>...
>
>vfs object = acl_xattr
>
>..
>
>[some share]
>
>...
>
>vfs object = recycle
>
>..
>
>
>On samba DC "acl_xattr" is set by default, but setting vfs object in a specific share might override it (If I'm mistaken please someone correct me, but it seems to be the case).
>
>It means that in fact there is no "acl_xattr" set for [some share], and You have to change it to:
>
>vfs object = acl_xattr recycle (list all modules explicitly)
>
>In my case the missing "acl_xattr" module was the reason for wrong file permissions in specific shares. All shares that had no "vfs object" set were working correctly, because they used settings from [global].
>
>Regards,
>
>Kacper
>
>
>On 10.06.2019 at 11:07, Tomáš Havlín via samba wrote:
>>In fact, I don't understand. I have no problem with deleted files, and I have 700 on .deleted folder because I don't need to have users be able to open deleted folder with deleted files, it is only for me. If VFS:recycle is enabled, newly created files on share folder (not .deleted folder, not deleted files) permission to this folder are limited by mask and owner is "root". Without VFS:recycle newly created files have owner "user" and rights are fine. I tried to put recycle:directory_mode = 777 to smb.conf, but nothing changed.
>>
>>on XXX share
>>getfacl vvv.txt
>># file: vvv.txt
>># owner: root
>># group: users
>>user::rw-
>>group::---
>>group:users:rwx #effective:r--
>>group:3000002:---
>>mask::r--
>>other::---
>>
>>
>>on original share
>># getfacl aaa.txt
>># file: aaa.txt
>># owner: 3000000
>># group: users
>>user::rwx
>>user:root:rwx
>>user:3000002:rwx
>>user:3000004:rwx
>>group::rwx
>>group:users:rwx
>>group:3000000:rwx
>>group:3000002:rwx
>>group:3000004:rwx
>>mask::rwx
>>other::---
>>
>>------ Original message ------
>>From: "Rowland penny via samba" <samba at lists.samba.org>
>>To: "sambalist" <samba at lists.samba.org>
>>Sent: 10.06.2019 10:32:39
>>Subject: Re: [Samba] SAMBA AD VFS:Recycle bad permissions
>>
>>>On 10/06/2019 08:51, Tomáš Havlín wrote:
>>>>Hello
>>>>my smb.conf + working and no working ACL share folders
>>>>
>>>>[global]
>>>>netbios name = FENIX
>>>>realm = PFCZ.INTRA
>>>>server role = active directory domain controller
>>>>workgroup = PFCZ
>>>>idmap_ldb:use rfc2307 = yes
>>>>dns forwarder = 10.254.254.1
>>>>
>>>>unix extensions = no
>>>>wide links = yes
>>>>follow symlinks = yes
>>>>bind interfaces only = yes
>>>>interfaces = lo eno1
>>>>max log size = 150000
>>>>
>>>>[netlogon]
>>>>path = /var/lib/samba/sysvol/pfcz.intra/scripts
>>>>read only = No
>>>>
>>>>[sysvol]
>>>>path = /var/lib/samba/sysvol
>>>>read only = No
>>>>
>>>>[share] - working VFS:recycle, original share
>>>>     path = /mnt/data1/share
>>>>     read only = no
>>>>
>>>>[XXX] - no working VFS:recycle, testing share
>>>>     path = /mnt/data1/XXX
>>>>     read only = no
>>>>     vfs object = recycle
>>>>     recycle:repository = .deleted
>>>>     recycle:keeptree = yes
>>>>     recycle:touch = yes
>>>>     recycle:version = yes
>>>>     recycle:maxsize = 0
>>>>     recycle:exclude = *.tmp
>>>>     recycle:exclude_dir = /tmp
>>>>
>>>>
>>>It looks to me that the VFS changes have caused this.
>>>
>>>You are using a DC as a fileserver, this isn't recommended for a start.
>>>
>>>On a DC , 'vfs objects = acl_xattr' is set by default, this means that 'inherit acls = yes' is set and you do not have a 'recycle:directory_mode' line, so you will be using the default '0700'. Put this all together and what you are getting is correct, don't ask me why it worked before, but not now. It looks like it was actually wrong before but correct now ;-)
>>>
>>>Rowland
>>>
>>>
>>>-- To unsubscribe from this list go to the following URL and read the
>>>instructions:  https://lists.samba.org/mailman/options/samba
>
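The override behaviour discussed in this thread can be checked mechanically. The following is an added example, not code from any of the posters or from the Samba project: a small Python check that flags shares whose own "vfs objects" line drops a module from the global stack. The sample smb.conf is constructed from the configuration posted in the thread, the function names are hypothetical, and treating acl_xattr as the DC default when [global] sets none is an assumption taken from the replies above.

```python
import re

# Constructed sample, modelled on the smb.conf posted in the thread.
SAMPLE_CONF = """\
[global]
    server role = active directory domain controller
[share]
    path = /mnt/data1/share
[XXX]
    vfs object = recycle
    recycle:repository = .deleted
[fixed]
    vfs objects = acl_xattr recycle
"""

def parse_smb_conf(text):  # -> {section: {param: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # names ignore case and inner spaces
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def vfs_modules(section):
    # "vfs object" is a synonym for "vfs objects"; None means "not set here".
    value = section.get("vfsobjects", section.get("vfsobject"))
    return None if value is None else value.replace(",", " ").split()

def shares_dropping_modules(text, dc_default=("acl_xattr",)):
    # Returns {share: [baseline modules missing from the share's own list]}.
    glob = parse_smb_conf(text).get("global", {})
    baseline = vfs_modules(glob)
    if baseline is None:  # assumption from the thread: a DC defaults to acl_xattr
        is_dc = glob.get("serverrole", "").lower() == "active directory domain controller"
        baseline = list(dc_default) if is_dc else []
    findings = {}
    for name, params in parse_smb_conf(text).items():
        mods = vfs_modules(params)
        if name != "global" and mods is not None:  # per-share line replaces the stack
            missing = [m for m in baseline if m not in mods]
            if missing:
                findings[name] = missing
    return findings
```

Calling shares_dropping_modules(SAMPLE_CONF) reports only the [XXX] share; shares without a "vfs objects" line are skipped because they keep the global or default stack.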



