[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
Sebastian Arcus
s.arcus at open-t.co.uk
Tue Jun 11 09:34:07 UTC 2019
I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from 4.x
(I'm afraid I'm not sure of the exact earlier version) - and since then I
just haven't managed to pin down the file permissions and inheritance on
the shares, as it's been constantly causing issues. This server is both a
file server and an AD DC.

The current problem I am facing is the permissions of the lock file
generated by Microsoft Access (.ldb). The Access database is on the
server share. When one Windows client opens it, the .ldb file is created
with group write permission (-rw-rw----). But when it is opened from
another Windows machine, the .ldb file is created with group read-only
permissions (-rw-r-----) - which locks other users out. There seems to
be a mask applied, but I have no idea where it is coming from. Both
client machines are Windows 7 - I just can't figure out the reason. It
used to work fine before the Samba upgrade. The wrong ACLs for the .ldb
file look like this:

# file: praxis_be.ldb
# owner: HEBI\\user1
# group: HEBI\\domain\040users
user::rw-
user:root:rwx #effective:r--
group::rwx #effective:r--
group:HEBI\\domain\040users:rwx #effective:r--
group:HEBI\\domain\040computers:r-x #effective:r--
mask::r--
other::---

What I've tried:

1. I have set and reset the ACLs on the Linux side for the share and
parent dir (the lock file is in the root of the network share) - and
made sure it doesn't have a mask:

# file: /srv/samba/praxis
# owner: root
# group: HEBI\\domain\040users
user::rwx
user:root:rwx
group::rwx
group:HEBI\\domain\040users:rwx
group:HEBI\\domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---

2. I have set the "inherit acls = " and forced the masks in smb.conf:

[praxis]
path = /srv/samba/praxis
read only = No
create mask = 0660
directory mask = 0770
inherit acls = yes

What I can't understand is why a mask is applied when the .ldb file is
created - and why it is different between the two Windows 7 machines (if
it comes from the Windows side).

Any suggestions would be much appreciated.
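
Added example (not part of the original post, and not Samba's code): a Python model of the acl(5) rule that a file created under a directory with a default ACL inherits those entries, with the owner, mask and other entries limited by the mode passed at creation. The creation modes 0660 and 0640 are assumptions chosen to match the two .ldb permission strings in the post; the sample ACL is the default ACL from the post's directory listing.

```python
# Model of file creation under a default ACL, per acl(5). Added example.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Default ACL of /srv/samba/praxis, copied from the listing in the post.
DIR_ACL = r"""
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---
"""

def to_bits(s):
    return sum(v for k, v in PERM_BITS.items() if k in s)

def to_str(b):
    return "".join(k if b & v else "-" for k, v in PERM_BITS.items())

def parse_default_acl(text):
    """Return {(tag, qualifier): bits} for the default: entries of getfacl output."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop "#effective:" comments
        if line.startswith("default:"):
            tag, qualifier, perms = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = to_bits(perms)
    return acl

def inherit(default_acl, mode):
    """Access ACL of a new file: default entries limited by the creation mode."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    # The group bits of the mode limit the mask, or group:: if there is no mask.
    mask_key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[mask_key] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl):
    """Apply the mask to named users, the owning group and named groups."""
    mask = acl.get(("mask", ""), 7)
    grp = lambda t, q: t == "group" or (t == "user" and q != "")
    return {(t, q): to_str(b & mask if grp(t, q) else b)
            for (t, q), b in acl.items() if t != "mask"}

def new_file_report(mode):
    """Return (mask string, effective permissions) for a file created with mode."""
    acl = inherit(parse_default_acl(DIR_ACL), mode)
    return to_str(acl[("mask", "")]), effective(acl)
```

With mode 0640 the model returns mask r-- and effective r-- for user:root and group::, the same values as in the .ldb listing above; with 0660 the mask is rw-.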