[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
Rowland Penny
rpenny at samba.org
Tue Jun 11 10:07:44 UTC 2019
On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
> then I just haven't managed to pin down the file permissions and
> inheritance on the shares as it's been constantly causing issues. This
> server is both a file server and an AD DC.
>
> The current problem I am facing is the permissions of the lock file
> generated by Microsoft Access (.ldb). The Access database is on the
> server share. When one Windows client opens it, the .ldb file is
> created with group write permission (-rw-rw----). But when it is
> opened from another Windows machine, the .ldb file is created with
> group read-only permissions (-rw-r-----) - which locks other users
> out. There seems to be a mask applied, but I have no idea where it is
> coming from. Both client machines are Windows 7 - I just can't figure
> out the reason. It used to work fine before the Samba upgrade. The
> wrong ACLs for the .ldb file look like this:
>
> # file: praxis_be.ldb
> # owner: HEBI\\user1
> # group: HEBI\\domain\040users
> user::rw-
> user:root:rwx #effective:r--
> group::rwx #effective:r--
> group:HEBI\\domain\040users:rwx #effective:r--
> group:HEBI\\domain\040computers:r-x #effective:r--
> mask::r--
> other::---
>
>
> What I've tried:
>
> 1. I have set and reset the ACLs on the Linux side for the share and
> parent dir (the lock file is in the root of the network share) - and
> made sure it doesn't have a mask:
You should stop doing this; as it is a DC, you need to set the
permissions from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>
> 2. I have set the "inherit acls = " and forced the masks in smb.conf:
>
> [praxis]
> path = /srv/samba/praxis
> read only = No
> create mask = 0660
> directory mask = 0770
> inherit acls = yes
You cannot use those lines on a DC.
>
>
> What I can't understand is why a mask is applied when the .ldb file is
> created - and why it is different between the two Windows 7 machines
> (if it comes from the Windows side).
Probably because you are doing it wrong ;-)
Rowland
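
An added example, not part of the original message and not Samba project code: this Python script parses getfacl output like that quoted above and lists the entries whose effective rights are reduced by the mask:: entry, which is what locks other users out of the .ldb file. The function names are hypothetical, and the sample input is the output quoted in the message.

```python
import re

# Sample input: the getfacl output quoted in the message above.
SAMPLE = r"""# file: praxis_be.ldb
# owner: HEBI\\user1
# group: HEBI\\domain\040users
user::rw-
user:root:rwx #effective:r--
group::rwx #effective:r--
group:HEBI\\domain\040users:rwx #effective:r--
group:HEBI\\domain\040computers:r-x #effective:r--
mask::r--
other::---
"""

ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")

def unescape(name):
    # In the quoted output a backslash appears as "\\" and a space as "\040".
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)

def parse_acl(text):
    """Return (tag, qualifier, perms) for every ACL entry line."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), unescape(m.group(2)), m.group(3)) for m in matches if m]

def effective(perms, mask):
    # A right survives only if both the entry and the mask grant it.
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def masked_entries(text):
    """List entries whose effective rights are lower than the rights granted."""
    entries = parse_acl(text)
    mask = next((p for tag, _, p in entries if tag == "mask"), None)
    reduced = []
    for tag, name, perms in entries:
        # The mask limits named users, named groups and the owning group,
        # never the file owner (user::) or other::.
        if mask is None or tag in ("mask", "other") or (tag == "user" and not name):
            continue
        eff = effective(perms, mask)
        if eff != perms:
            reduced.append((tag, name, perms, eff))
    return reduced

if __name__ == "__main__":
    for tag, name, perms, eff in masked_entries(SAMPLE):
        print(f"{tag}:{name or '(owning)'} granted {perms}, effective {eff}")
```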