[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade

Sebastian Arcus s.arcus at open-t.co.uk
Tue Jun 11 10:38:44 UTC 2019

On 11/06/19 11:07, Rowland penny via samba wrote:
> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from 
>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since 
>> then I just haven't managed to pin down the file permissions and 
>> inheritance on the shares as it's been constantly causing issues. This 
>> server is both a file server and a AD DC.
>> The current problem I am facing is the permissions of the lock file 
>> generated by Microsoft Access (.ldb). The Access database is on the 
>> server share. When one Windows client opens it, the .ldb file is 
>> created with group write permission (-rw-rw----). But when it is 
>> opened from another Windows machine, the .ldb file is created with 
>> group read-only permissions (-rw-r-----) - which locks other users 
>> out. There seems to be a mask applied, but I have no idea where is it 
>> coming from. Both client machines are Windows 7 - I just can't figure 
>> out the reason. It used to work fine before the Samba upgrade. The 
>> wrong acl's for the .ldb file look like this:
>> # file: praxis_be.ldb
>> # owner: HEBI\\user1
>> # group: HEBI\\domain\040users
>> user::rw-
>> user:root:rwx            #effective:r--
>> group::rwx            #effective:r--
>> group:HEBI\\domain\040users:rwx    #effective:r--
>> group:HEBI\\domain\040computers:r-x    #effective:r--
>> mask::r--
>> other::---
>> What I've tried:
>> 1. I have set and reset the acl's on the Linux side for the share and 
>> parent dir (the lock file is in the root of the network share) - and 
>> made sure it doesn't have a mask:
> You should stop doing this, as it is a DC, you need to set the 
> permissions from Windows, see here:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Thank you for the quick answer. I should have mentioned that I tried 
that as well. Could you confirm if "inherit acls" and "create mask" and 
"directory mask" should still apply to Samba in AD mode any more - or not?

More information about the samba mailing list