[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade

Rowland penny rpenny at samba.org
Tue Jun 11 10:49:46 UTC 2019

On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
> On 11/06/19 11:07, Rowland penny via samba wrote:
>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from 
>>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since 
>>> then I just haven't managed to pin down the file permissions and 
>>> inheritance on the shares as it's been constantly causing issues. 
>>> This server is both a file server and an AD DC.
>>> The current problem I am facing is the permissions of the lock file 
>>> generated by Microsoft Access (.ldb). The Access database is on the 
>>> server share. When one Windows client opens it, the .ldb file is 
>>> created with group write permission (-rw-rw----). But when it is 
>>> opened from another Windows machine, the .ldb file is created with 
>>> group read-only permissions (-rw-r-----) - which locks other users 
>>> out. There seems to be a mask applied, but I have no idea where it 
>>> is coming from. Both client machines are Windows 7 - I just can't 
>>> figure out the reason. It used to work fine before the Samba 
>>> upgrade. The wrong ACLs for the .ldb file look like this:
>>> # file: praxis_be.ldb
>>> # owner: HEBI\\user1
>>> # group: HEBI\\domain\040users
>>> user::rw-
>>> user:root:rwx            #effective:r--
>>> group::rwx            #effective:r--
>>> group:HEBI\\domain\040users:rwx    #effective:r--
>>> group:HEBI\\domain\040computers:r-x    #effective:r--
>>> mask::r--
>>> other::---
>>> What I've tried:
>>> 1. I have set and reset the ACLs on the Linux side for the share 
>>> and parent dir (the lock file is in the root of the network share) - 
>>> and made sure it doesn't have a mask:
>> You should stop doing this; as it is a DC, you need to set the 
>> permissions from Windows. See here:
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> Thank you for the quick answer. I should have mentioned that I tried 
> that as well. Could you confirm if "inherit acls" and "create mask" 
> and "directory mask" should still apply to Samba in AD mode any more - 
> or not?
Your share on the DC should only be this:

path = /srv/samba/praxis
read only = No

You shouldn't add anything else, it has always been this way on a DC.

I think it might help if you posted the global part of the smb.conf.
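As an added example (not code from this thread or from the Samba project), the script below parses getfacl(1) output like the ACL quoted above and applies the POSIX.1e mask rule, so a reader can see why every group and named-user entry collapses to an effective r-- while the owner keeps rw-, and what mask those entries would need in order to be honoured. The sample input is constructed from the quoted ACL; all function names are this example's own.

```python
# Added example: parse getfacl output and apply the POSIX.1e ACL mask rule to
# explain the "#effective:" column. Not from the thread or from Samba.
import re
from typing import Dict, List, Tuple

# Constructed sample input, copied from the ACL quoted in the thread. getfacl
# prints a space in a name as \040 and the domain separator as a backslash.
SAMPLE_GETFACL = r"""
# file: praxis_be.ldb
# owner: HEBI\\user1
# group: HEBI\\domain\040users
user::rw-
user:root:rwx            #effective:r--
group::rwx            #effective:r--
group:HEBI\\domain\040users:rwx    #effective:r--
group:HEBI\\domain\040computers:r-x    #effective:r--
mask::r--
other::---
"""

PERM_ORDER = "rwx"


def perms_to_set(perms: str) -> frozenset:
    """'r-x' -> {'r','x'}; rejects anything that is not the three-char rwx form."""
    if not re.fullmatch(r"[r-][w-][x-]", perms):
        raise ValueError(f"bad permission string: {perms!r}")
    return frozenset(c for c in perms if c != "-")


def set_to_perms(bits: frozenset) -> str:
    return "".join(c if c in bits else "-" for c in PERM_ORDER)


def parse_getfacl(text: str) -> List[Dict[str, str]]:
    """Parse getfacl output into entries of tag, qualifier and granted perms."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or one of the '# file/owner/group' headers
        body = line.split("#", 1)[0].strip()  # drop getfacl's '#effective:' note
        tag, qualifier, perms = body.split(":", 2)  # qualifiers contain no ':'
        entries.append({"tag": tag, "qualifier": qualifier, "perms": perms})
    return entries


def is_masked(entry: Dict[str, str]) -> bool:
    """POSIX.1e: the mask limits named users, the owning group and named groups,
    but never the file owner (user::), other, or the mask entry itself."""
    if entry["tag"] == "group":
        return True
    return entry["tag"] == "user" and entry["qualifier"] != ""


def effective_permissions(entries) -> List[Tuple[str, str, str, str]]:
    """Return (tag, qualifier, granted, effective) for every entry."""
    mask_entry = next((e for e in entries if e["tag"] == "mask"), None)
    mask = perms_to_set(mask_entry["perms"]) if mask_entry else None
    rows = []
    for e in entries:
        granted = perms_to_set(e["perms"])
        effective = granted & mask if (mask is not None and is_masked(e)) else granted
        rows.append((e["tag"], e["qualifier"], set_to_perms(granted), set_to_perms(effective)))
    return rows


def entries_reduced_by_mask(entries) -> List[Tuple[str, str, str, str]]:
    """Entries whose effective rights are strictly less than what was granted."""
    return [row for row in effective_permissions(entries) if row[2] != row[3]]


def required_mask(entries) -> str:
    """The mask setfacl would recalculate: the union of all masked entries' rights."""
    bits = frozenset()
    for e in entries:
        if is_masked(e):
            bits |= perms_to_set(e["perms"])
    return set_to_perms(bits)


def group_can_write(entries) -> bool:
    """True only if the owning group's *effective* rights include write."""
    for tag, qualifier, _granted, effective in effective_permissions(entries):
        if tag == "group" and qualifier == "":
            return "w" in effective
    return False


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for tag, qualifier, granted, effective in effective_permissions(acl):
        name = f"{tag}:{qualifier}"
        note = "" if granted == effective else "   <- reduced by mask"
        print(f"{name:<40} granted={granted} effective={effective}{note}")
    print("mask needed to honour all entries:", required_mask(acl))
    print("owning group can write:", group_can_write(acl))
```

Run against the quoted ACL, this reports four entries reduced by the mask (root, the owning group, domain users and domain computers), a required mask of rwx against the actual r--, and that the owning group cannot write, which is exactly the lock-out described in the thread. The script only explains the arithmetic of the mask; it does not tell you which client or setting wrote mask::r-- onto the file, which is the question the thread leaves to the smb.conf and the Windows-side permissions.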