[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
Sebastian Arcus
s.arcus at open-t.co.uk
Tue Jun 11 12:13:38 UTC 2019
On 11/06/19 11:49, Rowland penny via samba wrote:
> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>
>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
>>>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
>>>> then I just haven't managed to pin down the file permissions and
>>>> inheritance on the shares as it's been constantly causing issues.
>>>> This server is both a file server and a AD DC.
>>>>
>>>> The current problem I am facing is the permissions of the lock file
>>>> generated by Microsoft Access (.ldb). The Access database is on the
>>>> server share. When one Windows client opens it, the .ldb file is
>>>> created with group write permission (-rw-rw----). But when it is
>>>> opened from another Windows machine, the .ldb file is created with
>>>> group read-only permissions (-rw-r-----) - which locks other users
>>>> out. There seems to be a mask applied, but I have no idea where is
>>>> it coming from. Both client machines are Windows 7 - I just can't
>>>> figure out the reason. It used to work fine before the Samba
>>>> upgrade. The wrong acl's for the .ldb file look like this:
>>>>
>>>> # file: praxis_be.ldb
>>>> # owner: HEBI\\user1
>>>> # group: HEBI\\domain\040users
>>>> user::rw-
>>>> user:root:rwx #effective:r--
>>>> group::rwx #effective:r--
>>>> group:HEBI\\domain\040users:rwx #effective:r--
>>>> group:HEBI\\domain\040computers:r-x #effective:r--
>>>> mask::r--
>>>> other::---
>>>>
>>>>
>>>> What I've tried:
>>>>
>>>> 1. I have set and reset the acl's on the Linux side for the share
>>>> and parent dir (the lock file is in the root of the network share) -
>>>> and made sure it doesn't have a mask:
>>>
>>> You should stop doing this, as it is a DC, you need to set the
>>> permissions from Windows, see here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> Thank you for the quick answer. I should have mentioned that I tried
>> that as well. Could you confirm if "inherit acls" and "create mask"
>> and "directory mask" should still apply to Samba in AD mode any more -
>> or not?
>>
>>
> Your share on the DC should only be this:
>
> [praxis]
> path = /srv/samba/praxis
> read only = No
>
> You shouldn't add anything else, it has always been this way on a DC.
Yes - that's what I read in the docs - and that's what I started with.
But that's when I don't get the expected ACL inheritance. I just trimmed
the share definition down again to the above, and when I created a dir,
the mask kicks in again:
# file: test3
# owner: root
# group: HEBI\\domain\040users
# flags: -s-
user::rwx
user:root:rwx #effective:r-x
user:3000017:r-x
group::rwx #effective:r-x
group:HEBI\\domain\040users:rwx #effective:r-x
group:HEBI\\domain\040computers:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:user:3000017:r-x
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---
Is the mask coming from the local Linux filesystem umask? If yes,
shouldn't the ACL's supersede it?
> I think it might help if you posted the global part of the smb.conf
Sure:
[global]
bind interfaces only = Yes
interfaces = lo eth1 tun0 tun1
netbios name = HEBI-SERVER
realm = HEBI.LAN
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
workgroup = HEBI
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
comment =
log file = /var/log/samba/%m.log
max log size = 1000
mangling method = hash2
mangle prefix = 6
reset on zero vc = yes
deadtime = 10
load printers = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
More information about the samba
mailing list