[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade

Rowland penny rpenny at samba.org
Tue Jun 11 12:29:22 UTC 2019


On 11/06/2019 13:13, Sebastian Arcus via samba wrote:
>
> On 11/06/19 11:49, Rowland penny via samba wrote:
>> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>>
>>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago 
>>>>> from 4.x (I'm afraid I'm not sure the exact earlier version) - and 
>>>>> since then I just haven't managed to pin down the file permissions 
>>>>> and inheritance on the shares as it's been constantly causing 
>>>>> issues. This server is both a file server and an AD DC.
>>>>>
>>>>> The current problem I am facing is the permissions of the lock 
>>>>> file generated by Microsoft Access (.ldb). The Access database is 
>>>>> on the server share. When one Windows client opens it, the .ldb 
>>>>> file is created with group write permission (-rw-rw----). But when 
>>>>> it is opened from another Windows machine, the .ldb file is 
>>>>> created with group read-only permissions (-rw-r-----) - which 
>>>>> locks other users out. There seems to be a mask applied, but I 
>>>>> have no idea where it is coming from. Both client machines are 
>>>>> Windows 7 - I just can't figure out the reason. It used to work 
>>>>> fine before the Samba upgrade. The wrong ACLs for the .ldb file 
>>>>> look like this:
>>>>>
>>>>> # file: praxis_be.ldb
>>>>> # owner: HEBI\\user1
>>>>> # group: HEBI\\domain\040users
>>>>> user::rw-
>>>>> user:root:rwx            #effective:r--
>>>>> group::rwx            #effective:r--
>>>>> group:HEBI\\domain\040users:rwx    #effective:r--
>>>>> group:HEBI\\domain\040computers:r-x    #effective:r--
>>>>> mask::r--
>>>>> other::---
>>>>>
>>>>>
>>>>> What I've tried:
>>>>>
>>>>> 1. I have set and reset the ACLs on the Linux side for the share 
>>>>> and parent dir (the lock file is in the root of the network share) 
>>>>> - and made sure it doesn't have a mask:
>>>>
>>>> You should stop doing this; as it is a DC, you need to set the 
>>>> permissions from Windows. See here:
>>>>
>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> Thank you for the quick answer. I should have mentioned that I tried 
>>> that as well. Could you confirm if "inherit acls" and "create mask" 
>>> and "directory mask" should still apply to Samba in AD mode any more 
>>> - or not?
>>>
>>>
>> Your share on the DC should only be this:
>>
>> [praxis]
>> path = /srv/samba/praxis
>> read only = No
>>
>> You shouldn't add anything else, it has always been this way on a DC.
>
> Yes - that's what I read in the docs - and that's what I started with. 
> But that's when I don't get the expected ACL inheritance. I just 
> trimmed the share definition down again to the above, and when I 
> created a dir, the mask kicks in again:
>
> # file: test3
> # owner: root
> # group: HEBI\\domain\040users
> # flags: -s-
> user::rwx
> user:root:rwx            #effective:r-x
> user:3000017:r-x
> group::rwx            #effective:r-x
> group:HEBI\\domain\040users:rwx    #effective:r-x
> group:HEBI\\domain\040computers:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000017:r-x
> default:group::rwx
> default:group:HEBI\\domain\040users:rwx
> default:group:HEBI\\domain\040computers:r-x
> default:mask::rwx
> default:other::---
>
>
> Is the mask coming from the local Linux filesystem umask? If yes, 
> shouldn't the ACLs supersede it?
>
>> I think it might help if you posted the global part of the smb.conf
>
> Sure:
>
>
> [global]
> bind interfaces only = Yes
> interfaces = lo eth1 tun0 tun1
> netbios name = HEBI-SERVER
> realm = HEBI.LAN
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = HEBI
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> comment =
>
> log file = /var/log/samba/%m.log
> max log size = 1000
>
> mangling method = hash2
> mangle prefix = 6
> reset on zero vc = yes
> deadtime = 10
>
>
> load printers = yes
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
>
Would it help if I told you that you are reading the wrong permissions?

They are stored in an extended attr:

root@dc4:~# getfattr -n security.NTACL -d /srv/samba/Demo/
getfattr: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAScZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P/QBAAABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAgCMAAUAAAAACxQAqQASAAEBAAAAAAABAAAAAAALFAD/AR8AAQEAAAAAAAMAAAAAAAsUAKkAEgABAQAAAAAAAwEAAAAAAyQAvwESAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5PwECAAAAAyQA/wEfAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAA=

Not very readable, but:

root@dc4:~# samba-tool ntacl get /srv/samba/Demo --as-sddl
O:LAG:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;0x001f01ff;;;LA)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

Rowland
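To make the `--as-sddl` output above readable, here is an added Python decoder (example code written for this note, not part of Samba or of the thread). It parses the SDDL string from Rowland's post, copied verbatim; the SID abbreviations, ACE flag names and access-mask bit names are the standard SDDL ones trimmed to what that string uses, and allowed_on_object is a simplified allow-only evaluation that ignores deny ACEs and ACE ordering.

```python
import re
WELL_KNOWN_SIDS = {"LA": "Local Administrator", "WD": "Everyone", "CO": "Creator Owner", "CG": "Creator Group"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
RIGHT_BITS = {0x1: "READ_DATA", 0x2: "WRITE_DATA", 0x4: "APPEND_DATA", 0x8: "READ_EA",
              0x10: "WRITE_EA", 0x20: "EXECUTE", 0x40: "DELETE_CHILD", 0x80: "READ_ATTR",
              0x100: "WRITE_ATTR", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

# The `samba-tool ntacl get --as-sddl` output quoted in the post above
SAMPLE_SDDL = ("O:LAG:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;OICI;0x001f01ff;;;LA)"
               "(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
               "(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)"
               "(A;;0x001f01ff;;;LA)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)")

def parse_rights(field):
    """Rights field -> access mask: a hex literal, a run of aliases, or empty."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):      # "FRFX" -> FR | FX
        mask |= RIGHT_ALIASES[field[i:i + 2]]
    return mask                            # "" -> 0, as in (A;;;;;WD)

def parse_sddl(sddl):
    """Split O:owner G:group D:(ace)(ace)... into decoded owner, group and ACEs."""
    m = re.fullmatch(r"O:(\S+?)G:(\S+?)D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("expected an SDDL string with owner, group and DACL")
    owner, group, dacl = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        mask = parse_rights(rights)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "flags": [ACE_FLAGS[flags[i:i + 2]] for i in range(0, len(flags), 2)],
                     "mask": mask, "rights": [n for b, n in RIGHT_BITS.items() if mask & b],
                     "trustee": WELL_KNOWN_SIDS.get(sid, sid)})
    return {"owner": WELL_KNOWN_SIDS.get(owner, owner),
            "group": WELL_KNOWN_SIDS.get(group, group), "aces": aces}

def allowed_on_object(parsed, trustee):
    """Union of ALLOW masks that apply to the object itself (inherit-only ACEs affect children only)."""
    mask = 0
    for ace in parsed["aces"]:
        if ace["type"] == "ALLOW" and ace["trustee"] == trustee and "INHERIT_ONLY" not in ace["flags"]:
            mask |= ace["mask"]
    return mask
```

Run against the sample, the decoder shows why Everyone has no rights on the Demo directory itself ((A;;;;;WD) carries an empty mask) while children still inherit read-and-execute from the OICIIO entry, which the POSIX ACL view cannot express.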