[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
Sebastian Arcus
s.arcus at open-t.co.uk
Tue Jun 11 13:54:06 UTC 2019
On 11/06/19 13:29, Rowland penny via samba wrote:
> On 11/06/2019 13:13, Sebastian Arcus via samba wrote:
>>
>> On 11/06/19 11:49, Rowland penny via samba wrote:
>>> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>>>
>>>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago
>>>>>> from 4.x (I'm afraid I'm not sure the exact earlier version) - and
>>>>>> since then I just haven't managed to pin down the file permissions
>>>>>> and inheritance on the shares as it's been constantly causing
>>>>>> issues. This server is both a file server and a AD DC.
>>>>>>
>>>>>> The current problem I am facing is the permissions of the lock
>>>>>> file generated by Microsoft Access (.ldb). The Access database is
>>>>>> on the server share. When one Windows client opens it, the .ldb
>>>>>> file is created with group write permission (-rw-rw----). But when
>>>>>> it is opened from another Windows machine, the .ldb file is
>>>>>> created with group read-only permissions (-rw-r-----) - which
>>>>>> locks other users out. There seems to be a mask applied, but I
>>>>>> have no idea where is it coming from. Both client machines are
>>>>>> Windows 7 - I just can't figure out the reason. It used to work
>>>>>> fine before the Samba upgrade. The wrong acl's for the .ldb file
>>>>>> look like this:
>>>>>>
>>>>>> # file: praxis_be.ldb
>>>>>> # owner: HEBI\\user1
>>>>>> # group: HEBI\\domain\040users
>>>>>> user::rw-
>>>>>> user:root:rwx #effective:r--
>>>>>> group::rwx #effective:r--
>>>>>> group:HEBI\\domain\040users:rwx #effective:r--
>>>>>> group:HEBI\\domain\040computers:r-x #effective:r--
>>>>>> mask::r--
>>>>>> other::---
>>>>>>
>>>>>>
>>>>>> What I've tried:
>>>>>>
>>>>>> 1. I have set and reset the acl's on the Linux side for the share
>>>>>> and parent dir (the lock file is in the root of the network share)
>>>>>> - and made sure it doesn't have a mask:
>>>>>
>>>>> You should stop doing this, as it is a DC, you need to set the
>>>>> permissions from Windows, see here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>>
>>>> Thank you for the quick answer. I should have mentioned that I tried
>>>> that as well. Could you confirm if "inherit acls" and "create mask"
>>>> and "directory mask" should still apply to Samba in AD mode any more
>>>> - or not?
>>>>
>>>>
>>> Your share on the DC should only be this:
>>>
>>> [praxis]
>>> path = /srv/samba/praxis
>>> read only = No
>>>
>>> You shouldn't add anything else, it has always been this way on a DC.
>>
>> Yes - that's what I read in the docs - and that's what I started with.
>> But that's when I don't get the expected ACL inheritance. I just
>> trimmed the share definition down again to the above, and when I
>> created a dir, the mask kicks in again:
>>
>> # file: test3
>> # owner: root
>> # group: HEBI\\domain\040users
>> # flags: -s-
>> user::rwx
>> user:root:rwx #effective:r-x
>> user:3000017:r-x
>> group::rwx #effective:r-x
>> group:HEBI\\domain\040users:rwx #effective:r-x
>> group:HEBI\\domain\040computers:r-x
>> mask::r-x
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000017:r-x
>> default:group::rwx
>> default:group:HEBI\\domain\040users:rwx
>> default:group:HEBI\\domain\040computers:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> Is the mask coming from the local Linux filesystem umask? If yes,
>> shouldn't the ACL's supersede it?
>>
>>> I think it might help if you posted the global part of the smb.conf
>>
>> Sure:
>>
>>
>> [global]
>> bind interfaces only = Yes
>> interfaces = lo eth1 tun0 tun1
>> netbios name = HEBI-SERVER
>> realm = HEBI.LAN
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = HEBI
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> comment =
>>
>> log file = /var/log/samba/%m.log
>> max log size = 1000
>>
>> mangling method = hash2
>> mangle prefix = 6
>> reset on zero vc = yes
>> deadtime = 10
>>
>>
>> load printers = yes
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>>
> Would it help if I told you that you are reading the wrong permissions ?
That kind of helps, in the sense that I never realised that there are
two sets of ACL's stored in two different places. I have just re-read
for the n-th time the
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
and I'm still trying to get my head around it. I guess that means the
real permissions (seen on the Windows side) are made up of Linux ACL's
*plus* the extended attributes stored by Samba elsewhere?
Also, it doesn't quite solve the problem, as the "Domain Users" still
gets no permissions whatsoever when creating new dirs, in spite of the
fact that the parent dir has full permissions for "Domain Users" (on the
Windows side).
More information about the samba
mailing list