[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
Sebastian Arcus
s.arcus at open-t.co.uk
Tue Jun 11 15:44:23 UTC 2019
On 11/06/19 14:54, Sebastian Arcus via samba wrote:
>
> On 11/06/19 13:29, Rowland penny via samba wrote:
>> On 11/06/2019 13:13, Sebastian Arcus via samba wrote:
>>>
>>> On 11/06/19 11:49, Rowland penny via samba wrote:
>>>> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>>>>
>>>>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>>>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>>>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago
>>>>>>> from 4.x (I'm afraid I'm not sure the exact earlier version) -
>>>>>>> and since then I just haven't managed to pin down the file
>>>>>>> permissions and inheritance on the shares as it's been constantly
>>>>>>> causing issues. This server is both a file server and a AD DC.
>>>>>>>
>>>>>>> The current problem I am facing is the permissions of the lock
>>>>>>> file generated by Microsoft Access (.ldb). The Access database is
>>>>>>> on the server share. When one Windows client opens it, the .ldb
>>>>>>> file is created with group write permission (-rw-rw----). But
>>>>>>> when it is opened from another Windows machine, the .ldb file is
>>>>>>> created with group read-only permissions (-rw-r-----) - which
>>>>>>> locks other users out. There seems to be a mask applied, but I
>>>>>>> have no idea where is it coming from. Both client machines are
>>>>>>> Windows 7 - I just can't figure out the reason. It used to work
>>>>>>> fine before the Samba upgrade. The wrong acl's for the .ldb file
>>>>>>> look like this:
>>>>>>>
>>>>>>> # file: praxis_be.ldb
>>>>>>> # owner: HEBI\\user1
>>>>>>> # group: HEBI\\domain\040users
>>>>>>> user::rw-
>>>>>>> user:root:rwx #effective:r--
>>>>>>> group::rwx #effective:r--
>>>>>>> group:HEBI\\domain\040users:rwx #effective:r--
>>>>>>> group:HEBI\\domain\040computers:r-x #effective:r--
>>>>>>> mask::r--
>>>>>>> other::---
>>>>>>>
>>>>>>>
>>>>>>> What I've tried:
>>>>>>>
>>>>>>> 1. I have set and reset the acl's on the Linux side for the share
>>>>>>> and parent dir (the lock file is in the root of the network
>>>>>>> share) - and made sure it doesn't have a mask:
>>>>>>
>>>>>> You should stop doing this, as it is a DC, you need to set the
>>>>>> permissions from Windows, see here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>>>>
>>>>>
>>>>> Thank you for the quick answer. I should have mentioned that I
>>>>> tried that as well. Could you confirm if "inherit acls" and "create
>>>>> mask" and "directory mask" should still apply to Samba in AD mode
>>>>> any more - or not?
>>>>>
>>>>>
>>>> Your share on the DC should only be this:
>>>>
>>>> [praxis]
>>>> path = /srv/samba/praxis
>>>> read only = No
>>>>
>>>> You shouldn't add anything else, it has always been this way on a DC.
>>>
>>> Yes - that's what I read in the docs - and that's what I started
>>> with. But that's when I don't get the expected ACL inheritance. I
>>> just trimmed the share definition down again to the above, and when I
>>> created a dir, the mask kicks in again:
>>>
>>> # file: test3
>>> # owner: root
>>> # group: HEBI\\domain\040users
>>> # flags: -s-
>>> user::rwx
>>> user:root:rwx #effective:r-x
>>> user:3000017:r-x
>>> group::rwx #effective:r-x
>>> group:HEBI\\domain\040users:rwx #effective:r-x
>>> group:HEBI\\domain\040computers:r-x
>>> mask::r-x
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:3000017:r-x
>>> default:group::rwx
>>> default:group:HEBI\\domain\040users:rwx
>>> default:group:HEBI\\domain\040computers:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>>
>>> Is the mask coming from the local Linux filesystem umask? If yes,
>>> shouldn't the ACL's supersede it?
>>>
>>>> I think it might help if you posted the global part of the smb.conf
>>>
>>> Sure:
>>>
>>>
>>> [global]
>>> bind interfaces only = Yes
>>> interfaces = lo eth1 tun0 tun1
>>> netbios name = HEBI-SERVER
>>> realm = HEBI.LAN
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbindd, ntp_signd, kcc, dnsupdate
>>> workgroup = HEBI
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>> comment =
>>>
>>> log file = /var/log/samba/%m.log
>>> max log size = 1000
>>>
>>> mangling method = hash2
>>> mangle prefix = 6
>>> reset on zero vc = yes
>>> deadtime = 10
>>>
>>>
>>> load printers = yes
>>> rpc_server:spoolss = external
>>> rpc_daemon:spoolssd = fork
>>>
>> Would it help if I told you that you are reading the wrong permissions ?
>
> That kind of helps, in the sense that I never realised that there are
> two sets of ACL's stored in two different places. I have just re-read
> for the n-th time the
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> and I'm still trying to get my head around it. I guess that means the
> real permissions (seen on the Windows side) are made up of Linux ACL's
> *plus* the extended attributes stored by Samba elsewhere?
>
> Also, it doesn't quite solve the problem, as the "Domain Users" still
> gets no permissions whatsoever when creating new dirs, in spite of the
> fact that the parent dir has full permissions for "Domain Users" (on the
> Windows side).
Ok - I might have at least a partial answer. Somehow the default mask in
Samba still seems to be obeyed - even in AD mode. It seems to lack by
default the 'write' bit - which gets removed from the permissions when
creating a new directory. Without any additional share settings in
smb.conf, a new subdirectory gets created with the following two sets of
permissions, no matter what I try:
"Domain users" - Traverse, Read attributes, Read extended attributes -
This folder only
"Domain users" - Full Control - Subfolders and files only
If I add the following settings in smb.conf for the share:
create mask = 0660
directory mask = 0770
Then finally the Windows permissions for a new subdirectory are as
expected - just one set for "Domain Users":
"Domain Users" - Full Control - This folder, subfolders and files
It seems the the Samba default umask limits the ACL permissions it
grants on the Windows side to new files and folders. Could this be a bug
- as it doesn't seem to be mentioned anywhere in the docs?
More information about the samba
mailing list