[Samba] AD Member Server and 'vfs objects recycle' permission problems
Christoph Fuhs
Fuhs at tak.de
Wed Oct 23 08:55:48 UTC 2019
Hi,

On our Samba 4 domain member server we use the VFS objects module 'recycle'.
Unfortunately we ran into a strange permission problem with deleted folders.

The newly created folders in the recycle folder have the wrong permissions.
The deleted file(s) themselves have the correct group (rw) permissions.

The share's correct permissions:
getfacl Papierkorb/
# file: Papierkorb/
# owner: root
# group: somedom\\domain\040users
user::rwx
user:root:rwx
group::rwx
group:somedom\\domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:somedom\\domain\040users:rwx
default:mask::rwx
default:other::---
The subfolder that the VFS module created in the recycle share:
/srv/www/htdocs/Papierkorb # ll
insgesamt 0
drwxr-x---+ 1 somedom\fuhs somedom\domain users 16 22. Okt 11:39 deleteme
getfacl deleteme/
# file: deleteme/
# owner: somedom\\fuhs
# group: somedom\\domain\040users
user::rwx
user:root:rwx #effective:r-x
group::---
group:somedom\\domain\040users:rwx #effective:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:somedom\\domain\040users:rwx
default:mask::rwx
default:other::---
The problem here is the 'mask::r-x'. This steals the 'w' flag from
default:group:somedom\\domain\040users:rwx
Therefore a new deleted file from another user of the group Domain Users
can't be created in the recycle share.

Every attempt to manipulate the mask with recycle:directory_mode = 0777 and
recycle:subdir_mode = 0777 has had no effect.
We tried different inherit settings:
inherit acls = Yes
inherit owner = Yes
inherit permissions = Yes
Samba Version: 4.9.5-git.187.71edee57d5alp151.2.6.1-SUSE-oS15.0-x86_64
smb.conf

[global]
    security = ADS
    workgroup = somedom
    realm = somedom.NET
    usershare path =
    idmap config * : backend = tdb
    idmap config * : range = 100000-999999
    idmap config somedom:backend = ad
    idmap config somedom:schema_mode = rfc2307
    idmap config somedom:range = 500-99999
    idmap config somedom:unix_nss_info = yes
    map acl inherit = yes
    store dos attributes = yes
    # Template settings for login shell and home directory
    template shell = /bin/bash
    username map = /etc/samba/user.map
    winbind enum users = yes
    winbind enum groups = yes
    acl allow execute always = True
    # disable cups
    printing = bsd
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes
    show add printer wizard = no
    log level = 1

[test]
    vfs objects = acl_xattr recycle
    comment = Test share
    path = /srv/www/htdocs/testshare
    read only = No
    # audit and recycle bin
    recycle:repository = /srv/www/htdocs/Papierkorb
    recycle:keeptree = Yes
    recycle:subdir_mode = 0777
    recycle:directory_mode = 0777
    # test with 2777
    #recycle:subdir_mode = 2777
    #recycle:directory_mode = 2777

[Papierkorb]
    vfs objects = acl_xattr
    comment = Papierkorb Serververzeichnisse
    path = /srv/www/htdocs/Papierkorb
    guest ok = No
    read only = No
    browsable = Yes
Any help would be appreciated.
Chris
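As an added illustration (not part of the original post, and not Samba's code), the following Python models the POSIX.1e rule described in acl(5) by which a directory's default ACL and the mode passed to mkdir() combine into the new subdirectory's access ACL: the default entries become the access entries, user:: is ANDed with the owner bits of the mode, mask:: with the group bits, other:: with the other bits, named entries are copied unchanged, and the umask is not consulted. The input is the Papierkorb default ACL quoted in the post; the creation modes it tries are assumptions. With group bits r-x (mode 0755) it reproduces the mask::r-x and '#effective:r-x' lines shown for 'deleteme' exactly; with 0777 the mask stays rwx. Because the inherited mask is the default mask ANDed with the creation mode's group bits, a mask of r-x on a freshly created directory is the signature of a creation mode whose group bits were r-x, whatever the default mask says.

```python
"""Model of POSIX.1e default-ACL inheritance (acl(5), "Object creation and
default ACLs").  Added illustration for the mailing-list post above; it is
not Samba code.  The sample ACL is the 'Papierkorb' default ACL from the post;
the creation modes tried in main() are assumptions."""

from dataclasses import dataclass

# The default ACL of /srv/www/htdocs/Papierkorb, copied from the getfacl
# output in the post (getfacl escapes '\' as '\\' and space as '\040').
PAPIERKORB_DEFAULT_ACL = r"""
default:user::rwx
default:user:root:rwx
default:group::---
default:group:somedom\\domain\040users:rwx
default:mask::rwx
default:other::---
"""
DOMAIN_USERS = r"somedom\\domain\040users"

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(bit for ch, bit in PERM_BITS.items() if ch in perm)


def bits_to_perm(bits: int) -> str:
    return "".join(ch if bits & bit else "-" for ch, bit in PERM_BITS.items())


@dataclass
class Entry:
    tag: str        # user, group, mask or other
    qualifier: str  # empty for user::, group::, mask:: and other::
    perms: int


def parse_default_acl(text: str) -> list[Entry]:
    """Parse the 'default:' lines of getfacl output into entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("default:"):
            continue
        head, perm = line.rsplit(":", 1)
        _scope, tag, qualifier = head.split(":", 2)
        entries.append(Entry(tag, qualifier, perm_to_bits(perm)))
    return entries


def inherit_acl(default_acl: list[Entry], mode: int) -> list[Entry]:
    """Access ACL of a new object created with `mode` inside a directory
    carrying `default_acl`.  Per acl(5): the default ACL becomes the access
    ACL; user:: is ANDed with the owner bits of mode, mask:: (or group:: when
    there is no mask) with the group bits, other:: with the other bits; named
    entries are copied unchanged.  The umask is not applied at all."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(e.tag == "mask" for e in default_acl)
    result = []
    for e in default_acl:
        p = e.perms
        if e.tag == "user" and not e.qualifier:
            p &= owner_bits
        elif e.tag == "mask":
            p &= group_bits
        elif e.tag == "group" and not e.qualifier and not has_mask:
            p &= group_bits
        elif e.tag == "other":
            p &= other_bits
        result.append(Entry(e.tag, e.qualifier, p))
    return result


def effective_perms(acl: list[Entry]) -> dict[str, str]:
    """'tag:qualifier' -> permissions actually granted.  Named users, the
    owning group and named groups are limited by mask::, which is what
    getfacl reports as '#effective:'."""
    mask = next((e.perms for e in acl if e.tag == "mask"), 7)
    out = {}
    for e in acl:
        limited = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        out[f"{e.tag}:{e.qualifier}"] = bits_to_perm(e.perms & mask if limited else e.perms)
    return out


def effective_for_mode(mode: int, default_acl_text: str = PAPIERKORB_DEFAULT_ACL) -> dict[str, str]:
    """Effective permissions of a subdirectory created with `mode` under the
    Papierkorb share."""
    return effective_perms(inherit_acl(parse_default_acl(default_acl_text), mode))


def main() -> None:
    # Assumed creation modes: 0755 reproduces the post's 'deleteme' output,
    # 0777 is what a 0777 creation mode would yield under this default ACL.
    for mode in (0o755, 0o777):
        eff = effective_for_mode(mode)
        print(f"mkdir mode {mode:04o}: mask::{eff['mask:']}  "
              f"group:{DOMAIN_USERS} effective {eff['group:' + DOMAIN_USERS]}")


if __name__ == "__main__":
    main()
```

An already-created recycle subfolder can be repaired in place with `setfacl -m mask::rwx <dir>` (re-check with `getfacl`), but that only fixes that one directory; the next mkdir will inherit the same way, so the mode the directory is created with is what determines the resulting mask.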