[Samba] ACL inheritance not working as expected.

Rowland penny rpenny at samba.org
Tue Jan 7 22:33:21 UTC 2020


On 07/01/2020 22:25, Carlos Jesus via samba wrote:
> Hello list!
> For some reason ACL inheritance is not working on my FS. Anytime anyone
> creates a folder/file under a share, the permissions are not inherited.
> My system is a 2DC + a FS running samba 4.10.10. Everything self compiled
> running on Debian Buster.
> Several shares were created according to
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> By adding the following lines to the [global] section I forced samba to
> inherit permissions, but I thought that this was deprecated and that map
> acl inherit was the only thing needed.
> inherit acls = yes
> inherit owner = yes
> inherit permissions = yes
>
> Any ideas?
>
> My smb.conf for the FS:
> [global]
>          security = ADS
>          workgroup = EUROHIDRA
>          realm = EUROHIDRA.LOCAL
>          netbios name = EHFS
>          interfaces = lo br0
>          bind interfaces only = yes
>          log file = /var/log/samba/%U.log
>          log level = 1
>          username map = /usr/local/samba/etc/user.map
>
>          local master = no
>          time server = no
>          wins support = no
>
>          idmap config EUROHIDRA : backend = ad
>          idmap config EUROHIDRA : range = 10000-999999
>          idmap config EUROHIDRA : schema_mode = rfc2307
>          idmap config EUROHIDRA : unix_nss_info = yes
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>
>          winbind use default domain = yes
> #       winbind enum groups = yes
> #       winbind enum users = yes
>          winbind nss info = template
>          template shell = /bin/bash
>          template homedir = /home/%U
>
>          vfs objects = acl_xattr
>          map acl inherit = yes
>
>          kerberos method = secrets and keytab
>          dedicated keytab file = /etc/krb5.keytab
>          winbind refresh tickets = Yes
>
> #only for ext4. remove for other FS's
>          strict allocate = yes
>
>          smbd profiling level 1
>          min receivefile size = 16384
>          use sendfile = yes
>          server min protocol = SMB2
>          write cache size = 65536
>
> #For 4 minutes to release lock (Outlook remember?)
> socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
>
>          load printers = no
>          printcap name = /dev/null
>
> [Tecnico]
>          comment = Departamento Tecnico
>          writeable = yes
>          path = /mnt/disco2/Users/Tecnico
>          vfs objects = full_audit
>          full_audit:prefix = %u|%I
>          full_audit:failure = none
>          full_audit:success = mkdir rmdir pread pwrite unlink sendfile rename op$
>          full_audit:facility = LOCAL5
>          full_audit:priority = NOTICE

You have turned off ACLs on 'Tecnico' by adding 'vfs objects = 
full_audit' to the share, remove it and add 'full_audit' to the 'vfs 
objects' line in global, or add 'acl_xattr' to the 'vfs objects' line in 
the share.

Rowland
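
The following check is an added example, not part of the original messages or of Samba itself. It flags shares whose own 'vfs objects' line replaces the [global] list and drops a module set there, which is the situation described in the reply above. The function names and the [Fixed] share are hypothetical, the sample config is constructed from the one in the post, and 'include', 'copy' and backslash line continuations are not handled.

```python
import re

# Constructed sample: cut down from the smb.conf in the post, plus a hypothetical [Fixed] share.
SAMPLE = """\
[global]
        vfs objects = acl_xattr
        map acl inherit = yes

[Tecnico]
        path = /mnt/disco2/Users/Tecnico
        vfs objects = full_audit

[Fixed]
        path = /srv/fixed
        vfs objects = acl_xattr full_audit
"""

def parse_sections(text):
    """Return {section: {param: value}}; parameter names are compared without case or whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            name = m.group(1).strip()
            current = sections.setdefault("global" if name.lower() == "global" else name, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def dropped_global_vfs(text):
    """Map each share to the [global] VFS modules that its own 'vfs objects' line leaves out."""
    sections = parse_sections(text)
    modules = lambda v: [x for x in re.split(r"[,\s]+", v) if x]
    global_vfs = modules(sections.get("global", {}).get("vfsobjects", ""))
    dropped = {}
    for name, params in sections.items():
        if name == "global" or "vfsobjects" not in params:
            continue                             # no override: the share keeps the global list
        lost = [m for m in global_vfs if m not in modules(params["vfsobjects"])]
        if lost:
            dropped[name] = lost
    return dropped
```

Running dropped_global_vfs() over the real smb.conf text lists every share that needs 'acl_xattr' added back to its own 'vfs objects' line.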




