[Samba] Cannot delete (empty) folder from Mac client

Andrea Venturoli ml at netfence.it
Sat Nov 21 10:48:45 UTC 2020


Hello.

A Mac client of mine has a problem deleting an empty folder from the 
root of a Samba 4.12 server share, reporting a permission issue; 
however, the more I look at it, the more I am convinced it should be 
able to delete it.

smb.conf:
> [global]
>         workgroup=XXXXXXXX
>         realm=XXXXXXXX.local
>         interfaces=em0
>         hosts allow=192.168.XXX. 10.0.XXX.2 10.1.XXX. 10.2.XXX.
>         security=ADS
>         map archive=No
>         kerberos method = secrets and keytab
>         idmap config *:backend = tdb
>         idmap config *:range = 100000-999999
>         idmap config XXXXXXXX:backend=rid
>         idmap config XXXXXXXX:range = 10000-99999
>         template homedir = /home/%U
>         winbind use default domain = yes
>         winbind refresh tickets = Yes
>         winbind expand groups = 4
>         winbind normalize names = Yes
>         domain master = no
>         local master = no
>         map acl inherit = Yes
>         store dos attributes = Yes
>         unix extensions=no
>         vfs objects=audit
>         audit:facility=LOCAL7
>         audit:priority=INFO
> ...
> [myshare]
>         path=/shares/myshare
>         writeable=yes
>         follow symlinks=no
>         force create mode=660
>         force directory mode=770
>         valid users=user1,user2





On the server:

> # ls -l /shares/
> drwxrwx---  50 root      domain_users  3072 Nov 19 15:10 myshare

> # ls -l /shares/myshare
> -rwxrwx---   1 root      domain_users      4096 Mar 14  2017 ._mydir.doc
> drwxrwx---   2 root      domain_users       512 Nov 19 10:51 mydir.doc

> # ls -l /shares/myshare/mydir.doc
> total 0

(Notice no ACLs are set)





On the client:

> $ ls -le /Volumes/
> drwx------+ 1 user2  XXXXXXXX\Domain Users  16384 Nov 19 15:10 myshare
>  0: AAAABBBB-CCCC-DDDD-EEEE-FFFF82000000 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
>  1: group:XXXXXXXX\Domain Users allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
>  2: group:everyone allow 

> $ ls -le /Volumes/myshare

> drwx------@ 1 user2  XXXXXXXX\Domain Users     16384 Nov 19 10:51 mydir.doc
>  0: AAAABBBB-CCCC-DDDD-EEEE-FFFF82000000 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
>  1: group:XXXXXXXX\Domain Users allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
>  2: group:everyone allow

> $ groups user2
> XXXXXXXX\Domain Users everyone netaccounts XXXXXXXX\xxxxxxxxx XXXXXXXX\xxxxxx XXXXXXXXX\Utenti Terminal com.apple.sharepoint.group.1

Yet:
> $ rmdir /Volumes/myshare/mydir
> rmdir: /Volumes/myshare/mydir/: Operation not permitted




Recapping:
_ I've got share level access ("valid users") set in smb.conf;
_ server side, the filesystem permissions should allow deleting that 
directory (since user2 is in domain_users group);
_ client side, the file seems to be owned by the user mounting the share 
(instead of root);  UNIX permissions are translated into ACLs, but, 
again, these should allow her to delete that directory.




Notice she is able to delete files and directories in general from that 
share.
I.e. if I create a similar directory on the server, with the same 
permissions, she is able to delete it.
Samba has been restarted and all clients rebooted since the problem arose.

I must be failing to see something or understanding something wrong.
Any hint?


  bye & Thanks
	av.

P.S.
I know the consensus is I should run vfs_fruit, but last time I tried 
enabling it, mayhem broke out.


