[Samba] POSIX ACLs are not inherited after upgrade - behaviour changed?
Rowland Penny
rpenny at samba.org
Mon Jul 4 16:31:32 UTC 2022
On Mon, 2022-07-04 at 18:02 +0200, Henry Jensen via samba wrote:
> On Mon, 04 Jul 2022 16:17:55 +0100,
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Mon, 2022-07-04 at 16:52 +0200, Henry Jensen via samba wrote:
> > > I have several Samba servers running as (Samba) AD Domain members on
> > > Devuan Ascii (= Debian 9) with Samba 4.5.x, using Posix ACLs
> >
> > The question has to be, why are you still running such an old distro?
> > No, I am not Devuan bashing, I am running Beowulf at the moment.
>
> Because Devuan Ascii was still supported until last week. Maybe I should
> have upgraded a long time ago, but that wouldn't have eliminated the
> problem, it would have just appeared earlier.
>
> > While you have posted portions of your smb.conf, they are not much use
> > without the '[global]' portion.
>
> OK, here is the complete thing
>
>
> [global]
> workgroup = MYDOM
> security = ADS
> realm = MYDOM.LAN
> # Default idmap config for local BUILTIN accounts and groups
> idmap config *:backend = tdb
> idmap config *:range = 80001-90000
>
> # idmap config for the MYDOM domain
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 500-80000
>
> # >Samba 4.6.0
> idmap config MYDOM:unix_nss_info = yes
>
> # < Samba 4.6.0
> # winbind nss info = rfc2307
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
> username map = /etc/samba/user.map
>
> log level = 3 passdb:3 auth:3
>
> Dos charset = 850
> unix charset = UTF-8
>
> vfs objects = recycle
> recycle: repository = .Papierkorb/%U
> recycle:directory_mode = 0777
> recycle:subdir_mode = 0770
> recycle: keeptree = Yes
> recycle: exclude = *.tmp, *.temp, *.log, *.ldb
> recycle: exclude_dir = tmp
> recycle:versions = Yes
>
> [myshare]
> path = /data/myshare
> public = no
> writeable = yes
> hide unreadable = yes
> create mask = 1660
> directory mask = 1770
> inherit owner = yes
> inherit permissions = yes
> inherit acls = yes
> acl group control = yes
>
>
> Now back to the question: ACLs were inherited in Samba <= 4.5.x without
> default ACLs, in Samba 4.9.x they aren't. Was this change in behaviour
> intended (and which item in the release notes did I miss)?

There were changes between 4.5.0 and 4.9.0, read 'man smb.conf' on
4.9.5, specifically the 'inherit owner' parameter. What is also
affecting things is that 'ea support' defaulted to 'no' on 4.5.x and
this was changed to 'yes' at 4.9.0. I think this is what is causing your
problem, if you can call it a 'problem', others will call it a feature :-D

Rowland
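
A pre-upgrade check that follows from the reply above, as an added example that is not part of the original message or of Samba: it reads an smb.conf and reports which of the parameters named in the reply ('ea support', 'inherit owner') are set explicitly for a share and which are left to the installed version's default. The watch list, the function names and the trimmed sample are assumptions of this example; it also lists values replaced by a later assignment of the same parameter within one section.

```python
import re

# Parameters the reply names as having changed between Samba 4.5.x and 4.9.x.
# Choosing these two as the watch list is an assumption of this example.
WATCHED = ("ea support", "inherit owner")

def norm(name):
    # smb.conf names are case-insensitive and whitespace in them is ignored.
    return re.sub(r"\s+", "", name).lower()

def parse(text):  # -> {section: {param: [values in file order]}}
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur.setdefault(norm(key), []).append(val.strip())
    return sections

def audit(text, share):
    conf = parse(text)
    glob, shr = conf.get("global", {}), conf.get(norm(share), {})
    report = {"explicit": {}, "version_default": [], "replaced": {}}
    for name in WATCHED:
        # Share value beats [global]; the last assignment in a section wins.
        vals = shr.get(norm(name)) or glob.get(norm(name))
        if vals:
            report["explicit"][name] = vals[-1]
        else:
            report["version_default"].append(name)
    for sec, params in (("global", glob), (share, shr)):
        for key, vals in params.items():
            if len(vals) > 1:
                report["replaced"][f"{sec}:{key}"] = vals[:-1]
    return report

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE = """[global]
vfs objects = acl_xattr
vfs objects = recycle
[myshare]
inherit owner = yes
inherit acls = yes"""
if __name__ == "__main__":
    print(audit(SAMPLE, "myshare"))
```

Anything listed under `version_default` takes whatever the installed Samba release ships as its default, so it is a candidate for pinning explicitly before an upgrade.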