[Samba] POSIX ACLs are not inherited after upgrade - behaviour changed?

Rowland Penny rpenny at samba.org
Mon Jul 4 16:31:32 UTC 2022


On Mon, 2022-07-04 at 18:02 +0200, Henry Jensen via samba wrote:
> Am Mon, 04 Jul 2022 16:17:55 +0100
> schrieb Rowland Penny via samba <samba at lists.samba.org>:
> 
> > On Mon, 2022-07-04 at 16:52 +0200, Henry Jensen via samba wrote:
> > > I have several Samba servers running as (Samba) AD Domain members on
> > > Devuan Ascii (= Debian 9) with Samba 4.5.x, using Posix ACLs
> > 
> > The question has to be, why are you still running such an old distro?
> > No, I am not Devuan bashing, I am running Beowulf at the moment.
> 
> Because Devuan Ascii was still supported until last week. Maybe I should have
> upgraded a long time ago, but that wouldn't have eliminated the problem, it
> would have just appeared earlier.
> 
> > While you have posted portions of your smb.conf, they are not much use
> > without the '[global]' portion.
> 
> OK, here is the complete thing
> 
> 
> [global]
>    workgroup = MYDOM
>    security = ADS
>    realm = MYDOM.LAN
>    # Default idmap config for local BUILTIN accounts and groups
>    idmap config *:backend = tdb 
>    idmap config *:range = 80001-90000
> 
>    # idmap config for the MYDOM domain
>    idmap config MYDOM:backend = ad
>    idmap config MYDOM:schema_mode = rfc2307
>    idmap config MYDOM:range = 500-80000
> 
>    # >Samba 4.6.0
>    idmap config MYDOM:unix_nss_info = yes 
> 
>    # < Samba 4.6.0
>    # winbind nss info = rfc2307 
> 
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> 
>    winbind use default domain = yes 
> 
>    winbind enum users = yes
>    winbind enum groups = yes
>    username map = /etc/samba/user.map
> 
>    log level = 3 passdb:3 auth:3
> 
>    Dos charset = 850
>    unix charset = UTF-8
> 
>    vfs objects = recycle
>    recycle: repository = .Papierkorb/%U
>    recycle:directory_mode = 0777
>    recycle:subdir_mode = 0770
>    recycle: keeptree = Yes
>    recycle: exclude = *.tmp, *.temp, *.log, *.ldb
>    recycle: exclude_dir = tmp
>    recycle:versions = Yes
> 
> [myshare]
> path = /data/myshare
> public = no
> writeable = yes
> hide unreadable = yes
> create mask = 1660
> directory mask = 1770
> inherit owner = yes
> inherit permissions = yes
> inherit acls = yes
> acl group control = yes
> 
> 
> Now back to the question: ACLs were inherited in Samba <= 4.5.x without
> default ACLs, in Samba 4.9.x they aren't. Was this change in behaviour
> intended (and which item in the release notes did I miss)?

There were changes between 4.5.0 and 4.9.0, read 'man smb.conf' on
4.9.5, specifically the 'inherit owner' parameter. What is also
affecting things is that 'ea support' defaulted to 'no' on 4.5.x and
this was changed to 'yes' at 4.9.0. I think this is what is causing your
problem, if you can call it a 'problem', others will call it a feature
:-D

Rowland
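
An added example, not part of the original thread or of Samba: a small smb.conf audit that reports which of the ACL-related parameters discussed above are set explicitly, which are left to the version default (as 'ea support' is here), and which are assigned more than once in a section, where smbd keeps only the last assignment. The parameter list, function names and abridged sample are assumptions made for illustration; backslash line continuations are not handled.

```python
import re

# Parameters named in the thread that affect ACL storage and inheritance.
ACL_PARAMS = ["vfs objects", "map acl inherit", "store dos attributes",
              "ea support", "inherit owner", "inherit permissions", "inherit acls"]

# Constructed sample: abridged from the configuration quoted in the thread.
SAMPLE = """\
[global]
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   vfs objects = recycle
[myshare]
   inherit owner = yes
   inherit permissions = yes
   inherit acls = yes
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def audit(text):
    """Return (sections, overrides, unset) for an smb.conf given as text."""
    sections, overrides, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = norm(key)
        if key in current and current[key] != value:
            overrides.append((key, current[key], value))
        current[key] = value              # the later assignment wins
    unset = [p for p in ACL_PARAMS
             if not any(norm(p) in s for s in sections.values())]
    return sections, overrides, unset

if __name__ == "__main__":
    sections, overrides, unset = audit(SAMPLE)
    for key, old, new in overrides:
        print(f"{key}: '{old}' is replaced by '{new}'")
    print("left to the version default:", ", ".join(unset))
```

Running `testparm -sv` on the server shows the values smbd actually uses, defaults included, and is the authoritative check.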




