[Samba] permissions weirdness

Greg Sloop <gregs@sloop.net>
Thu Mar 24 20:01:20 UTC 2022


So, I'm baffled.
Here's what I've got - hopefully I haven't forgotten anything.

testparm output
---
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

[global]
        min domain uid = 0
        realm = AD.ABC.LOCAL
        security = ADS
        server role = member server
        server string = FileServer
        username map = /etc/samba/user.map
        workgroup = AD
        acl_xattr:ignore system acls = yes
        idmap config ad : range = 10000-999999
        idmap config ad : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr


[shared-files]
        comment = user-profiles
        path = /abc-zfs-01/ad-shared-folders/shared-files/
        read only = No
        acl_xattr:ignore system acls = yes


---
I have removed all the system.NTACL files. (Though I never saw any of
these, anyway.)

Set initial POSIX perms
setfacl --recursive --remove-all folder
chown -R root:"AD\Domain Admins" folder
chmod -R 0775 folder

In the "shared-files" share - I have a base-folder.

Then I have an IT folder.

In the IT folder I grant AD\GS full control.

(Using the Windows file explorer. Right-click folder, Properties | Security
tab | Advanced | Permissions tab;
Add, select principal AD\GS, Allow, This folder, subfolders and files,
full control, OK. Inheritance is disabled. "Replace all child
objects..." checked.
The share permissions are: everyone, full control.)

(AD\GS is a user account; though I started with a group which GS was a
member of, with the same results)

On a Windows AD joined station, I logout and login as GS.
I can go into the IT folder.
I can edit a text file, created by the administrator account.
I can delete that file.
But I *can't* create a new file or directory?

But I *can* open permissions and add another group/user with full
permissions to the IT folder. !?!
---

Wha?
How can this be?
I'm about to douse myself with gasoline and light up!

Permissions are totally wonky.
I've done this before on other setups, and I've never had this happen.

Addl Deets:
Ubuntu 20.04, running 4.15.6 (Louis' repo)
The disks where the shares reside are ZFS, though I don't think this
matters.
DNS works.
getent returns users and groups fine.
Time is synced.

I'm completely at a loss for what's going on.
Anyone?
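The ACL the Windows dialog shows and the descriptor Samba actually stored in the xattr can be read back independently: `samba-tool ntacl get <path> --as-sddl` prints the stored security descriptor as SDDL. The decoder below is an example added here and is not code from the original post or from Samba. It parses the `D:` (DACL) component, walks the ACEs the way Windows evaluates access on the directory itself (deny-before-allow order honoured, inherit-only ACEs skipped because they apply only to children), and reports whether a given set of SIDs holds FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY, the two bits behind "create a new file or directory". It goes beyond the single case in the post by also handling hex masks, generic rights and deny ACEs. The domain SID, the RID used for GS and all SDDL strings are constructed samples, not the poster's real ACLs.

```python
"""Decode the SDDL printed by `samba-tool ntacl get <path> --as-sddl` and check,
for a set of SIDs, whether the DACL grants FILE_ADD_FILE / FILE_ADD_SUBDIRECTORY
on the directory itself. Added example for this thread, not code from the
original post or from Samba; every SID and SDDL string here is a constructed sample."""
import re

# Access-mask bits for files/directories (MS-DTYP / winnt.h).
FILE_ADD_FILE = 0x0002          # FILE_WRITE_DATA on a file
FILE_ADD_SUBDIRECTORY = 0x0004  # FILE_APPEND_DATA on a file
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000
FILE_ALL_ACCESS = 0x001F01FF    # what SDDL "FA" / "Full control" expands to
GENERIC_ALL, GENERIC_EXECUTE, GENERIC_WRITE, GENERIC_READ = (
    0x10000000, 0x20000000, 0x40000000, 0x80000000)

# SDDL two-letter rights tokens -> mask; hex masks like 0x001f01ff are accepted too.
SDDL_RIGHTS = {
    "GA": GENERIC_ALL, "GR": GENERIC_READ, "GW": GENERIC_WRITE, "GX": GENERIC_EXECUTE,
    "FA": FILE_ALL_ACCESS, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": DELETE, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# GENERIC_* bits stand for these concrete file rights once applied to a file or directory.
GENERIC_MAP = {GENERIC_READ: 0x00120089, GENERIC_WRITE: 0x00120116,
               GENERIC_EXECUTE: 0x001200A0, GENERIC_ALL: FILE_ALL_ACCESS}
# A few SDDL well-known SID abbreviations.
WELL_KNOWN = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "WD": "S-1-1-0",
              "AU": "S-1-5-11", "CO": "S-1-3-0", "CG": "S-1-3-1"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(rights):
    """Turn the rights field of an ACE (hex or SDDL tokens) into an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        tok = rights[i:i + 2]
        if tok not in SDDL_RIGHTS:
            raise ValueError("unknown SDDL right %r" % tok)
        mask |= SDDL_RIGHTS[tok]
    return mask


def file_mask(mask):
    """Replace GENERIC_* bits by the file-specific rights they stand for."""
    out = mask & 0x0FFFFFFF
    for generic, concrete in GENERIC_MAP.items():
        if mask & generic:
            out |= concrete
    return out


def parse_sddl_dacl(sddl):
    """Return (dacl_flags, aces) from the D: component of an SDDL string.
    Each ACE is a dict: type ('A' allow / 'D' deny), flags (set of two-letter
    tokens such as OI, CI, IO, ID), mask (int) and sid (str)."""
    m = re.search(r"D:([PAIR]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component in SDDL string")
    aces = []
    for ace in ACE_RE.findall(m.group(2)):
        parts = ace.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE (%s)" % ace)
        ace_type, flag_str, rights, _obj, _inh_obj, sid = parts
        aces.append({"type": ace_type,
                     "flags": {flag_str[i:i + 2] for i in range(0, len(flag_str), 2)},
                     "mask": parse_rights(rights),
                     "sid": WELL_KNOWN.get(sid, sid)})
    return m.group(1), aces


def effective_rights(aces, token_sids):
    """Bits token_sids (user SID plus group SIDs) hold on the directory itself,
    walking the DACL in order as Windows does: a deny that precedes an allow
    wins for the bits it covers; inherit-only (IO) ACEs are skipped because
    they apply to children, not to this directory."""
    allowed = denied = 0
    for ace in aces:
        if "IO" in ace["flags"] or ace["sid"] not in token_sids:
            continue
        mask = file_mask(ace["mask"])
        if ace["type"] == "D":
            denied |= mask & ~allowed
        elif ace["type"] == "A":
            allowed |= mask & ~denied
    return allowed


def check_create(sddl, token_sids):
    """Report whether token_sids can create files/subdirectories in the directory
    whose descriptor is sddl, and which of its ACEs for them are inherit-only."""
    _flags, aces = parse_sddl_dacl(sddl)
    eff = effective_rights(aces, token_sids)
    return {"effective_mask": eff,
            "can_add_file": bool(eff & FILE_ADD_FILE),
            "can_add_subdir": bool(eff & FILE_ADD_SUBDIRECTORY),
            "can_write_dac": bool(eff & WRITE_DAC),
            "inherit_only_aces_for_token": [a["sid"] for a in aces
                                            if "IO" in a["flags"] and a["sid"] in token_sids]}


# Constructed samples: hypothetical domain SID and a made-up RID for the user GS.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GS = DOMAIN + "-1105"
# Full control, "This folder, subfolders and files" (OI+CI) as the dialog in the post would store it.
GOOD = "O:BAG:DAD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;%s)" % GS
# Same grant but inherit-only (IO): children get full control, the directory itself only read/execute.
INHERIT_ONLY = "O:BAG:DAD:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;%s)(A;;0x001200a9;;;%s)" % (GS, GS)
# Hex mask equal to full control minus FILE_ADD_FILE|FILE_ADD_SUBDIRECTORY (0x2|0x4).
NO_CREATE = "O:BAG:DAD:PAI(A;OICI;0x001f01f9;;;%s)" % GS

if __name__ == "__main__":
    for label, sddl in (("good", GOOD), ("inherit-only", INHERIT_ONLY), ("no-create", NO_CREATE)):
        print(label, check_create(sddl, {GS}))
```

Feed it the SDDL for the IT folder and the user's SID plus group SIDs (from `wbinfo --user-sids` or `wbinfo -n`), and it tells you whether the stored DACL grants the create bits on the folder itself or only on its children. The two constructed failure samples show that a trustee can appear in the dialog with "Full control" and still lack ADD_FILE on the folder, either because the ACE is inherit-only or because the stored mask is not the full 0x1f01ff; neither sample is a claim about the poster's setup.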

