[Samba] Issue with extended ACL's in 4.10.16

Odell, Jack Jack.Odell at options-it.com
Mon Sep 11 15:14:49 UTC 2023


I'm having an issue with extended ACL permissions while upgrading from 4.6.2 to 4.10.16.

When upgraded, the file permissions will only allow a user's primary GID to access the directory/file.

For example:

tuser is a member of secall and secoptions.
secall is tuser's primary GID.
A dir has an ACL set for secoptions:rwx.
tuser is unable to access the dir from a Windows host.
Adding secall:rwx to the dir allows tuser to access the dir without issue.

Trawled this document for a Boolean parameter this afternoon that would sort out this problem but came up blank: smb.conf (samba.org)<https://www.samba.org/~ab/output/htmldocs/manpages-3/smb.conf.5.html>

Any help to shed some light on this is greatly appreciated.

Current smb.conf file below:

    realm = OPTIONS-IT.COM
    workgroup = OPTIONS-IT
    security = ads
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/krb5.keytab /etc/krb5.keytab.stc.local
    template homedir = /home/%U
    idmap config * : backend = sss
    idmap config * :  range = 57000-59000
#    idmap config OPTIONS-IT : backend = sss
#    idmap config OPTIONS-IT : range = 57000-59000
#    idmap config STC.LOCAL  : backend = sss
#    idmap config STC.LOCAL  : range = 57000-59000
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    machine password timeout = 0
    log level = 3
    allow trusted domains = yes
#   winbind scan trusted domains = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

comment = var log test
        path = /var/log
        browseable = yes
        writeable = yes
        create mask = 7650
        directory mask = 7770
        guest ok = yes
        posix locking = no

System info:
Red Hat Enterprise Linux Server release 7.9 (Maipo)
3.10.0-1160.88.1.el7.x86_64 #1 SMP Sat Feb 18 13:27:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ smbd -V
Version 4.10.16

All the best,
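
The access check that the example in this message exercises, as an added illustration (not part of the original message and not Samba's code): a small model of the POSIX ACL evaluation order, run with tuser's full group set and with only the primary group, which reproduces the reported denial. The names tuser, secall and secoptions come from the post; the owner, owning group, mask and other entries in the sample ACL are assumptions.

```python
# Constructed getfacl-style sample. secoptions:rwx comes from the post;
# owner, owning group, mask and other entries are assumptions.
SAMPLE_ACL = """\
# owner: root
# group: root
user::rwx
group::r-x
group:secoptions:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): perms}) for access entries."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split("#")[0].strip().split(":")[:3]
            entries[(tag, qualifier)] = set(perms) - {"-"}
    return owner, group, entries

def access_allowed(acl_text, user, groups, want):
    """POSIX.1e access check for a process running as `user` with group set `groups`."""
    owner, owning_group, acl = parse_getfacl(acl_text)
    want = set(want)
    mask = acl.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= acl[("user", "")]
    if ("user", user) in acl:
        return want <= (acl[("user", user)] & mask)
    # Group class: every group entry matching the process's group set is tried,
    # primary and supplementary alike; one of them must grant all of `want`.
    matched = [perms & mask for (tag, q), perms in acl.items()
               if tag == "group" and (q or owning_group) in groups]
    if matched:
        return any(want <= perms for perms in matched)
    return want <= acl.get(("other", ""), set())

if __name__ == "__main__":
    for groups in ({"secall", "secoptions"}, {"secall"}):
        print(sorted(groups), access_allowed(SAMPLE_ACL, "tuser", groups, "rwx"))
```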

