Sebastian Arcus
2019-Jun-11 09:34 UTC
[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from 4.x (I'm afraid I'm not sure the exact earlier version) - and since then I just haven't managed to pin down the file permissions and inheritance on the shares as it's been constantly causing issues. This server is both a file server and an AD DC.

The current problem I am facing is the permissions of the lock file generated by Microsoft Access (.ldb). The Access database is on the server share. When one Windows client opens it, the .ldb file is created with group write permission (-rw-rw----). But when it is opened from another Windows machine, the .ldb file is created with group read-only permissions (-rw-r-----) - which locks other users out. There seems to be a mask applied, but I have no idea where it is coming from. Both client machines are Windows 7 - I just can't figure out the reason. It used to work fine before the Samba upgrade. The wrong ACLs for the .ldb file look like this:

    # file: praxis_be.ldb
    # owner: HEBI\\user1
    # group: HEBI\\domain\040users
    user::rw-
    user:root:rwx                           #effective:r--
    group::rwx                              #effective:r--
    group:HEBI\\domain\040users:rwx         #effective:r--
    group:HEBI\\domain\040computers:r-x     #effective:r--
    mask::r--
    other::---

What I've tried:

1. I have set and reset the ACLs on the Linux side for the share and parent dir (the lock file is in the root of the network share) - and made sure it doesn't have a mask:

    # file: /srv/samba/praxis
    # owner: root
    # group: HEBI\\domain\040users
    user::rwx
    user:root:rwx
    group::rwx
    group:HEBI\\domain\040users:rwx
    group:HEBI\\domain\040computers:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:root:rwx
    default:group::rwx
    default:group:HEBI\\domain\040users:rwx
    default:group:HEBI\\domain\040computers:r-x
    default:mask::rwx
    default:other::---

2. I have set the "inherit acls = " and forced the masks in smb.conf:

    [praxis]
    path = /srv/samba/praxis
    read only = No
    create mask = 0660
    directory mask = 0770
    inherit acls = yes

What I can't understand is why a mask is applied when the .ldb file is created - and why it is different between the two Windows 7 machines (if it comes from the Windows side). Any suggestions would be much appreciated.
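Added example, not part of any post in this thread and not Samba code: under POSIX ACL rules (acl(5)), a file created in a directory with a default ACL copies those entries, and the owner, mask and other entries are then capped by the mode requested at creation. The sketch below applies that rule to the default ACL quoted above. The create modes 0660 and 0640 and all function names are assumptions chosen to reproduce the two listings; the thread does not show which mode was actually requested for each client.

```python
# Added example: how a new file's ACL is derived from the parent directory's
# default ACL and the mode requested at creation (POSIX ACL rules, acl(5)).
BITS = (("r", 4), ("w", 2), ("x", 1))

# Default entries of /srv/samba/praxis, copied from the getfacl output above.
DIR_DEFAULT_ACL = r"""default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---"""

def to_bits(perm):
    return sum(v for c, v in BITS if c in perm)

def to_str(bits):
    return "".join(c if bits & v else "-" for c, v in BITS)

def parse_defaults(text):
    """Return (tag, qualifier, bits) for every default: entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()   # drop "#effective:" comments
        if line.startswith("default:"):
            _, tag, qual, perm = line.split(":")
            entries.append((tag, qual, to_bits(perm)))
    return entries

def inherit(defaults, create_mode):
    """Copy the default ACL, then cap owner, mask and other by create_mode."""
    cap = {"user": create_mode >> 6 & 7, "mask": create_mode >> 3 & 7,
           "other": create_mode & 7}
    return [(t, q, b & cap[t] if (t in cap and not q) else b)
            for t, q, b in defaults]

def effective(acl):
    """Named users and all group entries are limited by the mask entry."""
    mask = next(b for t, q, b in acl if t == "mask")
    limited = lambda t, q: t == "group" or (t == "user" and q)
    return {f"{t}:{q}": to_str(b & mask if limited(t, q) else b)
            for t, q, b in acl}

def ls_mode(acl):
    """ls -l shows owner, mask (in the group column) and other."""
    by_tag = {t: b for t, q, b in acl if not q}
    return "-" + "".join(to_str(by_tag[t]) for t in ("user", "mask", "other"))

if __name__ == "__main__":
    for mode in (0o660, 0o640):   # assumed create modes, not from the thread
        acl = inherit(parse_defaults(DIR_DEFAULT_ACL), mode)
        print(oct(mode), ls_mode(acl), effective(acl))
```
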
Rowland penny
2019-Jun-11 10:07 UTC
[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
> then I just haven't managed to pin down the file permissions and
> inheritance on the shares as it's been constantly causing issues. This
> server is both a file server and a AD DC.
>
> The current problem I am facing is the permissions of the lock file
> generated by Microsoft Access (.ldb). The Access database is on the
> server share. When one Windows client opens it, the .ldb file is
> created with group write permission (-rw-rw----). But when it is
> opened from another Windows machine, the .ldb file is created with
> group read-only permissions (-rw-r-----) - which locks other users
> out. There seems to be a mask applied, but I have no idea where is it
> coming from. Both client machines are Windows 7 - I just can't figure
> out the reason. It used to work fine before the Samba upgrade. The
> wrong acl's for the .ldb file look like this:
>
> # file: praxis_be.ldb
> # owner: HEBI\\user1
> # group: HEBI\\domain\040users
> user::rw-
> user:root:rwx                           #effective:r--
> group::rwx                              #effective:r--
> group:HEBI\\domain\040users:rwx         #effective:r--
> group:HEBI\\domain\040computers:r-x     #effective:r--
> mask::r--
> other::---
>
>
> What I've tried:
>
> 1. I have set and reset the acl's on the Linux side for the share and
> parent dir (the lock file is in the root of the network share) - and
> made sure it doesn't have a mask:

You should stop doing this, as it is a DC, you need to set the permissions from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

>
> 2. I have set the "inherit acls = " and forced the masks in smb.conf:
>
> [praxis]
> path = /srv/samba/praxis
> read only = No
> create mask = 0660
> directory mask = 0770
> inherit acls = yes

You cannot use those lines on a DC.

>
> What I can't understand is why is a mask applied when the .ldb file is
> created - and why is it different between the two Windows 7 machines
> (if it comes from the Windows side).

Probably because you are doing it wrong ;-)

Rowland
Sebastian Arcus
2019-Jun-11 10:38 UTC
[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
On 11/06/19 11:07, Rowland penny via samba wrote:
> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
>> then I just haven't managed to pin down the file permissions and
>> inheritance on the shares as it's been constantly causing issues. This
>> server is both a file server and a AD DC.
>>
>> The current problem I am facing is the permissions of the lock file
>> generated by Microsoft Access (.ldb). The Access database is on the
>> server share. When one Windows client opens it, the .ldb file is
>> created with group write permission (-rw-rw----). But when it is
>> opened from another Windows machine, the .ldb file is created with
>> group read-only permissions (-rw-r-----) - which locks other users
>> out. There seems to be a mask applied, but I have no idea where is it
>> coming from. Both client machines are Windows 7 - I just can't figure
>> out the reason. It used to work fine before the Samba upgrade. The
>> wrong acl's for the .ldb file look like this:
>>
>> # file: praxis_be.ldb
>> # owner: HEBI\\user1
>> # group: HEBI\\domain\040users
>> user::rw-
>> user:root:rwx                           #effective:r--
>> group::rwx                              #effective:r--
>> group:HEBI\\domain\040users:rwx         #effective:r--
>> group:HEBI\\domain\040computers:r-x     #effective:r--
>> mask::r--
>> other::---
>>
>>
>> What I've tried:
>>
>> 1. I have set and reset the acl's on the Linux side for the share and
>> parent dir (the lock file is in the root of the network share) - and
>> made sure it doesn't have a mask:
>
> You should stop doing this, as it is a DC, you need to set the
> permissions from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Thank you for the quick answer. I should have mentioned that I tried that as well. Could you confirm if "inherit acls" and "create mask" and "directory mask" should still apply to Samba in AD mode any more - or not?