Sebastian Arcus
2019-Jun-11 10:38 UTC
[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
On 11/06/19 11:07, Rowland penny via samba wrote:
> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
>> then I just haven't managed to pin down the file permissions and
>> inheritance on the shares as it's been constantly causing issues. This
>> server is both a file server and an AD DC.
>>
>> The current problem I am facing is the permissions of the lock file
>> generated by Microsoft Access (.ldb). The Access database is on the
>> server share. When one Windows client opens it, the .ldb file is
>> created with group write permission (-rw-rw----). But when it is
>> opened from another Windows machine, the .ldb file is created with
>> group read-only permissions (-rw-r-----) - which locks other users
>> out. There seems to be a mask applied, but I have no idea where it is
>> coming from. Both client machines are Windows 7 - I just can't figure
>> out the reason. It used to work fine before the Samba upgrade. The
>> wrong ACLs for the .ldb file look like this:
>>
>> # file: praxis_be.ldb
>> # owner: HEBI\\user1
>> # group: HEBI\\domain\040users
>> user::rw-
>> user:root:rwx                         #effective:r--
>> group::rwx                            #effective:r--
>> group:HEBI\\domain\040users:rwx       #effective:r--
>> group:HEBI\\domain\040computers:r-x   #effective:r--
>> mask::r--
>> other::---
>>
>>
>> What I've tried:
>>
>> 1. I have set and reset the ACLs on the Linux side for the share and
>> parent dir (the lock file is in the root of the network share) - and
>> made sure it doesn't have a mask:
>
> You should stop doing this, as it is a DC, you need to set the
> permissions from Windows, see here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Thank you for the quick answer. I should have mentioned that I tried
that as well. Could you confirm if "inherit acls" and "create mask"
and "directory mask" should still apply to Samba in AD mode any more -
or not?
Rowland penny
2019-Jun-11 10:49 UTC
[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>
> On 11/06/19 11:07, Rowland penny via samba wrote:
>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
>>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
>>> then I just haven't managed to pin down the file permissions and
>>> inheritance on the shares as it's been constantly causing issues.
>>> This server is both a file server and an AD DC.
>>>
>>> The current problem I am facing is the permissions of the lock file
>>> generated by Microsoft Access (.ldb). The Access database is on the
>>> server share. When one Windows client opens it, the .ldb file is
>>> created with group write permission (-rw-rw----). But when it is
>>> opened from another Windows machine, the .ldb file is created with
>>> group read-only permissions (-rw-r-----) - which locks other users
>>> out. There seems to be a mask applied, but I have no idea where
>>> it is coming from. Both client machines are Windows 7 - I just can't
>>> figure out the reason. It used to work fine before the Samba
>>> upgrade. The wrong ACLs for the .ldb file look like this:
>>>
>>> # file: praxis_be.ldb
>>> # owner: HEBI\\user1
>>> # group: HEBI\\domain\040users
>>> user::rw-
>>> user:root:rwx                         #effective:r--
>>> group::rwx                            #effective:r--
>>> group:HEBI\\domain\040users:rwx       #effective:r--
>>> group:HEBI\\domain\040computers:r-x   #effective:r--
>>> mask::r--
>>> other::---
>>>
>>>
>>> What I've tried:
>>>
>>> 1. I have set and reset the ACLs on the Linux side for the share
>>> and parent dir (the lock file is in the root of the network share) -
>>> and made sure it doesn't have a mask:
>>
>> You should stop doing this, as it is a DC, you need to set the
>> permissions from Windows, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Thank you for the quick answer. I should have mentioned that I tried
> that as well. Could you confirm if "inherit acls" and "create mask"
> and "directory mask" should still apply to Samba in AD mode any more -
> or not?
>
>

Your share on the DC should only be this:

[praxis]
    path = /srv/samba/praxis
    read only = No

You shouldn't add anything else, it has always been this way on a DC.

I think it might help if you posted the global part of the smb.conf

Rowland
Sebastian Arcus
2019-Jun-11 12:13 UTC
[Samba] Problems with inconsistent ACL inheritance and permissions after Samba upgrade
On 11/06/19 11:49, Rowland penny via samba wrote:
> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>
>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks ago from
>>>> 4.x (I'm afraid I'm not sure the exact earlier version) - and since
>>>> then I just haven't managed to pin down the file permissions and
>>>> inheritance on the shares as it's been constantly causing issues.
>>>> This server is both a file server and an AD DC.
>>>>
>>>> The current problem I am facing is the permissions of the lock file
>>>> generated by Microsoft Access (.ldb). The Access database is on the
>>>> server share. When one Windows client opens it, the .ldb file is
>>>> created with group write permission (-rw-rw----). But when it is
>>>> opened from another Windows machine, the .ldb file is created with
>>>> group read-only permissions (-rw-r-----) - which locks other users
>>>> out. There seems to be a mask applied, but I have no idea where
>>>> it is coming from. Both client machines are Windows 7 - I just can't
>>>> figure out the reason. It used to work fine before the Samba
>>>> upgrade. The wrong ACLs for the .ldb file look like this:
>>>>
>>>> # file: praxis_be.ldb
>>>> # owner: HEBI\\user1
>>>> # group: HEBI\\domain\040users
>>>> user::rw-
>>>> user:root:rwx                         #effective:r--
>>>> group::rwx                            #effective:r--
>>>> group:HEBI\\domain\040users:rwx       #effective:r--
>>>> group:HEBI\\domain\040computers:r-x   #effective:r--
>>>> mask::r--
>>>> other::---
>>>>
>>>>
>>>> What I've tried:
>>>>
>>>> 1. I have set and reset the ACLs on the Linux side for the share
>>>> and parent dir (the lock file is in the root of the network share) -
>>>> and made sure it doesn't have a mask:
>>>
>>> You should stop doing this, as it is a DC, you need to set the
>>> permissions from Windows, see here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> Thank you for the quick answer. I should have mentioned that I tried
>> that as well. Could you confirm if "inherit acls" and "create mask"
>> and "directory mask" should still apply to Samba in AD mode any more -
>> or not?
>>
>>
> Your share on the DC should only be this:
>
> [praxis]
>     path = /srv/samba/praxis
>     read only = No
>
> You shouldn't add anything else, it has always been this way on a DC.

Yes - that's what I read in the docs - and that's what I started with.
But that's when I don't get the expected ACL inheritance. I just trimmed
the share definition down again to the above, and when I created a dir,
the mask kicks in again:

# file: test3
# owner: root
# group: HEBI\\domain\040users
# flags: -s-
user::rwx
user:root:rwx                         #effective:r-x
user:3000017:r-x
group::rwx                            #effective:r-x
group:HEBI\\domain\040users:rwx       #effective:r-x
group:HEBI\\domain\040computers:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:user:3000017:r-x
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---

Is the mask coming from the local Linux filesystem umask? If yes,
shouldn't the ACLs supersede it?

> I think it might help if you posted the global part of the smb.conf

Sure:

[global]
    bind interfaces only = Yes
    interfaces = lo eth1 tun0 tun1
    netbios name = HEBI-SERVER
    realm = HEBI.LAN
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = HEBI
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    comment
    log file = /var/log/samba/%m.log
    max log size = 1000
    mangling method = hash2
    mangle prefix = 6
    reset on zero vc = yes
    deadtime = 10
    load printers = yes
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
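The two getfacl listings in this thread both show a `mask::` entry clamping every group and named-user entry to `r--` or `r-x`. As an added worked example (not code from the thread, the poster, or the Samba project), the Python script below parses a long-form `getfacl` listing and applies the POSIX.1e mask rule that produces the `#effective:` annotations: the owner (`user::`) and `other::` entries are never masked, while named users, the owning group (`group::`) and named groups are ANDed with `mask::`. It also models the two kernel behaviours the question turns on: on a file carrying an extended ACL, `ls -l` reports the mask entry, not `group::`, as the group triplet (which is why the lock file shows `-rw-r-----` while `group::` is `rwx`), and a `chmod` of the group bits rewrites `mask::` rather than `group::`. The same masking is applied when a file is created under a directory with default entries: the inherited `default:mask::rwx` is ANDed with the group bits of the creation mode. The sample listing is the one posted above with its effective annotations stripped; `parse_acl`, `effective_entries`, `mode_string`, `chmod_group` and `lookup` are this example's own names.

```python
"""Compute effective POSIX ACL permissions from `getfacl` output.

Added example (not from the mailing-list thread): parses the long-form
`getfacl` listing and applies the mask the way the Linux kernel does
(POSIX.1e): user:: and other:: are unaffected; named users, group:: and
named groups are ANDed with mask::.
"""
import re

# Constructed input: the ACL posted in the thread, with the
# "#effective:" annotations removed so the script has to derive them.
SAMPLE = r"""# file: praxis_be.ldb
# owner: HEBI\\user1
# group: HEBI\\domain\040users
user::rw-
user:root:rwx
group::rwx
group:HEBI\\domain\040users:rwx
group:HEBI\\domain\040computers:r-x
mask::r--
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm):
    """'rw-' -> 6 (the three-character form getfacl prints)."""
    if not re.fullmatch(r"[r-][w-][x-]", perm):
        raise ValueError(f"bad permission string: {perm!r}")
    return sum(PERM_BITS[c] for c in perm if c != "-")


def bits_to_perm(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Return {'access': [...], 'default': [...]}, each entry being
    (tag, qualifier, permission_bits). Comment lines (# file:, # owner:,
    # flags:) and blank lines are skipped; a trailing "#effective:..."
    annotation is discarded because we recompute it."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope = "default"
            line = line[len("default:"):]
        head, perm = line.rsplit(":", 1)        # perm never contains ':'
        tag, qualifier = head.split(":", 1)     # qualifier may be empty
        acl[scope].append((tag, qualifier, perm_to_bits(perm)))
    return acl


def effective_entries(entries):
    """Apply mask:: as the kernel does. Returns (tag, qualifier, perm,
    effective) with both permissions as rwx strings. Without a mask
    entry (a minimal ACL) nothing is masked."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = []
    for tag, qualifier, perm in entries:
        eff = perm
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and masked:
            eff = perm & mask
        out.append((tag, qualifier, bits_to_perm(perm), bits_to_perm(eff)))
    return out


def mode_string(entries):
    """The rwx triplets ls -l shows. With an extended ACL the group
    triplet is the mask entry, not group::."""
    by_tag = {(t, q): p for t, q, p in entries}
    owner = by_tag[("user", "")]
    group = by_tag.get(("mask", ""), by_tag[("group", "")])
    other = by_tag[("other", "")]
    return bits_to_perm(owner) + bits_to_perm(group) + bits_to_perm(other)


def chmod_group(entries, perm):
    """Model `chmod g=<perm>`: on an extended ACL the kernel rewrites
    mask:: and leaves group:: alone; on a minimal ACL it rewrites group::.
    Returns a new entry list."""
    bits = perm_to_bits(perm)
    target = "mask" if any(t == "mask" for t, _, _ in entries) else "group"
    return [(t, q, bits if (t == target and q == "") else p)
            for t, q, p in entries]


def lookup(effective, tag, qualifier=""):
    """Effective rwx string for one entry of effective_entries() output."""
    for t, q, _perm, eff in effective:
        if t == tag and q == qualifier:
            return eff
    raise KeyError((tag, qualifier))


if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for tag, q, perm, eff in effective_entries(acl["access"]):
        note = "" if perm == eff else f"\t#effective:{eff}"
        print(f"{tag}:{q}:{perm}{note}")
    print("ls -l mode:", mode_string(acl["access"]))
    fixed = chmod_group(acl["access"], "rw-")
    print("after chmod g=rw, mode:", mode_string(fixed))
```

Run against the posted listing it reproduces the `#effective:r--` annotations and an `ls` mode of `rw-r-----`; after modelling `chmod g=rw` only the mask changes and every group entry becomes effective `rw-`. The practical corollary is that a `mask::r--` on the lock file is exactly what a creation or `chmod` with mode group bits of `r--` leaves behind, whatever the named entries say, so the place to look is whatever sets the file's mode at create time, not the ACL entries themselves.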