Sebastian Arcus
2019-Dec-02 14:28 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
Apologies if this is a documented feature and I missed it - I've been googling and reading through the docs but haven't spotted any mention anywhere. Is the vfs_recycle feature officially being supported with Samba in AD mode? I have a few AD DC's with file shares on them - and have been struggling with file permissions not being inherited on the file shares. I have finally narrowed it down to the fact that if I enable the vfs_recycle module on the shares, this disables permission inheritance on the respective share. Could anybody confirm this please - or am I doing something wrong?

I am on Samba 4.10.8 and 4.9.4, Slackware 64, as mentioned above all servers are AD DC's, the file system is EXT4, and here is my smb.conf:

[global]
  netbios name = MY-SERVER-NAME
  realm = MYDOMAIN.LAN
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
  workgroup = MYDOMAIN
  server role = active directory domain controller
  idmap_ldb:use rfc2307 = yes
  ntlm auth = yes
  time server = yes

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[shared_files]
  path = /srv/samba/shared_files
  read only = No

  vfs objects = recycle
  recycle:repository = Recycle.Bin
  recycle:directory_mode = 0770
  recycle:subdir_mode = 0770
  recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb,*- journal
  recycle:versions = Yes
  recycle:touch_mtime = Yes
  recycle:keeptree = No
  recycle:minsize = 1
Rowland penny
2019-Dec-02 15:10 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/2019 14:28, Sebastian Arcus via samba wrote:
> Apologies if this is a documented feature and I missed it - I've been
> googling and reading through the docs but haven't spotted any mention
> anywhere. Is the vfs_recycle feature officially being supported with
> Samba in AD mode? I have a few AD DC's with file shares on them - and
> have been struggling with file permissions not being inherited on the
> file shares. I have finally narrowed it down to the fact that if I
> enable the vfs_recycle module on the shares, this disables permission
> inheritance on the respective share. Could anybody confirm this please
> - or am I doing something wrong?
>

Problem is that using a Samba AD DC as a fileserver isn't really recommended, I personally would only recommend using a DC as a fileserver if it was the only DC (soho). You have multiple DCs, so don't use them as fileservers, add a Unix domain member and use that instead.

> I am on Samba 4.10.8 and 4.9.4, Slackware 64, as mentioned above all
> servers are AD DC's, the file system is EXT4, and here is my smb.conf:
>
> [global]
>   netbios name = MY-SERVER-NAME
>   realm = MYDOMAIN.LAN
>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>   workgroup = MYDOMAIN
>   server role = active directory domain controller
>   idmap_ldb:use rfc2307 = yes
>   ntlm auth = yes
>   time server = yes
>
> [netlogon]
>   path = /var/lib/samba/sysvol/mydomain.lan/scripts
>   read only = No
>
> [sysvol]
>   path = /var/lib/samba/sysvol
>   read only = No
>
> [shared_files]
>   path = /srv/samba/shared_files
>   read only = No
>
>   vfs objects = recycle

As you have surmised, the above line is your problem, you have turned off the default vfs objects built into a Samba AD DC

Rowland
Sebastian Arcus
2019-Dec-02 15:32 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/19 15:10, Rowland penny via samba wrote:
> On 02/12/2019 14:28, Sebastian Arcus via samba wrote:
>> Apologies if this is a documented feature and I missed it - I've been
>> googling and reading through the docs but haven't spotted any mention
>> anywhere. Is the vfs_recycle feature officially being supported with
>> Samba in AD mode? I have a few AD DC's with file shares on them - and
>> have been struggling with file permissions not being inherited on the
>> file shares. I have finally narrowed it down to the fact that if I
>> enable the vfs_recycle module on the shares, this disables permission
>> inheritance on the respective share. Could anybody confirm this please
>> - or am I doing something wrong?
>>
> Problem is that using a Samba AD DC as a fileserver isn't really
> recommended, I personally would only recommend using a DC as a
> fileserver if it was the only DC (soho). You have multiple DCs, so don't
> use them as fileservers, add a Unix domain member and use that instead.

Thank you for the quick reply. I should have mentioned that these DC's are at different sites. At each site there is only one Linux server - hence why the DC is also the file server.

>> I am on Samba 4.10.8 and 4.9.4, Slackware 64, as mentioned above all
>> servers are AD DC's, the file system is EXT4, and here is my smb.conf:
>>
>> [global]
>>   netbios name = MY-SERVER-NAME
>>   realm = MYDOMAIN.LAN
>>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate
>>   workgroup = MYDOMAIN
>>   server role = active directory domain controller
>>   idmap_ldb:use rfc2307 = yes
>>   ntlm auth = yes
>>   time server = yes
>>
>> [netlogon]
>>   path = /var/lib/samba/sysvol/mydomain.lan/scripts
>>   read only = No
>>
>> [sysvol]
>>   path = /var/lib/samba/sysvol
>>   read only = No
>>
>> [shared_files]
>>   path = /srv/samba/shared_files
>>   read only = No
>>
>>   vfs objects = recycle
> As you have surmised, the above line is your problem, you have turned
> off the default vfs objects built into a Samba AD DC

I'm afraid I'm not sufficiently familiar with vfs objects and how they work - I only used the configuration above based on the recommended configs in the wiki. Are you saying above that I could have configured the vfs recycle without using the "vfs objects = recycle" line - that it isn't actually necessary in order to activate the recycle bin?

Thank you
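
Added example, not part of the thread and not Samba project code: a small audit for the situation discussed above, where a "vfs objects" line replaces the modules an AD DC loads by default. It assumes, from Samba's documentation rather than from this thread, that those built-in modules are dfs_samba4 and acl_xattr; the function names and the [fixed_share] section are hypothetical, and the sample configuration is constructed from the one posted.

```python
# Flag smb.conf sections on an AD DC whose "vfs objects" line drops the
# DC's built-in modules, which is what breaks NT ACL inheritance on a share.
# Assumption (Samba documentation, not this thread): the built-in modules
# on an AD DC are dfs_samba4 and acl_xattr.
AD_DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # keys may contain ':' (recycle:...)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def sections_missing_dc_defaults(text):
    """Return {section: [missing modules]} for an AD DC configuration."""
    conf = parse_smb_conf(text)
    role = conf.get("global", {}).get("server role", "").lower()
    if role != "active directory domain controller":
        return {}  # the built-in defaults only apply on a DC
    findings = {}
    for name, params in conf.items():
        if "vfs objects" not in params:
            continue  # nothing overridden in this section
        loaded = params["vfs objects"].replace(",", " ").split()
        missing = [m for m in AD_DC_DEFAULT_VFS if m not in loaded]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample: [shared_files] as posted, [fixed_share] is hypothetical.
SAMPLE = """
[global]
    server role = active directory domain controller
[shared_files]
    path = /srv/samba/shared_files
    vfs objects = recycle
    recycle:repository = Recycle.Bin
[fixed_share]
    path = /srv/samba/fixed_share
    vfs objects = dfs_samba4 acl_xattr recycle
"""

if __name__ == "__main__":
    print(sections_missing_dc_defaults(SAMPLE))
```

On the sample, only [shared_files] is reported; listing the default modules ahead of recycle, as in [fixed_share], keeps the recycle bin without dropping them.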