Sebastian Arcus
2019-Dec-02 15:32 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/19 15:10, Rowland penny via samba wrote:
> On 02/12/2019 14:28, Sebastian Arcus via samba wrote:
>> Apologies if this is a documented feature and I missed it - I've been googling and reading through the docs but haven't spotted any mention anywhere. Is the vfs_recycle feature officially supported with Samba in AD mode? I have a few AD DCs with file shares on them - and have been struggling with file permissions not being inherited on the file shares. I have finally narrowed it down to the fact that if I enable the vfs_recycle module on the shares, this disables permission inheritance on the respective share. Could anybody confirm this please - or am I doing something wrong?
>>
> Problem is that using a Samba AD DC as a fileserver isn't really recommended, I personally would only recommend using a DC as a fileserver if it was the only DC (soho). You have multiple DCs, so don't use them as fileservers, add a Unix domain member and use that instead.

Thank you for the quick reply. I should have mentioned that these DCs are at different sites. At each site there is only one Linux server - hence why the DC is also the file server.

>> I am on Samba 4.10.8 and 4.9.4, Slackware 64, as mentioned above all servers are AD DCs, the file system is EXT4, and here is my smb.conf:
>>
>> [global]
>>     netbios name = MY-SERVER-NAME
>>     realm = MYDOMAIN.LAN
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     workgroup = MYDOMAIN
>>     server role = active directory domain controller
>>     idmap_ldb:use rfc2307 = yes
>>     ntlm auth = yes
>>     time server = yes
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/mydomain.lan/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> [shared_files]
>>     path = /srv/samba/shared_files
>>     read only = No
>>     vfs objects = recycle
>
> As you have surmised, the above line is your problem, you have turned off the default vfs objects built into a Samba AD DC

I'm afraid I'm not sufficiently familiar with vfs objects and how they work - I only used the configuration above based on the recommended configs in the wiki. Are you saying above that I could have configured the vfs recycle without using the "vfs objects = recycle" line - that it isn't actually necessary in order to activate the recycle bin?

Thank you
Rowland penny
2019-Dec-02 15:44 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/2019 15:32, Sebastian Arcus via samba wrote:
>
> On 02/12/19 15:10, Rowland penny via samba wrote:
>
> Thank you for the quick reply. I should have mentioned that these DCs are at different sites. At each site there is only one Linux server - hence why the DC is also the file server.

Bad move, I would add a Unix domain member at each site, even if it is in a VM. By the way, are you using 'sites'?

> I'm afraid I'm not sufficiently familiar with vfs objects and how they work - I only used the configuration above based on the recommended configs in the wiki. Are you saying above that I could have configured the vfs recycle without using the "vfs objects = recycle" line - that it isn't actually necessary in order to activate the recycle bin?

No, I am saying that you have turned off the default vfs objects by just specifying one.

You should have 'vfs objects = dfs_samba4 acl_xattr recycle'

Rowland
Sebastian Arcus
2019-Dec-02 16:24 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/19 15:44, Rowland penny via samba wrote:
> On 02/12/2019 15:32, Sebastian Arcus via samba wrote:
>>
>> On 02/12/19 15:10, Rowland penny via samba wrote:
>>
>> Thank you for the quick reply. I should have mentioned that these DCs are at different sites. At each site there is only one Linux server - hence why the DC is also the file server.
>
> Bad move, I would add a Unix domain member at each site, even if it is in a VM. By the way, are you using 'sites'?

I'm not sure what you mean by 'sites'. They are a number of different physical sites, but they are independent small LANs, with no connection to each other, if that is the question? I have seen the advice in the wiki against using the DC as a file sharing server, but I am not clear as to why exactly that is a bad idea - and the wiki doesn't go into much detail. The servers certainly have performed very well for the past 3 years or so. These are small networks, with around 10 clients each.

>> I'm afraid I'm not sufficiently familiar with vfs objects and how they work - I only used the configuration above based on the recommended configs in the wiki. Are you saying above that I could have configured the vfs recycle without using the "vfs objects = recycle" line - that it isn't actually necessary in order to activate the recycle bin?
>
> No, I am saying that you have turned off the default vfs objects by just specifying one.
>
> You should have 'vfs objects = dfs_samba4 acl_xattr recycle'

Thank you very much for this - now it is working. This lack of permissions inheritance issue has been plaguing me for months - it is very useful to finally find what has been causing it. Would it be a good idea to add the information above somewhere in the wiki, in case others will face the same issue at some point? Again, thank you for the quick replies.
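An added example, not part of this thread and not Samba's own code: a small Python checker that parses an smb.conf like the one quoted above and flags any share on an AD DC whose explicit 'vfs objects' line leaves out dfs_samba4 and acl_xattr, the modules Rowland says a DC loads by default (acl_xattr is what stores the Windows ACL alongside the file, so dropping it is why inheritance stops working). The default module list, the server-role strings it treats as "DC", and the sample smb.conf are assumptions constructed from the thread, not Samba's loadparm logic; the fix it prints is the line Rowland gave.

```python
"""Flag AD DC shares whose 'vfs objects' line silently drops the DC defaults.

Assumptions (not Samba's own logic): a Samba AD DC stacks 'dfs_samba4 acl_xattr'
by default, and an explicit 'vfs objects' line replaces that list outright.
"""

# Modules a DC loads by default (as stated in the thread); assumed here.
DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")

# Constructed sample smb.conf, trimmed from the one posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    netbios name = MY-SERVER-NAME
    realm = MYDOMAIN.LAN
    workgroup = MYDOMAIN
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[shared_files]
    path = /srv/samba/shared_files
    read only = No
    vfs objects = recycle
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}.

    Section and parameter names are case-insensitive in smb.conf, so both are
    lower-cased; runs of whitespace inside a parameter name are collapsed.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_ad_dc(conf):
    """True when [global] declares the AD DC role (long form or the 'dc' alias)."""
    role = conf.get("global", {}).get("server role", "").strip().lower()
    return role in ("active directory domain controller", "dc")


def check_vfs_objects(conf):
    """Return {share: [missing default modules]} for shares that override the
    DC default stack without re-listing it. Empty dict when nothing is wrong or
    when the config is not a DC at all."""
    problems = {}
    if not is_ad_dc(conf):
        return problems
    for share, params in conf.items():
        if share == "global" or "vfs objects" not in params:
            continue
        mods = params["vfs objects"].replace(",", " ").split()
        missing = [m for m in DC_DEFAULT_VFS if m not in mods]
        if missing:
            problems[share] = missing
    return problems


def fixed_vfs_line(value):
    """Rebuild a 'vfs objects' line with the DC defaults in front, keeping the
    admin's own modules (e.g. recycle) after them, without duplicates."""
    extra = [m for m in value.replace(",", " ").split() if m not in DC_DEFAULT_VFS]
    return "vfs objects = " + " ".join(list(DC_DEFAULT_VFS) + extra)


def rewrite_vfs_lines(text):
    """Return the smb.conf text with every 'vfs objects' line corrected,
    preserving indentation; a non-DC config is returned untouched."""
    if not is_ad_dc(parse_smb_conf(text)):
        return text
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and " ".join(key.split()).lower() == "vfs objects":
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(indent + fixed_vfs_line(value))
        else:
            out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, missing in check_vfs_objects(conf).items():
        print(f"[{share}] 'vfs objects' drops DC defaults: {' '.join(missing)}")
        print("  use: " + fixed_vfs_line(conf[share]["vfs objects"]))
```

Point it at a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); `testparm -s` output is also a valid input if you want the parameters Samba actually applies rather than the raw file.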