samba - Feb 2021 - ACLs woes after upgrade from 3.6 to 4.9.5

Hi all,

I've upgraded a Debian server that was still running 3.6.20 to the
current Debian stable with samba 4.9.5. The smb.conf file hasn't been
changed and has many weird entries, but the big problem is that ACLs
behaviour completely changed.

Typically, when copying/moving files, they get entirely different
rights than the source. On-disk ACLs haven't been changed, so I suppose
that's the Samba default that have. I don't want to try randomly
enabling / disabling posix acls / inherit acls settings...


Here's the smb.conf:

[global]
        block size = 4096
        directory mask = 0775
        disable spoolss = yes 
        dns proxy = no
        domain master = no
        encrypt passwords = true
        guest account = nobody
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        invalid users = root
        load printers = no
        local master = no
        max log size = 1000
        name resolve order = wins lmhosts host bcast
        nt acl support = yes
        obey pam restrictions = yes
        os level = 20
        panic action = /usr/share/samba/panic-action %d
        passdb backend = tdbsam
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n . passwd program = /usr/bin/passwd
%u preferred master = no
        preserve case = yes
        printcap name = /dev/null 
        printing = bsd
        security = user
        server string = %h server (Samba %v)
        short preserve case = yes
        syslog = 0;
        syslog only = no
        template shell = /bin/false
        unix password sync = yes
        winbind cache time = 10
        winbind enum groups = yes
        winbind enum users = yes
        winbind separator = +
        wins server = 127.0.0.1
        wins support = no
        workgroup = WORKGROUP
        usershare max shares = 0

[Masters]
        writeable = yes
        path = /mnt/raid/Masters


(there are other shares, but exact same settings). The directory mask
setting have been added to try to change the behaviour, to no avail.

Cheers,
-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |	<eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 163 bytes
Desc: Signature digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20210226/34e65209/attachment.sig>

On 26/02/2021 14:27, Emmanuel Florac via samba wrote:
> Hi all,
>
> I've upgraded a Debian server that was still running 3.6.20 to the
> current Debian stable with samba 4.9.5. The smb.conf file hasn't been
> changed and has many weird entries, but the big problem is that ACLs
> behaviour completely changed.
>
> Typically, when copying/moving files, they get entirely different
> rights than the source. On-disk ACLs haven't been changed, so I suppose
> that's the Samba default that have. I don't want to try randomly
> enabling / disabling posix acls / inherit acls settings...
>
>
> Here's the smb.conf:
>
> [global]
>          block size = 4096
>          directory mask = 0775
>          disable spoolss = yes
>          dns proxy = no
>          domain master = no
>          encrypt passwords = true
>          guest account = nobody
>          idmap gid = 10000-20000
>          idmap uid = 10000-20000
>          invalid users = root
>          load printers = no
>          local master = no
>          max log size = 1000
>          name resolve order = wins lmhosts host bcast
>          nt acl support = yes
>          obey pam restrictions = yes
>          os level = 20
>          panic action = /usr/share/samba/panic-action %d
>          passdb backend = tdbsam
>          passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n . passwd program = /usr/bin/passwd
> %u preferred master = no
>          preserve case = yes
>          printcap name = /dev/null
>          printing = bsd
>          security = user
>          server string = %h server (Samba %v)
>          short preserve case = yes
>          syslog = 0;
>          syslog only = no
>          template shell = /bin/false
>          unix password sync = yes
>          winbind cache time = 10
>          winbind enum groups = yes
>          winbind enum users = yes
>          winbind separator = +
>          wins server = 127.0.0.1
>          wins support = no
>          workgroup = WORKGROUP
>          usershare max shares = 0
>
> [Masters]
>          writeable = yes
>          path = /mnt/raid/Masters

OK, how do you think you are running Samba ?

As a standalone server or as a Unix domain member ?

Your smb.conf seems to be a mixture of the two:

'security = user' == standalone server

 ??????? idmap gid = 10000-20000
 ??????? idmap uid = 10000-20000
 ??????? winbind cache time = 10
 ??????? winbind enum groups = yes
 ??????? winbind enum users = yes
 ??????? winbind separator = +
 ??????? wins server = 127.0.0.1

The above lines would only be used on a Unix domain member (an NT4-style 
domain member), but the last line is curious.

Rowland