Henry Jensen
2022-Jul-04 14:52 UTC
[Samba] POSIX ACLs are not inherited after upgrade - behaviour changed?
I have several Samba servers running as (Samba) AD Domain members on Devuan Ascii (= Debian 9) with Samba 4.5.x, using Posix ACLs

ACL Example of a directory share:

# getfacl .
# file: .
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:mygroup:rwx
mask::rwx
other::---

Note that there is no default ACL.

When I create a file foo in this directory using a SMB client the ACLs are inherited:

# getfacl foo
# file: foo
# owner: root
# group: root
user::rwx
group::rw-
group:mygroup:rwx
mask::rwx
other::---

However, after an upgrade to Devuan 3 (same as Debian 10) with Samba 4.9.x this behaviour changed and the ACLs are not inherited, just the standard Unix group and user are inherited.

# getfacl foo
# file: foo
# owner: root
# group: root
user::rwx
group::rw-
other::---

As you can see, mygroup is missing, which means that users belonging to mygroup (including the creator of the file) can't see or access the file.

However, if a default ACL is applied to the directory, the old behaviour is restored and all "mygroup" users can access the file.

My question is: Was this change in behaviour intended? I haven't found anything about this in the Samba release notes from 4.6.0 to 4.9.0. I have used POSIX ACLs and Samba since the old Samba 3.x times and there was never the need to use default ACLs. It was my impression that

inherit permissions = yes
inherit acls = yes

would be enough to inherit ACLs.

The relevant parts in smb.conf:

[global]
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[myshare]
path = /data/myshare
public = no
writeable = yes
hide unreadable = yes
create mask = 1660
directory mask = 1770
inherit owner = yes
inherit permissions = yes
inherit acls = yes
acl group control = yes
map acl inherit = yes

Regards,
Henry
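The post above reports that putting a default ACL on the directory brings the mygroup entry back on new files. As an added example (not part of the original thread), this Python sketch parses getfacl output like the listing in the post and builds the setfacl command for named entries that have no default: counterpart; the function names are hypothetical and the sample listing is reconstructed from the post.

```python
import shlex

# Constructed sample: the directory listing from the post (no default ACL).
SAMPLE_DIR = """\
# file: .
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:mygroup:rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> perms."""
    access, default = {}, {}
    for raw in text.splitlines():
        # Drop header lines and trailing comments such as "#effective:r--".
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] in ("default", "d"):
            target, parts = default, parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        target[(tag, qualifier)] = perms
    return access, default

def missing_defaults(text):
    """Named user/group access entries that have no matching default entry."""
    access, default = parse_getfacl(text)
    return sorted((t, q, p) for (t, q), p in access.items()
                  if q and (t, q) not in default)

def setfacl_fix(path, text):
    """Build the setfacl command adding the missing default entries, or None."""
    entries = [f"default:{t}:{q}:{p}" for t, q, p in missing_defaults(text)]
    if not entries:
        return None
    return f"setfacl -m {','.join(entries)} {shlex.quote(path)}"

if __name__ == "__main__":
    # /data/myshare is the share path given in the posted smb.conf.
    print(setfacl_fix("/data/myshare", SAMPLE_DIR))
```

When only named default entries are given, setfacl fills in the default owner, owning group, other and mask entries itself.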
Rowland Penny
2022-Jul-04 15:17 UTC
[Samba] POSIX ACLs are not inherited after upgrade - behaviour changed?
On Mon, 2022-07-04 at 16:52 +0200, Henry Jensen via samba wrote:
> I have several Samba servers running as (Samba) AD Domain members on
> Devuan Ascii (= Debian 9) with Samba 4.5.x, using Posix ACLs

The question has to be, why are you still running such an old distro? No, I am not Devuan bashing, I am running Beowulf at the moment.

I suggest you upgrade and then use Samba from here: https://apt.van-belle.nl/

While you have posted portions of your smb.conf, they are not much use without the '[global]' portion.

Rowland