samba - Oct 2013 - File share permissions act different on member server than on DC

Hello,

a while ago I wrote the 
http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.

When I wrote the HowTo, I setup and configured the share on a DC - what 
still works like described. Today I tried the first time to do exactly 
the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work there.

The share in smb.conf:
[demo]
    path = /srv/samba/Demo
    read only = no

The folder in the filesystem (XFS):
drwxr-xr-x   2 root root        6 13. Okt 22:16 /srv/samba/Demo

I connect to the share as Domain Admin, right-click to it and go to the 
"security" tab. Here I see now "everyone" and two
"root" entries.
- I click the "edit" button and remove the two "root"
entries. When I
click "apply", everything is reset (the two entries went back".
- If i grant "modify" to "everyone" - where all
"allow" entries are
empty per default and click "apply", then all boxes are checked 
automatically (full access) and "CREATOR OWNER" and "CREATOR
GROUP"
appear. And this two can't be removed as well any more.


If I do exactly the same on a DC, then already the security tab shows on 
the first time I open it very different settings. The wiki screenshot 
shows them: 
http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But 
the folder on Linux side is also just 755 (and without any extended ACLs 
when I begin). Also whatever I change (like remove "root" from the
ACLs)
everything is done like expected and saved.


The member server is also self compiled. I installed all packages on my 
RHEL6 that I have installed on the DC too.


Any idea what could be different on a 4.x member than on a DC? Or did I 
find a bug?


Regards
Marc

On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
> Hello,
> 
> a while ago I wrote the 
> http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
> 
> When I wrote the HowTo, I setup and configured the share on a DC - what 
> still works like described. Today I tried the first time to do exactly 
> the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work
there.
> 
> The share in smb.conf:
> [demo]
>     path = /srv/samba/Demo
>     read only = no
> 
> The folder in the filesystem (XFS):
> drwxr-xr-x   2 root root        6 13. Okt 22:16 /srv/samba/Demo
> 
> I connect to the share as Domain Admin, right-click to it and go to the 
> "security" tab. Here I see now "everyone" and two
"root" entries.
> - I click the "edit" button and remove the two "root"
entries. When I
> click "apply", everything is reset (the two entries went
back".
> - If i grant "modify" to "everyone" - where all
"allow" entries are
> empty per default and click "apply", then all boxes are checked 
> automatically (full access) and "CREATOR OWNER" and "CREATOR
GROUP"
> appear. And this two can't be removed as well any more.
> 
> 
> If I do exactly the same on a DC, then already the security tab shows on 
> the first time I open it very different settings. The wiki screenshot 
> shows them: 
> http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But 
> the folder on Linux side is also just 755 (and without any extended ACLs 
> when I begin). Also whatever I change (like remove "root" from
the ACLs)
> everything is done like expected and saved.
> 
> 
> The member server is also self compiled. I installed all packages on my 
> RHEL6 that I have installed on the DC too.
> 
> 
> Any idea what could be different on a 4.x member than on a DC? Or did I 
> find a bug?
> 
> 
> Regards
> Marc
Hi
It looks like that on the DC, Administrator already has admin
permissions on the share (like root in Linux) but on a file server he
doesn't. You have to specify Administrator as an admin user or give him
full posix rights on the share using setfacl.

Summary.mAdministrator behaves as:
DC: like root on a Linux box
File server: a normal unprivileged domain user

I think the file server is correct. Windows doesn't have a user like
root.
HTH
Steve

Hi,

To enable my member server's ACLs to work just like the DC, as far as 
Windows is concerned, I needed to add the following parameters to the 
global section of smb.conf file on the member server:

         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = Yes

These parameters are apparently added in the background by default for 
the smbd processes that are spawned by samba. Until I added those items, 
just like you I could never get the ACLs to stick and work correctly. 
Many of them were incorrectly labeled, also, even though the number was 
correct and the same as on the DC.

Something to note: I believe the vfs object parameter does require that 
xattrs work on the file system that you use.

Cheers,
KeithM

On Sun, 2013-10-13 at 22:31 +0200, Marc Muehlfeld wrote:
 > Hello,
 >
 > a while ago I wrote the
 > http://wiki.samba.org/index.php/Setup_and_configure_file_shares HowTo.
 >
 > When I wrote the HowTo, I setup and configured the share on a DC - what
 > still works like described. Today I tried the first time to do exactly
 > the same on a 4.0.10 and 4.1.0 _member server_, and it doesn't work 
there.
 >
 > The share in smb.conf:
 > [demo]
 >     path = /srv/samba/Demo
 >     read only = no
 >
 > The folder in the filesystem (XFS):
 > drwxr-xr-x   2 root root        6 13. Okt 22:16 /srv/samba/Demo
 >
 > I connect to the share as Domain Admin, right-click to it and go to the
 > "security" tab. Here I see now "everyone" and two
"root" entries.
 > - I click the "edit" button and remove the two "root"
entries. When I
 > click "apply", everything is reset (the two entries went
back".
 > - If i grant "modify" to "everyone" - where all
"allow" entries are
 > empty per default and click "apply", then all boxes are checked
 > automatically (full access) and "CREATOR OWNER" and
"CREATOR GROUP"
 > appear. And this two can't be removed as well any more.
 >
 >
 > If I do exactly the same on a DC, then already the security tab shows on
 > the first time I open it very different settings. The wiki screenshot
 > shows them:
 > http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png). But
 > the folder on Linux side is also just 755 (and without any extended ACLs
 > when I begin). Also whatever I change (like remove "root" from
the ACLs)
 > everything is done like expected and saved.
 >
 >
 > The member server is also self compiled. I installed all packages on my
 > RHEL6 that I have installed on the DC too.
 >
 >
 > Any idea what could be different on a 4.x member than on a DC? Or did I
 > find a bug?
 >
 >
 > Regards
 > Marc