Nicolas
2016-Jul-23  06:58 UTC
[Samba] permission problem with vfs object recycle:directory_mode
Well,
Although I've recently answered about vfs object recycle on this list,
it seems that it isn't working as expected.
Using Samba 4.4.5, compiled from sources
Here is the conf for a share:
[musique]
         path = /media/data/musique
         read only = No
         vfs objects = acl_xattr recycle
         recycle:directory_mode = 0770
         recycle:subdir_mode = 0700
         recycle:versions = Yes
         recycle:keeptree = Yes
         recycle:touch = Yes
         recycle:repository = .recycle
         full_audit:prefix = %U|%I|%S
         full_audit:success = connect disconnect mkdir rmdir open read write rename opendir unlink
         full_audit:failure = open write mkdir rmdir rename unlink
         full_audit:facility = local5
         full_audit:priority = NOTICE
recycle:directory_mode parameter is NEVER applied to the .recycle 
directory, default 0700 is ALWAYS applied (whatever value is set to 
recycle:directory_mode).
Tested several times by :
modify smb.conf
killall samba
/usr/local/samba/sbin/samba
Thanks in advance for help.
Nicolas
(It turns out that only the first user who deletes a file has access to
.recycle, files deleted by other users are unlinked, manually setting
0770 perms on .recycle makes it work as expected)
Rowland penny
2016-Jul-23  09:02 UTC
[Samba] permission problem with vfs object recycle:directory_mode
On 23/07/16 07:58, Nicolas wrote:
> Well,
>
> Although I've recently answered about vfs object recycle on this list,
> it seems that it isn't working as expected.
>
> Using Samba 4.4.5, compiled from sources
>
> Here is the conf for a share:
> [musique]
>          path = /media/data/musique
>          read only = No
>          vfs objects = acl_xattr recycle
>          recycle:directory_mode = 0770
>          recycle:subdir_mode = 0700
>          recycle:versions = Yes
>          recycle:keeptree = Yes
>          recycle:touch = Yes
>          recycle:repository = .recycle
>          full_audit:prefix = %U|%I|%S
>          full_audit:success = connect disconnect mkdir rmdir open read write rename opendir unlink
>          full_audit:failure = open write mkdir rmdir rename unlink
>          full_audit:facility = local5
>          full_audit:priority = NOTICE
>
> recycle:directory_mode parameter is NEVER applied to the .recycle
> directory, default 0700 is ALWAYS applied (whatever value is set to
> recycle:directory_mode).
>
> Tested several times by :
> modify smb.conf
> killall samba
> /usr/local/samba/sbin/samba
>
> Thanks in advance for help.
>
> Nicolas
>
> (It turns out that only the first user who deletes a file has access
> to .recycle, files deleted by other users are unlinked, manually
> setting 0770 perms on .recycle makes it work as expected)

OK, just tested this on a DC (which is what you must be using as you are
starting the 'samba' binary) and it works for me.
The .recycle bin gets created with 'drwxrwx---' permissions and whilst
the owner/group is 'SAMDOM\rowland SAMDOM\domain users', because the
group permissions are 'rwx' any users should be able to use it.

The only differences between my setup and the one you posted are, I
didn't use the 'full_audit' lines and I didn't use the totally unneeded
'acl_xattr' option to 'vfs objects'. You only need this on a domain
member.

Rowland
Nicolas
2016-Jul-23  10:39 UTC
[Samba] permission problem with vfs object recycle:directory_mode
On 23/07/2016 20:02, Rowland penny wrote:
> On 23/07/16 07:58, Nicolas wrote:
>> Well,
>>
>> Although I've recently answered about vfs object recycle on this
>> list, it seems that it isn't working as expected.
>>
>> Using Samba 4.4.5, compiled from sources
>>
>> Here is the conf for a share:
>> [musique]
>>          path = /media/data/musique
>>          read only = No
>>          vfs objects = acl_xattr recycle
>>          recycle:directory_mode = 0770
>>          recycle:subdir_mode = 0700
>>          recycle:versions = Yes
>>          recycle:keeptree = Yes
>>          recycle:touch = Yes
>>          recycle:repository = .recycle
>>          full_audit:prefix = %U|%I|%S
>>          full_audit:success = connect disconnect mkdir rmdir open read write rename opendir unlink
>>          full_audit:failure = open write mkdir rmdir rename unlink
>>          full_audit:facility = local5
>>          full_audit:priority = NOTICE
>>
>> recycle:directory_mode parameter is NEVER applied to the .recycle
>> directory, default 0700 is ALWAYS applied (whatever value is set to
>> recycle:directory_mode).
>>
>> Tested several times by :
>> modify smb.conf
>> killall samba
>> /usr/local/samba/sbin/samba
>>
>> Thanks in advance for help.
>>
>> Nicolas
>>
>> (It turns out that only the first user who deletes a file has access
>> to .recycle, files deleted by other users are unlinked, manually
>> setting 0770 perms on .recycle makes it work as expected)
>
> OK, just tested this on a DC (which is what you must be using as you
> are starting the 'samba' binary) and it works for me.
> The .recycle bin gets created with 'drwxrwx---' permissions and whilst
> the owner/group is 'SAMDOM\rowland SAMDOM\domain users', because the
> group permissions are 'rwx' any users should be able to use it.
>
> The only differences between my setup and the one you posted are, I
> didn't use the 'full_audit' lines and I didn't use the totally
> unneeded 'acl_xattr' option to 'vfs objects'. You only need this on a
> domain member.
>
> Rowland

Thanks Rowland,

From tests, it is the
> totally unneeded 'acl_xattr' option to 'vfs objects'
that causes this problem.
(By the way, it is not a 700 permission that is applied but a 750)

Thanks again!
Nicolas
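
Added example, not part of the thread and not Samba project code: a small check that compares the on-disk mode of a share's recycle repository with the configured recycle:directory_mode and notes when acl_xattr is stacked with recycle, the combination this thread traced the 0750 result to. The function names are hypothetical, the sample share points at a constructed scratch directory, and the fallbacks (0700, .recycle) assume the recycle module's documented defaults.

```python
import os
import stat
import tempfile

def parse_share(conf_text, share):
    """Return one [share] section of smb.conf text as a dict of lowercased keys."""
    params, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            key, value = line.split("=", 1)  # split on '=' only: keys contain ':'
            params[key.strip().lower()] = value.strip()
    return params

def check_recycle(conf_text, share):
    """Compare the on-disk repository mode with recycle:directory_mode."""
    p = parse_share(conf_text, share)
    want = int(p.get("recycle:directory_mode", "0700"), 8)  # assumed default
    repo = os.path.join(p["path"], p.get("recycle:repository", ".recycle"))
    if not os.path.isdir(repo):
        return [f"{repo} does not exist yet"]
    have = stat.S_IMODE(os.stat(repo).st_mode)
    findings = []
    if have != want:
        findings.append(f"mode is {have:04o}, configured {want:04o}")
    if want & stat.S_IWGRP and not have & stat.S_IWGRP:
        findings.append("group write missing: other group members cannot move files in")
    modules = p.get("vfs objects", "").split()
    if findings and "acl_xattr" in modules and "recycle" in modules:
        findings.append("acl_xattr is stacked with recycle")
    return findings

# Constructed sample: the share from the thread, pointed at a scratch directory.
SAMPLE = """[musique]
    path = {path}
    vfs objects = acl_xattr recycle
    recycle:directory_mode = 0770
    recycle:repository = .recycle
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share_path:
        repo = os.path.join(share_path, ".recycle")
        os.mkdir(repo)
        os.chmod(repo, 0o750)  # the mode Nicolas reported seeing
        for finding in check_recycle(SAMPLE.format(path=share_path), "musique"):
            print(finding)
```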