Oleg Cherkasov
2018-Aug-08 16:45 UTC
[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:
> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote:
>>
>> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7
>> installations started to ignore ACL settings and reject user access to
>> shares. All three servers are members of DC running on Windows Server
>> 2008R2. Everything has been running ok for the last few years. I have
>> been upgrading Samba and FreeBSD installations and on last Friday
>> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7
>> and after restarting the services everything worked as expected.
>>

Have found the issue, it is audit or full_audit vfs. It seems if I remove 'vfs objects = full_audit' or 'vfs objects = audit' everything works as expected. So the next question: security and vfs_full_audit have some issue :(

>> [global]
>> security = ADS
>> workgroup = DOMAIN.LO
>> realm = DOMAIN.LO
>> password server = 10.54.148.9
>> ...
>>
>> vfs objects = full_audit
>> full_audit:prefix = %u|%m|%S
>> full_audit:success = mkdir rmdir write pwrite rename unlink
>> full_audit:failure = mkdir rmdir write pwrite rename unlink
>> full_audit:facility = local5
>> full_audit:priority = info

Does full_audit/audit work with ADS? With 'vfs objects = full_audit' shares report root, wheels and Everyone in Security Permissions rather than the actual ACL. Disabling full_audit immediately shows actual ACLs and I may update it as well.
Dante Colo
2018-Aug-08 20:30 UTC
[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
If you add a vfs module to a share you also have to explicitly add acl_xattr; that's what I do when I want to add another module and keep acl_xattr on the same share. If I'm not doing it the right way, someone correct me.
Oleg Cherkasov
2018-Aug-09 09:53 UTC
[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
On 08. aug. 2018 22:30, Dante Colo wrote:
>
> If you add to vfs module to a share you also have to explicit add acl_xattr , that's what i do when i want to add another module and keep acl_xattr on the same share, if i'm not doing right way someone correct me .
>

I already have 'vfs objects = zfsacl' set for my ZFS shares so acl_xattr does not help at all. acl_xattr adds two more entries to the Security Permissions list: CREATOR OWNER and CREATOR GROUP. Without acl_xattr I have only: root, wheel and Everyone. It seems full_audit/audit vfs works with acl_xattr and does not handle zfsacl, or it may be the other way around of course.
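The stacking rule suggested in the reply above, as an added example (not code from the thread or from the Samba project): a small Python check that computes each share's effective 'vfs objects' list and flags shares that load audit or full_audit without an ACL module. It assumes a share-level 'vfs objects' line replaces the [global] value rather than extending it, and that acl_xattr and zfsacl are the ACL modules of interest; the function names and the sample smb.conf are constructed for illustration.

```python
import re

# Assumption: the ACL modules named in the thread; extend the set for your site.
ACL_MODULES = {"acl_xattr", "zfsacl"}
AUDIT_MODULES = {"audit", "full_audit"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; a repeated parameter keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def effective_vfs(sections):
    """Per share, the module list in effect: a share-level value replaces [global]."""
    default = sections.get("global", {}).get("vfs objects", "")
    return {name: [m.split(":")[0] for m in params.get("vfs objects", default).split()]
            for name, params in sections.items() if name != "global"}

def shares_losing_acl_module(text):
    """Shares whose effective stack has an audit module but no ACL module."""
    stacks = effective_vfs(parse_smb_conf(text))
    return sorted(name for name, mods in stacks.items()
                  if AUDIT_MODULES & set(mods) and not ACL_MODULES & set(mods))

# Constructed sample, not the poster's actual smb.conf.
SAMPLE = """
[global]
   security = ADS
   vfs objects = zfsacl
[data]
   vfs objects = full_audit
   full_audit:prefix = %u|%m|%S
[projects]
   vfs objects = zfsacl full_audit
[scratch]
   path = /tank/scratch
"""

if __name__ == "__main__":
    print(shares_losing_acl_module(SAMPLE))
```

On the constructed sample only the [data] share is flagged: its own 'vfs objects' line drops the zfsacl module inherited from [global], while [projects] lists both modules and [scratch] inherits the global value.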