Oleg Cherkasov
2018-Aug-08 16:45 UTC
[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote: >> >> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7 >> installations started to ignore ACL settings and reject user access to >> shares. All three servers are members of DC running on Windows Server >> 2008R2. Everything has been running ok for last few year. I have >> been upgrading Samba and FreeBSD installations and on last Friday >> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7 >> and after restarting the services everything worked as expected. >>Have found the issue, it is audit or full_audit vfs. It seems if I remove 'vfs objects = full_audit' or 'vfs objects = audit' everything works as expected. So the next question security and vfs_full_audit have some issue :(>> [global] >> security = ADS >> workgroup = DOMAIN.LO >> realm = DOMAIN.LO >> password server = 10.54.148.9 >>...>> >> vfs objects = full_audit >> full_audit:prefix = %u|%m|%S >> full_audit:success = mkdir rmdir write pwrite rename unlink >> full_audit:failure = mkdir rmdir write pwrite rename unlink >> full_audit:facility = local5 >> full_audit:priority = infoDoes full_audit/audit works with ADS? With 'vfs objects = full_audit' shares report root, wheels and Everyone in Security Permissions rather actual ACL. Disabling full_audit immediately shows actual ACLs and I may update it as well.
Dante Colo
2018-Aug-08 20:30 UTC
[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
If you add to vfs module to a share you also have to explicit add acl_xattr , that's what i do when i want to add another module and keep acl_xattr on the same share, if i'm not doing right way someone correct me . ----- Original Message ----- From: "samba" <samba at lists.samba.org> To: "samba" <samba at lists.samba.org> Cc: "Oleg Cherkasov" <o1e9.cherkasov at yandex.com> Sent: Wednesday, August 8, 2018 1:45:23 PM Subject: Re: [Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL On 06. aug. 2018 16:37, Oleg Cherkasov via samba wrote:> On 06. aug. 2018 15:15, Oleg Cherkasov via samba wrote: >> >> This morning three of our FreeBSD-11.1-p11 servers with Samba 4.7.7 >> installations started to ignore ACL settings and reject user access to >> shares. All three servers are members of DC running on Windows Server >> 2008R2. Everything has been running ok for last few year. I have >> been upgrading Samba and FreeBSD installations and on last Friday >> upgraded to the latest packages from samba47-4.7.6 to samba47-4.7.7 >> and after restarting the services everything worked as expected. >>Have found the issue, it is audit or full_audit vfs. It seems if I remove 'vfs objects = full_audit' or 'vfs objects = audit' everything works as expected. So the next question security and vfs_full_audit have some issue :(>> [global] >> security = ADS >> workgroup = DOMAIN.LO >> realm = DOMAIN.LO >> password server = 10.54.148.9 >>...>> >> vfs objects = full_audit >> full_audit:prefix = %u|%m|%S >> full_audit:success = mkdir rmdir write pwrite rename unlink >> full_audit:failure = mkdir rmdir write pwrite rename unlink >> full_audit:facility = local5 >> full_audit:priority = infoDoes full_audit/audit works with ADS? With 'vfs objects = full_audit' shares report root, wheels and Everyone in Security Permissions rather actual ACL. Disabling full_audit immediately shows actual ACLs and I may update it as well. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Oleg Cherkasov
2018-Aug-09 09:53 UTC
[Samba] samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
On 08. aug. 2018 22:30, Dante Colo wrote:> > If you add to vfs module to a share you also have to explicit add acl_xattr , that's what i do when i want to add another module and keep acl_xattr on the same share, if i'm not doing right way someone correct me . >I am already have 'vfs objects = zfsacl' set for my ZFS shares so acl_xattr does not help at all. acl_xattr adds two more entries to the Security Permissions list: CREATOR OWNER and CREATOR GROUP. With out acl_xattr I have only: root, wheel and Everyone. If seems full_audit/audit vfs works with acl_xattr and do not handle zfsacl, or it may be the other way around of course.
Reasonably Related Threads
- samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
- samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
- samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
- samba 4.7.7 shares on FreeBSD 11.1-p11 started to ignore ACL
- widelinks_warning - but unix extensions *are* off