Peter Eriksson
2019-Feb-27 15:53 UTC
[Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled
We just noticed an interesting bug/misfeature on our Samba 4.9.4 servers (FreeBSD 11.2). The same effect is also visible on Samba 4.8.3 on CentOS 7.

Start with a directory that looks like this:

    root@filur00:/tmp/test # ls -la
    total 50
    drwxrwx---   2 peter86  uf-iti-all   3 Feb 27 11:27 .
    drwxrwxrwt  10 root     wheel       56 Feb 27 16:41 ..
    -rw-rw----   1 mikha02  uf-iti-all   6 Feb 27 11:27 hello.txt

I.e., no ACLs, just “pure” Unix permission bits. Share it as usual via smb.conf.

With a smb.conf file with any “vfs objects” enabled (doesn’t matter which, or even with an empty list):

    vfs objects = ;; empty list
    vfs objects = shadow_copy2 zfsacl full_audit

Then if you (from a Windows machine) look at the file's Properties -> Security you will find that the Write access for the Group entry has been removed from the ACL list displayed (and Samba will give Windows users access errors when they try to write to that file).

With a smb.conf file without a “vfs objects” line you will correctly get the right Write Access for the Group in the ACL.

It feels like having any “vfs objects” config line removes some kind of default VFS module that does something that it should call instead of calling it last….

- Peter
Rowland Penny
2019-Feb-27 16:17 UTC
[Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled
On Wed, 27 Feb 2019 16:53:48 +0100 Peter Eriksson via samba <samba at lists.samba.org> wrote:

> We just noticed an interesting bug/misfeature on our Samba 4.9.4
> servers (FreeBSD 11.2). The same effect is also visible on Samba
> 4.8.3 on CentOS 7.
>
> Start with a directory that looks like this:
>
> root@filur00:/tmp/test # ls -la
> total 50
> drwxrwx---   2 peter86  uf-iti-all   3 Feb 27 11:27 .
> drwxrwxrwt  10 root     wheel       56 Feb 27 16:41 ..
> -rw-rw----   1 mikha02  uf-iti-all   6 Feb 27 11:27 hello.txt
>
> I.e., no ACLs, just “pure” Unix permission bits. Share it as usual via
> smb.conf.
>
> With a smb.conf file with any “vfs objects” enabled (doesn’t matter
> which, or even with an empty list):
>
> vfs objects = ;; empty list
> vfs objects = shadow_copy2 zfsacl full_audit
>
> Then if you (from a Windows machine) look at the file's Properties ->
> Security you will find that the Write access for the Group entry has
> been removed from the ACL list displayed (and Samba will give Windows
> users access errors when they try to write to that file).
>
> With a smb.conf file without a “vfs objects” line you will correctly
> get the right Write Access for the Group in the ACL.
>
> It feels like having any “vfs objects” config line removes some kind
> of default VFS module that does something that it should call instead
> of calling it last….
>
> - Peter

Would this be on a DC?
If so, you are removing the default vfs objects, and this is a known 'problem'.

Rowland
Peter Eriksson
2019-Feb-27 19:58 UTC
[Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled
> Would this be on a DC?
> If so, you are removing the default vfs objects, and this is a known
> 'problem'.

Not on a DC - this is on AD member fileserver(s).

It’s not a ‘problem’. It’s a _problem_. If you can’t add 'vfs objects' without the default built-in module getting lost then how is that supposed to work at all?

I’ve tried looking at the source code to see if there is some kind of default module one could load manually but it seems to be built-in.

We need the zfsacl (for files/dirs with ZFS ACLs), shadow_copy2 (for snapshots/previous versions) & full_audit modules, but also the default built-in stuff to work (for cases where users have files/dirs without ACLs set)...

Ah well, back to reading the source code again.

- Peter

> On 27 Feb 2019, at 17:17, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Wed, 27 Feb 2019 16:53:48 +0100
> Peter Eriksson via samba <samba at lists.samba.org> wrote:
>
>> We just noticed an interesting bug/misfeature on our Samba 4.9.4
>> servers (FreeBSD 11.2). The same effect is also visible on Samba
>> 4.8.3 on CentOS 7.
>>
>> Start with a directory that looks like this:
>>
>> root@filur00:/tmp/test # ls -la
>> total 50
>> drwxrwx---   2 peter86  uf-iti-all   3 Feb 27 11:27 .
>> drwxrwxrwt  10 root     wheel       56 Feb 27 16:41 ..
>> -rw-rw----   1 mikha02  uf-iti-all   6 Feb 27 11:27 hello.txt
>>
>> I.e., no ACLs, just “pure” Unix permission bits. Share it as usual via
>> smb.conf.
>>
>> With a smb.conf file with any “vfs objects” enabled (doesn’t matter
>> which, or even with an empty list):
>>
>> vfs objects = ;; empty list
>> vfs objects = shadow_copy2 zfsacl full_audit
>>
>> Then if you (from a Windows machine) look at the file's Properties ->
>> Security you will find that the Write access for the Group entry has
>> been removed from the ACL list displayed (and Samba will give Windows
>> users access errors when they try to write to that file).
>>
>> With a smb.conf file without a “vfs objects” line you will correctly
>> get the right Write Access for the Group in the ACL.
>>
>> It feels like having any “vfs objects” config line removes some kind
>> of default VFS module that does something that it should call instead
>> of calling it last….
>>
>> - Peter
>
> Would this be on a DC?
> If so, you are removing the default vfs objects, and this is a known
> 'problem'.
>
> Rowland
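To find what the report above says is affected, this added example (not part of the original thread and not Samba code) parses an smb.conf, picks out shares where `vfs objects` is set, including an empty list or a value inherited from `[global]`, and lists group-writable files under each share path. The sample configuration and the function names are constructed for illustration, and the script does not check whether a file also carries an ACL.

```python
import configparser
import os
import stat

# smb.conf ignores spaces in parameter names; "vfs object" is a synonym.
VFS_KEYS = {"vfsobjects", "vfsobject"}

# Constructed sample, modelled on the configuration lines quoted in the report.
SAMPLE_CONF = """\
[test]
path = /tmp/test
vfs objects = shadow_copy2 zfsacl full_audit
[empty]
path = /srv/empty
vfs objects =
[plain]
path = /srv/plain
"""

def shares_with_vfs_objects(conf_text):
    """Share name -> (path, modules) where 'vfs objects' is set or inherited from [global]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    def vfs(section, default=None):
        for key, value in cp.items(section, raw=True):
            if key.replace(" ", "") in VFS_KEYS:
                return value.split()  # an empty list still counts as "set"
        return default
    glob = next((s for s in cp.sections() if s.lower() == "global"), None)
    inherited = vfs(glob) if glob else None
    found = {}
    for section in cp.sections():
        if section == glob or not cp.has_option(section, "path"):
            continue
        modules = vfs(section, inherited)
        if modules is not None:
            found[section] = (cp.get(section, "path", raw=True), modules)
    return found

def group_writable_files(root):
    """Regular files under root whose mode has the group-write bit (e.g. -rw-rw----)."""
    paths = (os.path.join(d, n) for d, _, names in os.walk(root) for n in names)
    return sorted(p for p in paths
                  if stat.S_ISREG(os.lstat(p).st_mode) and os.lstat(p).st_mode & stat.S_IWGRP)

if __name__ == "__main__":
    for share, (path, modules) in shares_with_vfs_objects(SAMPLE_CONF).items():
        print(share, path, modules or "(empty list)", group_writable_files(path))
```

Files it lists are the ones to compare against the Group entry that Windows shows under Properties -> Security.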