On 10/06/2019 08:51, Tomáš Havlín wrote:
> Hello
> my smb.conf + working and no working ACL share folders
>
> [global]
> netbios name = FENIX
> realm = PFCZ.INTRA
> server role = active directory domain controller
> workgroup = PFCZ
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 10.254.254.1
>
> unix extensions = no
> wide links = yes
> follow symlinks = yes
> bind interfaces only = yes
> interfaces = lo eno1
> max log size = 150000
>
> [netlogon]
> path = /var/lib/samba/sysvol/pfcz.intra/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [share] - working VFS:recycle, original share
>     path = /mnt/data1/share
>     read only = no
>
> [XXX] - no working VFS:recycle, testing share
>     path = /mnt/data1/XXX
>     read only = no
>     vfs object = recycle
>     recycle:repository = .deleted
>     recycle:keeptree = yes
>     recycle:touch = yes
>     recycle:version = yes
>     recycle:maxsize = 0
>     recycle:exclude = *.tmp
>     recycle:exclude_dir = /tmp
>
>
It looks to me that the VFS changes have caused this.

You are using a DC as a fileserver, this isn't recommended for a start.

On a DC, 'vfs objects = acl_xattr' is set by default, this means that 'inherit acls = yes' is set and you do not have a 'recycle:directory_mode' line, so you will be using the default '0700'. Put this all together and what you are getting is correct, don't ask me why it worked before, but not now. It looks like it was actually wrong before but correct now ;-)

Rowland

In fact, I don't understand. I have no problem with deleted files, and I have 700 on .deleted folder because I don't need to have users be able to open deleted folder with deleted files, it is only for me. If VFS:recycle is enabled, newly created files on share folder (not .deleted folder, not deleted files) permission to this folder are limited by mask and owner is "root". Without VFS:recycle newly created files have owner "user" and rights are fine. I tried to put recycle:directory_mode = 777 to smb.conf, but nothing changed.

on XXX share
getfacl vvv.txt
# file: vvv.txt
# owner: root
# group: users
user::rw-
group::---
group:users:rwx #effective:r--
group:3000002:---
mask::r--
other::---

on original share
# getfacl aaa.txt
# file: aaa.txt
# owner: 3000000
# group: users
user::rwx
user:root:rwx
user:3000002:rwx
user:3000004:rwx
group::rwx
group:users:rwx
group:3000000:rwx
group:3000002:rwx
group:3000004:rwx
mask::rwx
other::---

------ Original Message ------
From: "Rowland penny via samba" <samba at lists.samba.org>
To: "sambalist" <samba at lists.samba.org>
Sent: 10.06.2019 10:32:39
Subject: Re: [Samba] SAMBA AD VFS:Recycle bad permissions

> On 10/06/2019 08:51, Tomáš Havlín wrote:
>> Hello
>> my smb.conf + working and no working ACL share folders
>>
>> [global]
>> netbios name = FENIX
>> realm = PFCZ.INTRA
>> server role = active directory domain controller
>> workgroup = PFCZ
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = 10.254.254.1
>>
>> unix extensions = no
>> wide links = yes
>> follow symlinks = yes
>> bind interfaces only = yes
>> interfaces = lo eno1
>> max log size = 150000
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/pfcz.intra/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [share] - working VFS:recycle, original share
>>     path = /mnt/data1/share
>>     read only = no
>>
>> [XXX] - no working VFS:recycle, testing share
>>     path = /mnt/data1/XXX
>>     read only = no
>>     vfs object = recycle
>>     recycle:repository = .deleted
>>     recycle:keeptree = yes
>>     recycle:touch = yes
>>     recycle:version = yes
>>     recycle:maxsize = 0
>>     recycle:exclude = *.tmp
>>     recycle:exclude_dir = /tmp
>>
>>
> It looks to me that the VFS changes have caused this.
>
> You are using a DC as a fileserver, this isn't recommended for a start.
>
> On a DC, 'vfs objects = acl_xattr' is set by default, this means that 'inherit acls = yes' is set and you do not have a 'recycle:directory_mode' line, so you will be using the default '0700'. Put this all together and what you are getting is correct, don't ask me why it worked before, but not now. It looks like it was actually wrong before but correct now ;-)
>
> Rowland

I had a similar issue on samba 4.8 domain member (new files with wrong permissions), when I realised that You need to list all modules that You wish to use in "vfs objects" every time, there is no inheritance from global -> shares

that is if You have e.g.

[global]
...
vfs object = acl_xattr
..
[some share]
...
vfs object = recycle
..

On samba DC "acl_xattr" is set by default, but setting vfs object in a specific share might override it (If I'm mistaken please someone correct me, but it seems to be the case). It means that in fact there is no "acl_xattr" set for [some share], and You have to change it to:

vfs object = acl_xattr recycle

(list all modules explicitly)

In my case missing "acl_xattr" module was the reason for wrong file permissions in specific shares. All shares that had no "vfs object" set were working correctly, because they used settings from [global].

Regards,
Kacper

On 10.06.2019 at 11:07, Tomáš Havlín via samba wrote:
> In fact, I don't understand. I have no problem with deleted files,
> and I have 700 on .deleted folder because I don't need to have users
> be able to open deleted folder with deleted files, it is only for me.
> If VFS:recycle is enabled, newly created files on share folder (not
> .deleted folder, not deleted files) permission to this folder are
> limited by mask and owner is "root". Without VFS:recycle newly created
> files have owner "user" and rights are fine. I tried to put
> recycle:directory_mode = 777 to smb.conf, but nothing changed.
>
> on XXX share
> getfacl vvv.txt
> # file: vvv.txt
> # owner: root
> # group: users
> user::rw-
> group::---
> group:users:rwx #effective:r--
> group:3000002:---
> mask::r--
> other::---
>
>
> on original share
> # getfacl aaa.txt
> # file: aaa.txt
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx
> user:3000002:rwx
> user:3000004:rwx
> group::rwx
> group:users:rwx
> group:3000000:rwx
> group:3000002:rwx
> group:3000004:rwx
> mask::rwx
> other::---
>
> ------ Original Message ------
> From: "Rowland penny via samba" <samba at lists.samba.org>
> To: "sambalist" <samba at lists.samba.org>
> Sent: 10.06.2019 10:32:39
> Subject: Re: [Samba] SAMBA AD VFS:Recycle bad permissions
>
>> On 10/06/2019 08:51, Tomáš Havlín wrote:
>>> Hello
>>> my smb.conf + working and no working ACL share folders
>>>
>>> [global]
>>> netbios name = FENIX
>>> realm = PFCZ.INTRA
>>> server role = active directory domain controller
>>> workgroup = PFCZ
>>> idmap_ldb:use rfc2307 = yes
>>> dns forwarder = 10.254.254.1
>>>
>>> unix extensions = no
>>> wide links = yes
>>> follow symlinks = yes
>>> bind interfaces only = yes
>>> interfaces = lo eno1
>>> max log size = 150000
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/pfcz.intra/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [share] - working VFS:recycle, original share
>>>     path = /mnt/data1/share
>>>     read only = no
>>>
>>> [XXX] - no working VFS:recycle, testing share
>>>     path = /mnt/data1/XXX
>>>     read only = no
>>>     vfs object = recycle
>>>     recycle:repository = .deleted
>>>     recycle:keeptree = yes
>>>     recycle:touch = yes
>>>     recycle:version = yes
>>>     recycle:maxsize = 0
>>>     recycle:exclude = *.tmp
>>>     recycle:exclude_dir = /tmp
>>>
>>>
>> It looks to me that the VFS changes have caused this.
>>
>> You are using a DC as a fileserver, this isn't recommended for a start.
>>
>> On a DC, 'vfs objects = acl_xattr' is set by default, this means
>> that 'inherit acls = yes' is set and you do not have a
>> 'recycle:directory_mode' line, so you will be using the default
>> '0700'. Put this all together and what you are getting is correct,
>> don't ask me why it worked before, but not now. It looks like it was
>> actually wrong before but correct now ;-)
>>
>> Rowland
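
An added example, not part of the original thread and not Samba code: a small checker for the situation described in the last reply, where a share-level "vfs objects" line replaces the inherited module list and so drops acl_xattr. The sample configuration is constructed from the smb.conf quoted in the thread; the function names and the `required` parameter are assumptions of this example.

```python
import re
# Constructed sample, reduced from the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller
[share]
    path = /mnt/data1/share
[XXX]
    path = /mnt/data1/XXX
    vfs object = recycle
"""

VFS_KEYS = ("vfs objects", "vfs object")  # Samba accepts both spellings

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; parameter names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def vfs_modules(params):
    """Module list set in this section, or None when the section sets none."""
    for key in VFS_KEYS:
        if key in params:
            return [m for m in re.split(r"[,\s]+", params[key]) if m]
    return None

def shares_dropping_modules(text, required=("acl_xattr",)):
    """Shares whose own vfs objects line omits a required module (assumed list)."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        mods = vfs_modules(params)
        if name.lower() == "global" or mods is None:
            continue                          # no share-level override
        missing = [m for m in required if m not in mods]
        if missing:
            findings.append((name, missing))
    return findings

print(shares_dropping_modules(SAMPLE_SMB_CONF))
```

Shares without their own "vfs objects" line are skipped because they keep the global or built-in list; only [XXX] is reported here.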