samba - Jun 2019 - Problems with inconsistent ACL inheritance and permissions after Samba upgrade

On 11/06/19 11:49, Rowland penny via samba wrote:
> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>
>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>> I've just upgraded a Samba AD server to 4.10.2 a few weeks
ago from
>>>> 4.x (I'm afraid I'm not sure the exact earlier version)
- and since
>>>> then I just haven't managed to pin down the file
permissions and
>>>> inheritance on the shares as it's been constantly causing
issues.
>>>> This server is both a file server and a AD DC.
>>>>
>>>> The current problem I am facing is the permissions of the lock
file
>>>> generated by Microsoft Access (.ldb). The Access database is on
the
>>>> server share. When one Windows client opens it, the .ldb file
is
>>>> created with group write permission (-rw-rw----). But when it
is
>>>> opened from another Windows machine, the .ldb file is created
with
>>>> group read-only permissions (-rw-r-----) - which locks other
users
>>>> out. There seems to be a mask applied, but I have no idea where
is
>>>> it coming from. Both client machines are Windows 7 - I just
can't
>>>> figure out the reason. It used to work fine before the Samba 
>>>> upgrade. The wrong acl's for the .ldb file look like this:
>>>>
>>>> # file: praxis_be.ldb
>>>> # owner: HEBI\\user1
>>>> # group: HEBI\\domain\040users
>>>> user::rw-
>>>> user:root:rwx??????????? #effective:r--
>>>> group::rwx??????????? #effective:r--
>>>> group:HEBI\\domain\040users:rwx??? #effective:r--
>>>> group:HEBI\\domain\040computers:r-x??? #effective:r--
>>>> mask::r--
>>>> other::---
>>>>
>>>>
>>>> What I've tried:
>>>>
>>>> 1. I have set and reset the acl's on the Linux side for the
share
>>>> and parent dir (the lock file is in the root of the network
share) -
>>>> and made sure it doesn't have a mask:
>>>
>>> You should stop doing this, as it is a DC, you need to set the 
>>> permissions from Windows, see here:
>>>
>>>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>
>> Thank you for the quick answer. I should have mentioned that I tried 
>> that as well. Could you confirm if "inherit acls" and
"create mask"
>> and "directory mask" should still apply to Samba in AD mode
any more -
>> or not?
>>
>>
> Your share on the DC should only be this:
> 
> [praxis]
> path = /srv/samba/praxis
> read only = No
> 
> You shouldn't add anything else, it has always been this way on a DC.
Yes - that's what I read in the docs - and that's what I started with. 
But that's when I don't get the expected ACL inheritance. I just trimmed
the share definition down again to the above, and when I created a dir, 
the mask kicks in again:

# file: test3
# owner: root
# group: HEBI\\domain\040users
# flags: -s-
user::rwx
user:root:rwx			#effective:r-x
user:3000017:r-x
group::rwx			#effective:r-x
group:HEBI\\domain\040users:rwx	#effective:r-x
group:HEBI\\domain\040computers:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:user:3000017:r-x
default:group::rwx
default:group:HEBI\\domain\040users:rwx
default:group:HEBI\\domain\040computers:r-x
default:mask::rwx
default:other::---


Is the mask coming from the local Linux filesystem umask? If yes, 
shouldn't the ACL's supersede it?
> I think it might help if you posted the global part of the smb.conf
Sure:


[global]
bind interfaces only = Yes
interfaces = lo eth1 tun0 tun1
netbios name = HEBI-SERVER
realm = HEBI.LAN
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
workgroup = HEBI
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
comment 
log file = /var/log/samba/%m.log
max log size = 1000

mangling method = hash2
mangle prefix = 6
reset on zero vc = yes
deadtime = 10


load printers = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork

On 11/06/2019 13:13, Sebastian Arcus via samba wrote:
>
> On 11/06/19 11:49, Rowland penny via samba wrote:
>> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>>
>>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>>> I've just upgraded a Samba AD server to 4.10.2 a few
weeks ago
>>>>> from 4.x (I'm afraid I'm not sure the exact earlier
version) - and
>>>>> since then I just haven't managed to pin down the file
permissions
>>>>> and inheritance on the shares as it's been constantly
causing
>>>>> issues. This server is both a file server and a AD DC.
>>>>>
>>>>> The current problem I am facing is the permissions of the
lock
>>>>> file generated by Microsoft Access (.ldb). The Access
database is
>>>>> on the server share. When one Windows client opens it, the
.ldb
>>>>> file is created with group write permission (-rw-rw----).
But when
>>>>> it is opened from another Windows machine, the .ldb file is
>>>>> created with group read-only permissions (-rw-r-----) -
which
>>>>> locks other users out. There seems to be a mask applied,
but I
>>>>> have no idea where is it coming from. Both client machines
are
>>>>> Windows 7 - I just can't figure out the reason. It used
to work
>>>>> fine before the Samba upgrade. The wrong acl's for the
.ldb file
>>>>> look like this:
>>>>>
>>>>> # file: praxis_be.ldb
>>>>> # owner: HEBI\\user1
>>>>> # group: HEBI\\domain\040users
>>>>> user::rw-
>>>>> user:root:rwx??????????? #effective:r--
>>>>> group::rwx??????????? #effective:r--
>>>>> group:HEBI\\domain\040users:rwx??? #effective:r--
>>>>> group:HEBI\\domain\040computers:r-x??? #effective:r--
>>>>> mask::r--
>>>>> other::---
>>>>>
>>>>>
>>>>> What I've tried:
>>>>>
>>>>> 1. I have set and reset the acl's on the Linux side for
the share
>>>>> and parent dir (the lock file is in the root of the network
share)
>>>>> - and made sure it doesn't have a mask:
>>>>
>>>> You should stop doing this, as it is a DC, you need to set the 
>>>> permissions from Windows, see here:
>>>>
>>>>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>
>>> Thank you for the quick answer. I should have mentioned that I
tried
>>> that as well. Could you confirm if "inherit acls" and
"create mask"
>>> and "directory mask" should still apply to Samba in AD
mode any more
>>> - or not?
>>>
>>>
>> Your share on the DC should only be this:
>>
>> [praxis]
>> path = /srv/samba/praxis
>> read only = No
>>
>> You shouldn't add anything else, it has always been this way on a
DC.
>
> Yes - that's what I read in the docs - and that's what I started
with.
> But that's when I don't get the expected ACL inheritance. I just 
> trimmed the share definition down again to the above, and when I 
> created a dir, the mask kicks in again:
>
> # file: test3
> # owner: root
> # group: HEBI\\domain\040users
> # flags: -s-
> user::rwx
> user:root:rwx??????????? #effective:r-x
> user:3000017:r-x
> group::rwx??????????? #effective:r-x
> group:HEBI\\domain\040users:rwx??? #effective:r-x
> group:HEBI\\domain\040computers:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000017:r-x
> default:group::rwx
> default:group:HEBI\\domain\040users:rwx
> default:group:HEBI\\domain\040computers:r-x
> default:mask::rwx
> default:other::---
>
>
> Is the mask coming from the local Linux filesystem umask? If yes, 
> shouldn't the ACL's supersede it?
>
>> I think it might help if you posted the global part of the smb.conf
>
> Sure:
>
>
> [global]
> bind interfaces only = Yes
> interfaces = lo eth1 tun0 tun1
> netbios name = HEBI-SERVER
> realm = HEBI.LAN
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
> workgroup = HEBI
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> comment >
> log file = /var/log/samba/%m.log
> max log size = 1000
>
> mangling method = hash2
> mangle prefix = 6
> reset on zero vc = yes
> deadtime = 10
>
>
> load printers = yes
> rpc_server:spoolss = external
> rpc_daemon:spoolssd = fork
>
Would it help if I told you that you are reading the wrong permissions ?

They are stored in an extended attr:

root at dc4:~# getfattr -n security.NTACL -d /srv/samba/Demo/
getfattr: Removing leading '/' from absolute path names
# file: srv/samba/Demo/
security.NTACL=0sAwADAAAAAgAEAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAScZAAAAIAAAAAAAAAAnAAAAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P/QBAAABBQAAAAAABRUAAABJJWZpmd47xzE4eT9KCAAAAgCMAAUAAAAACxQAqQASAAEBAAAAAAABAAAAAAALFAD/AR8AAQEAAAAAAAMAAAAAAAsUAKkAEgABAQAAAAAAAwEAAAAAAyQAvwESAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5PwECAAAAAyQA/wEfAAEFAAAAAAAFFQAAAEklZmmZ3jvHMTh5P0oIAAA
Not very readable, but:

root at dc4:~# samba-tool ntacl get /srv/samba/Demo --as-sddl
O:LAG:S-1-5-21-1768301897-3342589593-1064908849-2122D:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;0x001f01ff;;;S-1-5-21-1768301897-3342589593-1064908849-2122)(A;;0x001f01ff;;;LA)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)

Rowland

On 11/06/19 13:29, Rowland penny via samba wrote:
> On 11/06/2019 13:13, Sebastian Arcus via samba wrote:
>>
>> On 11/06/19 11:49, Rowland penny via samba wrote:
>>> On 11/06/2019 11:38, Sebastian Arcus via samba wrote:
>>>>
>>>> On 11/06/19 11:07, Rowland penny via samba wrote:
>>>>> On 11/06/2019 10:34, Sebastian Arcus via samba wrote:
>>>>>> I've just upgraded a Samba AD server to 4.10.2 a
few weeks ago
>>>>>> from 4.x (I'm afraid I'm not sure the exact
earlier version) - and
>>>>>> since then I just haven't managed to pin down the
file permissions
>>>>>> and inheritance on the shares as it's been
constantly causing
>>>>>> issues. This server is both a file server and a AD DC.
>>>>>>
>>>>>> The current problem I am facing is the permissions of
the lock
>>>>>> file generated by Microsoft Access (.ldb). The Access
database is
>>>>>> on the server share. When one Windows client opens it,
the .ldb
>>>>>> file is created with group write permission
(-rw-rw----). But when
>>>>>> it is opened from another Windows machine, the .ldb
file is
>>>>>> created with group read-only permissions (-rw-r-----) -
which
>>>>>> locks other users out. There seems to be a mask
applied, but I
>>>>>> have no idea where is it coming from. Both client
machines are
>>>>>> Windows 7 - I just can't figure out the reason. It
used to work
>>>>>> fine before the Samba upgrade. The wrong acl's for
the .ldb file
>>>>>> look like this:
>>>>>>
>>>>>> # file: praxis_be.ldb
>>>>>> # owner: HEBI\\user1
>>>>>> # group: HEBI\\domain\040users
>>>>>> user::rw-
>>>>>> user:root:rwx??????????? #effective:r--
>>>>>> group::rwx??????????? #effective:r--
>>>>>> group:HEBI\\domain\040users:rwx??? #effective:r--
>>>>>> group:HEBI\\domain\040computers:r-x??? #effective:r--
>>>>>> mask::r--
>>>>>> other::---
>>>>>>
>>>>>>
>>>>>> What I've tried:
>>>>>>
>>>>>> 1. I have set and reset the acl's on the Linux side
for the share
>>>>>> and parent dir (the lock file is in the root of the
network share)
>>>>>> - and made sure it doesn't have a mask:
>>>>>
>>>>> You should stop doing this, as it is a DC, you need to set
the
>>>>> permissions from Windows, see here:
>>>>>
>>>>>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>>>>
>>>> Thank you for the quick answer. I should have mentioned that I
tried
>>>> that as well. Could you confirm if "inherit acls" and
"create mask"
>>>> and "directory mask" should still apply to Samba in
AD mode any more
>>>> - or not?
>>>>
>>>>
>>> Your share on the DC should only be this:
>>>
>>> [praxis]
>>> path = /srv/samba/praxis
>>> read only = No
>>>
>>> You shouldn't add anything else, it has always been this way on
a DC.
>>
>> Yes - that's what I read in the docs - and that's what I
started with.
>> But that's when I don't get the expected ACL inheritance. I
just
>> trimmed the share definition down again to the above, and when I 
>> created a dir, the mask kicks in again:
>>
>> # file: test3
>> # owner: root
>> # group: HEBI\\domain\040users
>> # flags: -s-
>> user::rwx
>> user:root:rwx??????????? #effective:r-x
>> user:3000017:r-x
>> group::rwx??????????? #effective:r-x
>> group:HEBI\\domain\040users:rwx??? #effective:r-x
>> group:HEBI\\domain\040computers:r-x
>> mask::r-x
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000017:r-x
>> default:group::rwx
>> default:group:HEBI\\domain\040users:rwx
>> default:group:HEBI\\domain\040computers:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> Is the mask coming from the local Linux filesystem umask? If yes, 
>> shouldn't the ACL's supersede it?
>>
>>> I think it might help if you posted the global part of the smb.conf
>>
>> Sure:
>>
>>
>> [global]
>> bind interfaces only = Yes
>> interfaces = lo eth1 tun0 tun1
>> netbios name = HEBI-SERVER
>> realm = HEBI.LAN
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>> winbindd, ntp_signd, kcc, dnsupdate
>> workgroup = HEBI
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> comment >>
>> log file = /var/log/samba/%m.log
>> max log size = 1000
>>
>> mangling method = hash2
>> mangle prefix = 6
>> reset on zero vc = yes
>> deadtime = 10
>>
>>
>> load printers = yes
>> rpc_server:spoolss = external
>> rpc_daemon:spoolssd = fork
>>
> Would it help if I told you that you are reading the wrong permissions ?
That kind of helps, in the sense that I never realised that there are 
two sets of ACL's stored in two different places. I have just re-read 
for the n-th time the 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
and I'm still trying to get my head around it. I guess that means the 
real permissions (seen on the Windows side) are made up of Linux ACL's 
*plus* the extended attributes stored by Samba elsewhere?

Also, it doesn't quite solve the problem, as the "Domain Users"
still
gets no permissions whatsoever when creating new dirs, in spite of the 
fact that the parent dir has full permissions for "Domain Users" (on
the
Windows side).