Christoph Fuhs
2019-Oct-23 08:55 UTC
[Samba] AD Member Server and 'vfs objects recycle' permission problems
Hi,

on our samba 4 domain member server we use the vfs objects module 'recycle'. Unfortunately we ran into a strange permission problem with deleted folders. The newly created folders in the recycle folder have the wrong permission. The deleted file(s) itself has the correct group (rw) permissions.

The share's correct permissions:

getfacl Papierkorb/
# file: Papierkorb/
# owner: root
# group: somedom\\domain\040users
user::rwx
user:root:rwx
group::rwx
group:somedom\\domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:somedom\\domain\040users:rwx
default:mask::rwx
default:other::---

The subfolder that 'vfs modules' created in the recycle share:

/srv/www/htdocs/Papierkorb # ll
insgesamt 0
drwxr-x---+ 1 somedom\fuhs somedom\domain users 16 22. Okt 11:39 deleteme

getfacl deleteme/
# file: deleteme/
# owner: somedom\\fuhs
# group: somedom\\domain\040users
user::rwx
user:root:rwx                           #effective:r-x
group::---
group:somedom\\domain\040users:rwx      #effective:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:somedom\\domain\040users:rwx
default:mask::rwx
default:other::---

The problem here is the 'mask::r-x'. This steals the 'w' flag from default:group:somedom\\domain\040users:rwx. Therefore a new deleted file from another user of the group Domain Users can't be created in the recycle share. Every try to manipulate the mask with recycle:directory_mode = 0777 and recycle:subdir_mode = 0777 has no effect.
We tried different inherit settings:

inherit acls = Yes
inherit owner = Yes
inherit permissions = Yes

Samba Version: 4.9.5-git.187.71edee57d5alp151.2.6.1-SUSE-oS15.0-x86_64

smb.conf

[global]
security = ADS
workgroup = somedom
realm = somedom.NET
usershare path
idmap config * : backend = tdb
idmap config * : range = 100000-999999
idmap config somedom:backend = ad
idmap config somedom:schema_mode = rfc2307
idmap config somedom:range = 500-99999
idmap config somedom:unix_nss_info = yes
map acl inherit = yes
store dos attributes = yes
# Template settings for login shell and home directory
template shell = /bin/bash
username map = /etc/samba/user.map
winbind enum users = yes
winbind enum groups = yes
acl allow execute always = True
# disable cups
printing = bsd
load printers = no
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no
log level = 1

[test]
vfs objects = acl_xattr recycle
comment = Test share
path = /srv/www/htdocs/testshare
read only = No
# Audit and recycle bin (Papierkorb)
recycle:repository = /srv/www/htdocs/Papierkorb
recycle:keeptree = Yes
recycle:subdir_mode = 0777
recycle:directory_mode = 0777
# test with 2777
#recycle:subdir_mode = 2777
#recycle:directory_mode = 2777

[Papierkorb]
vfs objects = acl_xattr
comment = Papierkorb Serververzeichnisse
path = /srv/www/htdocs/Papierkorb
guest ok = No
read only = No
browsable = Yes

Any help would be appreciated.

Chris
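As an added illustration (not part of the post or of Samba): a small parser that applies the POSIX ACL mask to getfacl output the way the kernel does, so the "#effective:r-x" on the group entry of the deleteme directory can be reproduced and checked mechanically. The sample ACL text is copied from the post; the function names are the example's own.

```python
# Constructed sample: the access entries of the 'deleteme' directory from
# the post (default: entries omitted; getfacl escapes the space as \040).
DELETEME_ACL = r"""
# file: deleteme/
# owner: somedom\\fuhs
# group: somedom\\domain\040users
user::rwx
user:root:rwx                           #effective:r-x
group::---
group:somedom\\domain\040users:rwx      #effective:r-x
mask::r-x
other::---
"""

PERM_BITS = "rwx"


def parse_acl(text):
    """Return the access ACL as a list of (tag, qualifier, perms) tuples.

    Comment lines, blank lines, default: entries and the '#effective:' hints
    that getfacl appends are ignored; perms is a set of 'r', 'w', 'x'.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and hints
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.rsplit(":", 2)
        entries.append((tag, qualifier, {c for c in perms if c in PERM_BITS}))
    return entries


def effective_perms(entries):
    """Apply the POSIX ACL mask as the kernel does: the mask caps named users,
    the owning group and named groups; user:: (owner) and other:: are never
    masked. Returns {"tag:qualifier": "rwx"-style effective string}."""
    mask = next((p for t, q, p in entries if t == "mask"), set(PERM_BITS))
    result = {}
    for tag, qualifier, perms in entries:
        masked = (tag == "user" and qualifier != "") or tag == "group"
        eff = perms & mask if masked else perms
        result[f"{tag}:{qualifier}"] = "".join(c if c in eff else "-" for c in PERM_BITS)
    return result


def group_can_write(text, group):
    """True if members of the named group keep the 'w' bit after masking."""
    return "w" in effective_perms(parse_acl(text)).get(f"group:{group}", "")
```

Feeding the same text with mask::rwx instead shows the group entry regaining write, which is the condition the recycle directory would need for other Domain Users members to create files in it.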
Christoph Fuhs
2019-Oct-28 09:36 UTC
[Samba] Antw: AD Member Server and 'vfs objects recycle' permission problems
No one?

>>> Christoph Fuhs via samba <samba at lists.samba.org> 23.10.2019 10:55 >>>