Sebastian Arcus
2019-Dec-02 16:24 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/19 15:44, Rowland penny via samba wrote:
> On 02/12/2019 15:32, Sebastian Arcus via samba wrote:
>>
>> On 02/12/19 15:10, Rowland penny via samba wrote:
>>
>> Thank you for the quick reply. I should have mentioned that these DC's
>> are at different sites. At each site there is only one Linux server
>> - hence why the DC is also the file server.
> Bad move, I would add a Unix domain member at each site, even if it is
> in a VM, by the way, are you using 'sites' ?

I'm not sure what you mean by 'sites'. They are a number of different physical sites, but they are independent small lan's, with no connection to each other, if that is the question? I have seen the advice in the wiki against using the DC as a file sharing server, but I am not clear as to why exactly that is a bad idea - and the wiki doesn't go into much detail. The servers certainly have performed very well for the past 3 years or so. These are small networks, with around 10 clients each.

>> I'm afraid I'm not sufficiently familiar with vfs objects and how they
>> work - I only used the configuration above based on the recommended
>> configs in the wiki. Are you saying above that I could have configured
>> the vfs recycle without using the "vfs objects = recycle" line - that
>> it isn't actually necessary in order to activate the recycle bin?
>
> No, I am saying that you have turned off the default vfs objects by just
> specifying one.
>
> You should have 'vfs objects = dfs_samba4 acl_xattr recycle'

Thank you very much for this - now it is working. This lack of permissions inheritance issue has been plaguing me for months - it is very useful to finally find what has been causing it. Would it be a good idea to add the information above somewhere in the wiki, in case others will face the same issue at some point?

Again, thank you for the quick replies.
Christopher Cox
2019-Dec-02 16:34 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 12/2/19 10:24 AM, Sebastian Arcus via samba wrote:
>
> On 02/12/19 15:44, Rowland penny via samba wrote:
>> On 02/12/2019 15:32, Sebastian Arcus via samba wrote:

snippity

>>
>> No, I am saying that you have turned off the default vfs objects by
>> just specifying one.
>>
>> You should have 'vfs objects = dfs_samba4 acl_xattr recycle'
>
> Thank you very much for this - now it is working. This lack of
> permissions inheritance issue has been plaguing me for months - it is
> very useful to finally find what has been causing it. Would it be a good
> idea to add the information above somewhere in the wiki, in case others
> will face the same issue at some point?
>
> Again, thank you for the quick replies.
>

The way I've handled this on software I've written (not samba) is to support the concept of +feature and -feature. That is "add to defaults", "subtract from defaults".

If such a thing were supported, then:

vfs objects = +recycle

would not have nuked the default options.

Obviously things get tricky when using something like testparm to clean up and write out a clean smb.conf. Likely you'd just explode things out, which might not be what you'd want, but might be the only way to make this realistic.

Just ideas...
Rowland penny
2019-Dec-02 16:53 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
>
> I'm not sure what you mean by 'sites'. They are a number of
> different physical sites, but they are independent small lan's, with
> no connection to each other, if that is the question? I have seen the
> advice in the wiki against using the DC as a file sharing server, but
> I am not clear as to why exactly that is a bad idea - and the wiki
> doesn't go into much detail. The servers certainly have performed very
> well for the past 3 years or so. These are small networks, with around
> 10 clients each.
>

For 'sites', see here:
https://wiki.samba.org/index.php/Active_Directory_Sites

Basically, it is how you seem to be running AD, it just enforces it a bit more ;-)

Without 'sites' your clients could use the local DC, but they could also use any DC in your domain. With 'sites', they will use the local DC unless it has failed.

For more info, see here:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology

>> You should have 'vfs objects = dfs_samba4 acl_xattr recycle'
>
> Thank you very much for this - now it is working. This lack of
> permissions inheritance issue has been plaguing me for months - it is
> very useful to finally find what has been causing it. Would it be a
> good idea to add the information above somewhere in the wiki, in case
> others will face the same issue at some point?

You are probably correct, but where to put it ???

It doesn't help that the tool for checking the smb.conf on a DC, does this:

root@dc4:~# samba-tool testparm -v 2>/dev/null | grep 'vfs objects'
    vfs objects

Whilst the old tool for checking a smb.conf does this:

root@dc4:~# testparm -v -s 2>/dev/null | grep 'vfs objects'
    vfs objects = dfs_samba4 acl_xattr

And, no, I have no idea why the output is different ;-)

Rowland
Sebastian Arcus
2019-Dec-02 17:06 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/19 16:53, Rowland penny via samba wrote:
> On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
>>
>> I'm not sure what you mean by 'sites'. They are a number of
>> different physical sites, but they are independent small lan's, with
>> no connection to each other, if that is the question? I have seen the
>> advice in the wiki against using the DC as a file sharing server, but
>> I am not clear as to why exactly that is a bad idea - and the wiki
>> doesn't go into much detail. The servers certainly have performed very
>> well for the past 3 years or so. These are small networks, with around
>> 10 clients each.
>>
> For 'sites', see here:
> https://wiki.samba.org/index.php/Active_Directory_Sites

Oh - I see what you mean now. Sorry - my fault - I shouldn't have used the word "site" - it just confused the conversation. These are different organisations, which have no connection to each other, and all networks are completely independent from each other. There is supposed to be no link or connection between them in any way (except that I happen to look after them all :-) ).

>
> Basically, it is how you seem to be running AD, it just enforces it a
> bit more ;-)
>
> Without 'sites' your clients could use the local DC, but they could also
> use any DC in your domain. With 'sites', they will use the local DC unless
> it has failed.
>
> For more info, see here:
>
> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/understanding-active-directory-site-topology

</snip>
Sebastian Arcus
2019-Dec-02 17:17 UTC
[Samba] vfs_recycle disables permissions inheritance on AD DC shares
On 02/12/19 16:53, Rowland penny via samba wrote:
> On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
>>

</snip>

>
>>> You should have 'vfs objects = dfs_samba4 acl_xattr recycle'
>>
>> Thank you very much for this - now it is working. This lack of
>> permissions inheritance issue has been plaguing me for months - it is
>> very useful to finally find what has been causing it. Would it be a
>> good idea to add the information above somewhere in the wiki, in case
>> others will face the same issue at some point?
>
> You are probably correct, but where to put it ???

The following man page is the one I read several times when things started to get hairy and I narrowed things down to issues with vfs recycle - and where I was looking for some enlightening notes on the subject:

https://www.samba.org/samba/docs/current/man-html/vfs_recycle.8.html

Something along the lines of:

"vfs objects = recycle

Please note that the config line above will reset the vfs objects already configured, which can have unintended consequences, especially when Samba is configured in AD mode. To avoid this, the recycle module should be added to existing vfs objects (... with some suitable instructions on how to find out which existing vfs modules are configured by default, maybe)"

Maybe something like the above?

</snip>
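An added example, not part of the thread or of Samba: a Python check that reads smb.conf text and reports shares whose explicit 'vfs objects' setting (their own or one inherited from [global]) drops the DC defaults dfs_samba4 and acl_xattr shown in the testparm output above. The function names and the sample configuration are constructed for illustration, and the file is assumed to belong to an AD DC.

```python
import re

# Modules a DC loads by default, per the testparm output quoted in this thread.
DC_DEFAULTS = ("dfs_samba4", "acl_xattr")

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; joins backslash continuations."""
    sections, current = {}, None
    for raw in re.sub(r"\\\r?\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def missing_dc_vfs_modules(text, required=DC_DEFAULTS):
    """Map each share to the required modules its 'vfs objects' line drops."""
    sections = parse_smb_conf(text)
    global_vfs = sections.get("global", {}).get("vfsobjects")
    findings = {}
    for name, params in sections.items():
        effective = params.get("vfsobjects", global_vfs)
        if name == "global" or effective is None:
            continue  # no explicit setting: the built-in defaults still apply
        loaded = effective.replace(",", " ").split()
        missing = [m for m in required if m not in loaded]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample smb.conf, not taken from the thread.
SAMPLE = """
[global]
    server role = active directory domain controller
[projects]
    VFS Objects = recycle
[archive]
    vfs objects = dfs_samba4 acl_xattr recycle
[scratch]
"""

if __name__ == "__main__":
    for share, missing in missing_dc_vfs_modules(SAMPLE).items():
        print(f"[{share}] vfs objects is missing: {' '.join(missing)}")
```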