samba - Dec 2019 - vfs_recycle disables permissions inheritance on AD DC shares

On 02/12/19 16:53, Rowland penny via samba wrote:
> On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
>>
</snip>
> 
>>> You should have 'vfs objects = dfs_samba4 acl_xattr
recycle'
>>
>> Thank you very much for this - now it is working. This lack of 
>> permissions inheritance issue has been plaguing me for months - it is 
>> very useful to finally find what has been causing it. Would it be a 
>> good idea to add the information above somewhere in the wiki, in case 
>> others will face the same issue at some point?
> 
> You are probably correct, but where to put it ???
The following man page is the one I read several times when things 
started to get hairy and I narrowed things down to issues with vfs 
recycle - and where I was looking for some enlightening notes on the 
subject:

https://www.samba.org/samba/docs/current/man-html/vfs_recycle.8.html

Something along the lines of:

"vfs objects = recycle

Please note that the config line above will reset the vfs objects 
already configured, which can have unintended consequences, specially 
when Samba is configured in AD mode. To avoid this, the recycle module 
should be added to existing vfs objects (... with some suitable 
instructions on how to find out which existing vfs modules are 
configured by default, maybe)"

Maybe something like the above?
</snip>

On 02/12/2019 17:17, Sebastian Arcus via samba wrote:
>
> On 02/12/19 16:53, Rowland penny via samba wrote:
>> On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
>>>
>
> </snip>
>
>>
>>>> You should have 'vfs objects = dfs_samba4 acl_xattr
recycle'
>>>
>>> Thank you very much for this - now it is working. This lack of 
>>> permissions inheritance issue has been plaguing me for months - it 
>>> is very useful to finally find what has been causing it. Would it
be
>>> a good idea to add the information above somewhere in the wiki, in 
>>> case others will face the same issue at some point?
>>
>> You are probably correct, but where to put it ???
>
> The following man page is the one I read several times when things 
> started to get hairy and I narrowed things down to issues with vfs 
> recycle - and where I was looking for some enlightening notes on the 
> subject:
>
> https://www.samba.org/samba/docs/current/man-html/vfs_recycle.8.html
>
> Something along the lines of:
>
> "vfs objects = recycle
>
> Please note that the config line above will reset the vfs objects 
> already configured, which can have unintended consequences, specially 
> when Samba is configured in AD mode. To avoid this, the recycle module 
> should be added to existing vfs objects (... with some suitable 
> instructions on how to find out which existing vfs modules are 
> configured by default, maybe)"
>
> Maybe something like the above?
> </snip>
>
Possibly for 'recycle', but this would happen for any 'vfs
object' added
to a DC that didn't list the defaults (it also applies to Unix domain 
members, where listing 'vfs objects' in a share, overrides any set in 
[global])

Rowland

On 02/12/19 17:35, Rowland penny via samba wrote:
> On 02/12/2019 17:17, Sebastian Arcus via samba wrote:
>>
>> On 02/12/19 16:53, Rowland penny via samba wrote:
>>> On 02/12/2019 16:24, Sebastian Arcus via samba wrote:
>>>>
>>
>> </snip>
>>
>>>
>>>>> You should have 'vfs objects = dfs_samba4 acl_xattr
recycle'
>>>>
>>>> Thank you very much for this - now it is working. This lack of 
>>>> permissions inheritance issue has been plaguing me for months -
it
>>>> is very useful to finally find what has been causing it. Would
it be
>>>> a good idea to add the information above somewhere in the wiki,
in
>>>> case others will face the same issue at some point?
>>>
>>> You are probably correct, but where to put it ???
>>
>> The following man page is the one I read several times when things 
>> started to get hairy and I narrowed things down to issues with vfs 
>> recycle - and where I was looking for some enlightening notes on the 
>> subject:
>>
>> https://www.samba.org/samba/docs/current/man-html/vfs_recycle.8.html
>>
>> Something along the lines of:
>>
>> "vfs objects = recycle
>>
>> Please note that the config line above will reset the vfs objects 
>> already configured, which can have unintended consequences, specially 
>> when Samba is configured in AD mode. To avoid this, the recycle module 
>> should be added to existing vfs objects (... with some suitable 
>> instructions on how to find out which existing vfs modules are 
>> configured by default, maybe)"
>>
>> Maybe something like the above?
>> </snip>
>>
> Possibly for 'recycle', but this would happen for any 'vfs
object' added
> to a DC that didn't list the defaults (it also applies to Unix domain 
> members, where listing 'vfs objects' in a share, overrides any set
in
> [global])
Hmm - in that case, maybe some sort of syntax to be able to add to the 
existing vfs objects without re-declaring them specifically, or knowing 
which they are. Such as:

vfs objects = $objects recycle

or

vfs objects += recycle

I can think of a few other pieces of software which use a similar 
configuration syntax to add extra arguments to a previously configured 
option. Ford example Dovecot uses the first style of syntax.

The slight extra complication is that Samba allows spaces in the names 
of variables, but then uses spaces as list separators as well, so it's 
not possible to have:

vfs objects = $vfs objects recycle


If the syntax is updated as per above, the man pages for all vfs modules 
would have to be updated as well, I suppose.