On Mon, July 13, 2020 10:23, Andrea Venturoli wrote:
> On 2020-07-13 15:06, James B. Byrne wrote:
>
>>> Just out of curiosity, are you also using vfs_zfsacl?
>>
>> Yes.
>
> But only on DC1, AFAICT!
> I see no mention of it on DC2's smb.conf.
> That could be the reason why you have two different behaviours.
>
> bye
> av.
>

That appears to make no difference:

[root at smb4-1 ~ (master)]# grep acl /usr/local/etc/smb4.conf
vfs objects = dfs_samba4 zfsacl

[root at smb4-1 ~ (master)]# service samba_server onestart
Performing sanity check on Samba configuration: OK
Starting samba.

[root at smb4-1 ~ (master)]# getfacl /var/db/samba4/sysvol
# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
group:3000000:rwxpDdaARWcCo-:fd-----:allow
group:3000001:r-x---a-R-c---:fd-----:allow
group:3000002:rwxpDdaARWcCo-:fd-----:allow
group:3000003:r-x---a-R-c---:fd-----:allow


[root at smb4-2 ~ (master)]# grep acl /usr/local/etc/smb4.conf
vfs objects = dfs_samba4 zfsacl

[root at smb4-2 ~ (master)]# service samba_server onestart
Performing sanity check on Samba configuration: OK
Starting samba.

[root at smb4-2 ~ (master)]# getfacl /var/db/samba4/sysvol
# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
owner@:rwxp----------:-------:deny
owner@:------aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                 mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited           http://www.harte-lyne.ca
9 Brockley Drive               vox: +1 905 561 1241
Hamilton, Ontario              fax: +1 905 561 0757
Canada  L8E 3C3
On Mon, Jul 13, 2020 at 11:11 AM James B. Byrne via samba <samba at lists.samba.org> wrote:
>
>
> On Mon, July 13, 2020 10:23, Andrea Venturoli wrote:
> > On 2020-07-13 15:06, James B. Byrne wrote:
> >
> >>> Just out of curiosity, are you also using vfs_zfsacl?
> >>
> >> Yes.
> >
> > But only on DC1, AFAICT!
> > I see no mention of it on DC2's smb.conf.
> > That could be the reason why you have two different behaviours.
> >
> > bye
> > av.
> >
>
> That appears to make no difference:
>
> [root at smb4-1 ~ (master)]# grep acl /usr/local/etc/smb4.conf
> vfs objects = dfs_samba4 zfsacl
>
> [root at smb4-1 ~ (master)]# service samba_server onestart
> Performing sanity check on Samba configuration: OK
> Starting samba.
>
> [root at smb4-1 ~ (master)]# getfacl /var/db/samba4/sysvol
> # file: /var/db/samba4/sysvol
> # owner: root
> # group: 3000000
> group:3000000:rwxpDdaARWcCo-:fd-----:allow
> group:3000001:r-x---a-R-c---:fd-----:allow
> group:3000002:rwxpDdaARWcCo-:fd-----:allow
> group:3000003:r-x---a-R-c---:fd-----:allow
>
>
> [root at smb4-2 ~ (master)]# grep acl /usr/local/etc/smb4.conf
> vfs objects = dfs_samba4 zfsacl
>
> [root at smb4-2 ~ (master)]# service samba_server onestart
> Performing sanity check on Samba configuration: OK
> Starting samba.
>
> [root at smb4-2 ~ (master)]# getfacl /var/db/samba4/sysvol
> # file: /var/db/samba4/sysvol
> # owner: root
> # group: 3000000
> owner@:rwxp----------:-------:deny
> owner@:------aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
>

I'd say the sysvol ACL on smb4-2 is quite thoroughly broken. Now that the VFS module is set you'll probably need to fix it. If sysvol is on a separate dataset, perhaps snapshot before making changes.
On 2020-07-13 17:10, James B. Byrne wrote:

> [root at smb4-2 ~ (master)]# grep acl /usr/local/etc/smb4.conf
> vfs objects = dfs_samba4 zfsacl
>
> [root at smb4-2 ~ (master)]# service samba_server onestart
> Performing sanity check on Samba configuration: OK
> Starting samba.
>
> [root at smb4-2 ~ (master)]# getfacl /var/db/samba4/sysvol
> # file: /var/db/samba4/sysvol
> # owner: root
> # group: 3000000
> owner@:rwxp----------:-------:deny
> owner@:------aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow

It won't make any difference, if you enable it now, on the ACLs already on disk.

You should try enabling it first and then running "samba-tool ntacl sysvolreset" again.

HTH.
I have no other ideas.

bye
av.
On Mon, July 13, 2020 12:07, Andrea Venturoli wrote:
> On 2020-07-13 17:10, James B. Byrne wrote:
>
>> [root at smb4-2 ~ (master)]# grep acl /usr/local/etc/smb4.conf
>> vfs objects = dfs_samba4 zfsacl
>>
>> [root at smb4-2 ~ (master)]# service samba_server onestart
>> Performing sanity check on Samba configuration: OK
>> Starting samba.
>>
>> [root at smb4-2 ~ (master)]# getfacl /var/db/samba4/sysvol
>> # file: /var/db/samba4/sysvol
>> # owner: root
>> # group: 3000000
>> owner@:rwxp----------:-------:deny
>> owner@:------aARWcCos:-------:allow
>> group@:rwxp--a-R-c--s:-------:allow
>> everyone@:------a-R-c--s:-------:allow
>
> It won't make any difference, if you enable it now, on the ACLs already
> on disk.
>
> You should try enabling it first and then running "samba-tool ntacl
> sysvolreset" again.
>
> HTH.
> I have no other ideas.
>
> bye
> av.
>

That worked perfectly. Thank you very, very much.

[root at smb4-2 ~ (master)]# samba-tool ntacl sysvolreset
[root at smb4-2 ~ (master)]# getfacl /var/db/samba4/sysvol
# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
group:3000000:rwxpDdaARWcCo-:fd-----:allow
group:3000001:r-x---a-R-c---:fd-----:allow
group:3000002:rwxpDdaARWcCo-:fd-----:allow
group:3000003:r-x---a-R-c---:fd-----:allow

[root at smb4-1 ~ (master)]# getfacl /var/db/samba4/sysvol
# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
group:3000000:rwxpDdaARWcCo-:fd-----:allow
group:3000001:r-x---a-R-c---:fd-----:allow
group:3000002:rwxpDdaARWcCo-:fd-----:allow
group:3000003:r-x---a-R-c---:fd-----:allow
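The fix the thread arrives at has an ordering dependency: vfs_zfsacl must be in "vfs objects" and samba restarted before "samba-tool ntacl sysvolreset" is run, otherwise sysvol keeps the trivial owner@/group@/everyone@ ACL seen on smb4-2. The POSIX sh below is an added example, not code from the thread or from the Samba project; it checks a DC for both conditions, using the smb4.conf lines and getfacl output posted above as constructed sample data, and the function names and regexes are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a FreeBSD Samba AD DC's sysvol
# ACL state and its smb4.conf before running "samba-tool ntacl sysvolreset".
# Sample data below is constructed from the values posted in the thread.

SMB_CONF_OK='vfs objects = dfs_samba4 zfsacl'
SMB_CONF_BAD='vfs objects = dfs_samba4'

# getfacl output as posted for the broken DC (smb4-2): only a trivial
# owner@/group@/everyone@ ACL derived from the POSIX mode bits.
ACL_BROKEN='# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
owner@:rwxp----------:-------:deny
owner@:------aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow'

# getfacl output as posted for the healthy DC (smb4-1): explicit group:<xid>
# ACEs carrying the f (file) and d (directory) inheritance flags.
ACL_GOOD='# file: /var/db/samba4/sysvol
# owner: root
# group: 3000000
group:3000000:rwxpDdaARWcCo-:fd-----:allow
group:3000001:r-x---a-R-c---:fd-----:allow
group:3000002:rwxpDdaARWcCo-:fd-----:allow
group:3000003:r-x---a-R-c---:fd-----:allow'

# has_zfsacl CONF_TEXT: succeeds if the "vfs objects" line lists zfsacl.
has_zfsacl() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*vfs objects[[:space:]]*=.*[[:space:]]zfsacl([[:space:]]|$)'
}

# sysvol_acl_state ACL_TEXT: prints "ok" when inheritable group ACEs are
# present and no trivial owner@/group@/everyone@ entries remain, else "broken".
sysvol_acl_state() {
    inh=$(printf '%s\n' "$1" | grep -Ec '^group:[0-9]+:[^:]+:fd[^:]*:allow$' || true)
    triv=$(printf '%s\n' "$1" | grep -Ec '^(owner@|group@|everyone@):' || true)
    if [ "$inh" -gt 0 ] && [ "$triv" -eq 0 ]; then echo ok; else echo broken; fi
}

# sysvolreset_if_ready CONF_TEXT: refuse to run sysvolreset until zfsacl is
# enabled, since without the module it only rewrites the trivial ACL.
# Set DRY_RUN=0 to actually invoke samba-tool (default only prints the command).
sysvolreset_if_ready() {
    has_zfsacl "$1" || { echo 'enable zfsacl in smb4.conf and restart samba first' >&2; return 1; }
    if [ "${DRY_RUN:-1}" -eq 0 ]; then samba-tool ntacl sysvolreset; else echo 'would run: samba-tool ntacl sysvolreset'; fi
}
```

On a live DC, feed the functions the real data with `sysvol_acl_state "$(getfacl /var/db/samba4/sysvol)"` and `sysvolreset_if_ready "$(cat /usr/local/etc/smb4.conf)"`.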