
[Samba] SMB 4.6 Member Server Improper ACLs being set
Hello,

I recently upgraded from CentOS release 7.3 to 7.4 and Samba 4.6.2 and
noticed that when files/folders are added or manipulated from a Windows PC
via the share, extra ACLs get applied and I cannot figure out why. Nothing
has changed configuration-wise, and I have tried all the variations of the
different map settings I can think of, and downgraded several releases of
Samba (4.4.4 failed to load due to some dependency issues).

I spun up a templated CentOS VM to test and found the same issue as on my
physical server.

I'm sharing /vault, and here's the permission set of the folder:
[root@template vault]# getfacl .
# file: .
# owner: root
# group: root
user::rwx
group::rwx
group:user_perm_storage_admin:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:user_perm_storage_admin:rwx
default:mask::rwx
default:other::---

If I map a share from a Windows or Linux machine back to this via Samba and
create a folder/file, it looks like this:

[root@template vault]# getfacl test/
# file: test/
# owner: ryan.goode
# group: domain\040users
user::rwx
user:10513:rwx
user:14608:rwx
group::rwx
group:domain\040users:rwx
group:ryan.goode:rwx
group:user_perm_storage_admin:rwx
mask::rwx
other::---
default:user::rwx
default:user:ryan.goode:rwx
default:user:14608:rwx
default:group::rwx
default:group:domain\040users:rwx
default:group:user_perm_storage_admin:rwx
default:mask::rwx
default:other::---

The ACLs I'm referring to as being erroneous are:
user:10513:rwx
user:14608:rwx
default:user:14608:rwx

These correspond to groups in AD as seen here:

[root@template vault]# getent group | grep 14608
user_perm_storage_admin:x:14608:
[root@template vault]# getent group | grep 10513
domain users:x:10513:

This wasn't happening when I originally set up these ACLs on my storage
server, and I'm trying to prevent it from happening further before it hoses
my permission set.

I'm at a loss for what to do next, and Google has yielded no useful
information that I can find.

Any thoughts?
- - - -
smb.conf:
#--authconfig--start-line--

# Generated by authconfig on 2017/04/14 06:41:51
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = AD
   realm = AD.ALLGOODE.US
   security = ads
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = true

#--authconfig--end-line--
server string = Samba Server Version %v

idmap config * : backend = tdb
idmap config * : range = 5000 - 9999
idmap config AD : backend = rid
idmap config AD : range = 10000-20000

#winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind cache time = 7200
winbind nested groups = yes

ea support = yes
passdb backend = tdbsam

#log file = /var/log/samba/log.%m
max log size = 50
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

#client ldap sasl wrapping = plain

local master = no
preferred master = no
netbios name = TEMPLATE
dos charset = CP437
unix charset = UTF-8
log level = 9
obey pam restrictions = yes

#directory name cache size = 0

#============================ Share Definitions ==============================

[vault]
comment = vault for personal files
path = /vault
read only = no
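The entries singled out above are numeric user: qualifiers whose numbers are the gids of AD groups, and with the posted rid backend a unix id is just the RID added to the low end of the configured range, so uids and gids share one number space (10513 - 10000 = 513, the well-known RID of Domain Users). The script below is an added example, not code from the post or from the Samba project; it audits a getfacl listing against getent output and reports every user: entry whose number matches a known group, with the RID recovered from the posted range. The getfacl and getent group text is copied from the post, the getent passwd line is constructed with an arbitrary uid, and the function names and range constants are assumptions for illustration.

```python
"""Audit Samba-written POSIX ACLs for numeric user: entries that are AD group ids.

Added example for the listing in the post above; not code from the post or
from the Samba project. Sample data is copied from the post except where a
comment says it is constructed.
"""

# Bounds of 'idmap config AD : range = 10000-20000' from the posted smb.conf.
# With 'backend = rid', unix id = IDMAP_RANGE_LOW + RID, for users and groups alike.
IDMAP_RANGE_LOW, IDMAP_RANGE_HIGH = 10000, 20000

# Well-known domain group RIDs (fixed by Active Directory).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Copied from the post: getfacl of the folder created through the share.
SAMPLE_GETFACL = r"""# file: test/
# owner: ryan.goode
# group: domain\040users
user::rwx
user:10513:rwx
user:14608:rwx
group::rwx
group:domain\040users:rwx
group:ryan.goode:rwx
group:user_perm_storage_admin:rwx
mask::rwx
other::---
default:user::rwx
default:user:ryan.goode:rwx
default:user:14608:rwx
default:group::rwx
default:group:domain\040users:rwx
default:group:user_perm_storage_admin:rwx
default:mask::rwx
default:other::---
"""

# Copied from the post: the two 'getent group' lines shown.
SAMPLE_GROUP = "user_perm_storage_admin:x:14608:\ndomain users:x:10513:\n"

# Constructed: the post shows no 'getent passwd'; the uid 11105 is arbitrary.
SAMPLE_PASSWD = "ryan.goode:*:11105:10513::/home/AD/ryan.goode:/bin/bash\n"


def parse_getfacl(text):
    """Return (is_default, tag, qualifier, perms) tuples; '\\040' in names is a space."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # skip file/owner/group headers
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((is_default, tag, qualifier.replace("\\040", " "), perms))
    return entries


def parse_getent(text):
    """Map numeric id -> name from 'getent passwd' or 'getent group' output."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            table[int(fields[2])] = fields[0]
    return table


def rid_of(unix_id):
    """Recover the RID a rid-backend id was derived from, or None if out of range."""
    if IDMAP_RANGE_LOW <= unix_id <= IDMAP_RANGE_HIGH:
        return unix_id - IDMAP_RANGE_LOW
    return None


def audit_acl(getfacl_text, passwd_by_uid, group_by_gid):
    """Flag user: entries whose numeric qualifier is the gid of a known group."""
    findings = []
    for is_default, tag, qualifier, _perms in parse_getfacl(getfacl_text):
        if tag != "user" or not qualifier.isdigit():
            continue                               # named or owner entries are fine
        unix_id = int(qualifier)
        if unix_id not in group_by_gid:
            continue
        rid = rid_of(unix_id)
        findings.append({
            "default": is_default,
            "id": unix_id,
            "group": group_by_gid[unix_id],
            "also_user": passwd_by_uid.get(unix_id),   # rid backend: ids can collide
            "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid),
        })
    return findings


if __name__ == "__main__":
    report = audit_acl(SAMPLE_GETFACL, parse_getent(SAMPLE_PASSWD), parse_getent(SAMPLE_GROUP))
    for f in report:
        scope = "default:" if f["default"] else ""
        known = f", {f['well_known']}" if f["well_known"] else ""
        print(f"{scope}user:{f['id']} matches group '{f['group']}' (RID {f['rid']}{known})")
```

On a real host, feed the script the live output of `getfacl <dir>`, `getent passwd` and `getent group` in place of the sample strings; any user: entry it reports names an id that the rid backend also hands out as a gid, which is exactly the ambiguity a numeric qualifier cannot express on its own.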