
Re: [Samba] Samba 4.9.4 drops group write permission on files (at file access time) with 'vfs objects' enabled




> Would this be on a DC ?
> If so, you are removing the default vfs objects. and this is a known
> 'problem'

Not on a DC - this is on AD member fileserver(s)

It’s not a ‘problem’. It’s a _problem_. If you can’t add ‘vfs objects’ without the default built-in module getting lost then how is that supposed to work at all?

I’ve tried looking at the source code to see if there is some kind of default module one could load manually but it seems to be built-in. We need the zfsacl (for files/dirs with ZFS ACLs), shadow_copy2 (for snapshots/previous versions) & full_audit modules, but also the default built-in stuff to work (for cases where users have files/dirs without ACLs set)...

Ah well, back to reading the source code again.

- Peter



> On 27 Feb 2019, at 17:17, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> On Wed, 27 Feb 2019 16:53:48 +0100
> Peter Eriksson via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
>> We just noticed an interesting bug/misfeature on our Samba 4.9.4
>> servers (FreeBSD 11.2). The same effect is also visible on Samba
>> 4.8.3 on CentOS 7.
>> 
>> Start with a directory that looks like this:
>> 
>> root@filur00:/tmp/test # ls -la
>> total 50
>> drwxrwx---   2 peter86  uf-iti-all   3 Feb 27 11:27 .
>> drwxrwxrwt  10 root     wheel       56 Feb 27 16:41 ..
>> -rw-rw----   1 mikha02  uf-iti-all   6 Feb 27 11:27 hello.txt
>> 
>> Ie, no ACLs, just “pure” Unix permission bits. Share it as usual via
>> smb.conf.
>> 
>> 
>> With a smb.conf file with any “vfs objects” enabled (doesn’t matter
>> which, or even with an empty list):
>> 
>>    vfs objects = ;; empty list
>>    vfs objects = shadow_copy2 zfsacl full_audit
>> 
>> Then if you (from a Windows machine) look at the file's Properties ->
>> Security you will find that the Write access for the Group entry has
>> been removed from the ACL list displayed (and Samba will give Windows
>> users access errors when they try to write to that file).
>> 
>> 
>> With a smb.conf file without a “vfs objects” line you will correctly
>> get the right Write Access for the Group in the ACL.
>> 
>> 
>> It feels like having any “vfs objects” config line removes some kind
>> of default VFS module that does something that it should call instead
>> of calling it last….
>> 
>> - Peter
>> 
>> 
> 
> Would this be on a DC ?
> If so, you are removing the default vfs objects. and this is a known
> 'problem'
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
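
The report above ties the lost group write bit to any explicit "vfs objects" line, even an empty one. As an added example (not code from this thread or from Samba), the Python sketch below lists the shares in an smb.conf whose effective configuration sets that parameter, so an administrator can see which shares to check. The sample configuration, share names and paths are constructed, and include files and registry-based configuration are not handled.

```python
import re

# Constructed sample smb.conf (not from the thread); share names and paths are made up.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; vfs objects = full_audit   (commented out, must be ignored)
[plain]
    path = /export/plain
[audited]
    path = /export/audited
    VFS Objects = shadow_copy2 zfsacl \\
        full_audit
[empty]
    path = /export/empty
    vfs objects =
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; param names are lower-cased with spaces removed."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def shares_with_explicit_vfs_objects(text):
    """Map share -> module list where 'vfs objects' is set, even to an empty list."""
    sections = parse_smb_conf(text)
    default = sections.pop("global", {}).get("vfsobjects")  # [global] is the share default
    found = {}
    for share, params in sections.items():
        value = params.get("vfsobjects", default)
        if value is not None:
            found[share] = value.split()
    return found

if __name__ == "__main__":
    for share, modules in shares_with_explicit_vfs_objects(SAMPLE_CONF).items():
        print(f"[{share}] vfs objects = {' '.join(modules) or '(empty list)'}")
```
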
