Bug 10207 - ACLs on member server act different than on a DC
Summary: ACLs on member server act different than on a DC
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0.10
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2013-10-15 17:54 UTC by Marc Muehlfeld
Modified: 2014-05-15 08:34 UTC
Description Marc Muehlfeld 2013-10-15 17:54:29 UTC
When I set up a basic file share on a DC and on a member server:

    path = /srv/samba/Demo
    read only = no

The folder is on XFS, owned by root:root and has permissions 755 on Linux side.

Behavior on the member server:
Connect to the share as domain admin, right-click and go to the "security" tab. Here I see "everyone" and two "root" entries. I click the "edit" button and remove the two "root" entries. When I click "apply", everything is reset (the two entries went back). If I grant "modify" to "everyone" - where all "allow" entries are empty per default - and click "apply", then all boxes are checked automatically (full access) and "CREATOR OWNER" and "CREATOR GROUP" appear. And these two can't be removed as well any more.

Behaviour on a DC:
If I do exactly the same on a DC, then the security tab already shows very different settings on opening. The wiki screenshot shows them: http://wikiupload.samba.org/images/8/8f/Demo_Share_Security.png. Also, whatever I change (like removing the two "root" entries from the ACLs), everything is done as expected and saved.

On the mailing list, Keith McCormick gave me the hint that I should add

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = Yes

to my member server's smb.conf. With this VFS object and settings, the filesystem ACLs on the member server act the same as on a DC.

This is reproducible with 4.1.x and 4.0.x.

I already discussed that on the samba mailing list (http://samba.2283325.n4.nabble.com/File-share-permissions-act-different-on-member-server-than-on-DC-td4654993.html).

Is it expected that the fileserver on a member server acts different and the VFS module is required to get ACLs working?
Comment 1 Marc Muehlfeld 2014-05-15 08:34:45 UTC
I'll close this bug report, as it seems to be expected behaviour at the moment. I have already described this in the Member Server Wiki HowTo, too.