Bug 15061 - When using the user.map cache, ACLs are inherited incorrectly
Summary: When using the user.map cache, ACLs are inherited incorrectly
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.14.5
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-09 13:40 UTC by Tobias Scheinert
Modified: 2022-05-09 13:40 UTC

See Also:


Attachments
minimal smb.conf (731 bytes, text/plain)
2022-05-09 13:40 UTC, Tobias Scheinert

Description Tobias Scheinert 2022-05-09 13:40:16 UTC
Created attachment 17281
minimal smb.conf

Hi,

when we have activated the user.map cache, we observe that ACLs are repeatedly inherited incorrectly when folders and files are created. In addition, it can happen that users can no longer access directories even though they have permission to do so. This behavior does not always occur, but appears to be random. However, we were able to narrow down the error to such an extent that if we set "username map cache time = 0" in the "smb.conf" file, all the problems mentioned disappear and the samba server behaves normally.

In order to describe the problem as understandably as possible, we created a minimal configuration and documented all the steps we needed to reproduce the bug on a test system. We performed the following steps once as a domain member and once as a standalone server and were able to reproduce the bug both times. As a test user, we created a local user "smbtest01" with the primary Unix group "smbtest". For the test, we created the following directory structure with the associated ACLs.

drwxrws---+ 8 smbtest01 smbtest 4096 May  5 11:00 /mnt/data10/samba_test/test1
drwxrws---+ 8 root      root    4096 May  5 11:00 /mnt/data10/samba_test/test2
drwxrws---+ 8 root      users   4096 May  5 11:00 /mnt/data10/samba_test/test3

# file: mnt/data10/samba_test/test1
# owner: smbtest01
# group: smbtest
# flags: -s-
user::rwx
user:smbtest01:rwx
group::rwx
group:smbtest:rwx
mask::rwx
other::---
default:user::rwx
default:user:smbtest01:rwx
default:group::rwx
default:group:smbtest:rwx
default:mask::rwx
default:other::---

# file: mnt/data10/samba_test/test2
# owner: root
# group: root
# flags: -s-
user::rwx
user:smbtest01:rwx
group::rwx
group:smbtest:rwx
mask::rwx
other::---
default:user::rwx
default:user:smbtest01:rwx
default:group::rwx
default:group:smbtest:rwx
default:mask::rwx
default:other::---

# file: mnt/data10/samba_test/test3
# owner: root
# group: users
# flags: -s-
user::rwx
user:smbtest01:rwx
group::rwx
group:smbtest:rwx
mask::rwx
other::---
default:user::rwx
default:user:smbtest01:rwx
default:group::rwx
default:group:smbtest:rwx
default:mask::rwx
default:other::---

In order to reproduce the bug, we have now created directories and text files in the three folders with the user "smbtest01" from a Windows 10 client. The result looked like this:

/mnt/data10/samba_test/test1:
total 0
drwxrws---+ 2 smbtest01 smbtest 6 May  5 10:59 test1111

/mnt/data10/samba_test/test2:
total 0
drwxrws---+ 2 smbtest01 root    6 May  5 10:58 test2222
drwxrwx---+ 2 smbtest01 smbtest 6 May  5 11:00 testt2222

/mnt/data10/samba_test/test3:
total 0
drwxrwx---+ 2 smbtest01 smbtest 6 May  5 10:43 testr333
drwxrws---+ 2 smbtest01 users   6 May  5 10:58 testr3333

For the "test1" folder, all our attempts were correct, but the group is also the user's primary group. For the other two folders ("test2", "test3") we were able to reproduce incorrect inheritances as well as correct ones. The correct inheritance can be recognized by the set sticky bit. As already mentioned, this behavior disappeared as soon as we disabled user.map caching in the "smb.conf" file.

To explain our "user.map" file: we map the machine account to a local system user to allow clients to access files without a user being logged in, or to allow scripts to be run in the system context.

user.map:
--------------
computeraccount = CONTOSO\pc0001$
computeraccount = CONTOSO\pc0002$
computeraccount = CONTOSO\pc0003$
[...]

Our test setup:
---------------
* RedHat Enterprise Linux 8
* installed packages
 * samba-4.14.5-10.el8_5.x86_64
 * samba-winbind-4.14.5-10.el8_5.x86_64 [1]

[1] Winbind was disabled during our tests. All caches or tdb-files were purged before.

If we should carry out further tests, we are happy to do so, as we have an extra test system for this.

Best Regards
Tobias
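The listings in the report make the symptom easy to check mechanically: under a setgid parent directory, every new entry should carry the parent's group, and a new subdirectory should carry the setgid bit as well. The script below is an added example, not part of the bug report or of Samba; it parses `ls -l` style lines, compares each child against its parent, and flags the entries that did not inherit correctly. The sample listings are constructed from the ones quoted above, so it runs offline.

```python
"""Added example: detect directories that did not inherit group/setgid from a
setgid parent, using 'ls -l' style listings as input.  Not Samba code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One 'ls -l' line: mode (optionally followed by '+' for an ACL), link count,
# owner, group, size, month, day, time, name.
LS_LINE = re.compile(
    r"^([dl-][rwxsStT-]{9})\+?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\w+\s+\d+\s+[\d:]+\s+(.+?)\s*$"
)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    @property
    def setgid(self) -> bool:
        # The group-execute slot (index 6) reads 's' or 'S' when setgid is set.
        return self.mode[6] in "sS"


def parse_ls(text: str) -> List[Entry]:
    """Parse ls -l output; lines that are not entries (e.g. 'total 0') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def check_inheritance(parent: Entry, children: List[Entry]) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for children that did not inherit correctly.

    Under a setgid directory a new entry should get the parent's group, and a
    new directory should also get the setgid bit.  A parent without setgid
    imposes no such expectation, so nothing is reported for it.
    """
    problems: List[Tuple[str, str]] = []
    if not parent.setgid:
        return problems
    for child in children:
        if child.group != parent.group:
            problems.append(
                (child.name, f"group {child.group!r} != parent group {parent.group!r}")
            )
        if child.is_dir and not child.setgid:
            problems.append((child.name, "setgid bit not inherited"))
    return problems


# Constructed sample input, taken from the listings quoted in the report.
PARENTS = """\
drwxrws---+ 8 smbtest01 smbtest 4096 May  5 11:00 /mnt/data10/samba_test/test1
drwxrws---+ 8 root      root    4096 May  5 11:00 /mnt/data10/samba_test/test2
drwxrws---+ 8 root      users   4096 May  5 11:00 /mnt/data10/samba_test/test3
"""

CHILDREN = {
    "/mnt/data10/samba_test/test1": """\
total 0
drwxrws---+ 2 smbtest01 smbtest 6 May  5 10:59 test1111
""",
    "/mnt/data10/samba_test/test2": """\
total 0
drwxrws---+ 2 smbtest01 root    6 May  5 10:58 test2222
drwxrwx---+ 2 smbtest01 smbtest 6 May  5 11:00 testt2222
""",
    "/mnt/data10/samba_test/test3": """\
total 0
drwxrwx---+ 2 smbtest01 smbtest 6 May  5 10:43 testr333
drwxrws---+ 2 smbtest01 users   6 May  5 10:58 testr3333
""",
}


def run_check() -> Dict[str, List[Tuple[str, str]]]:
    """Check every parent in PARENTS against its children; map parent -> problems."""
    results = {}
    for parent in parse_ls(PARENTS):
        results[parent.name] = check_inheritance(parent, parse_ls(CHILDREN[parent.name]))
    return results


if __name__ == "__main__":
    for parent_name, problems in run_check().items():
        status = "ok" if not problems else "; ".join(f"{n}: {r}" for n, r in problems)
        print(f"{parent_name}: {status}")
```

Run against the report's data, `test1` comes out clean, while `testt2222` under `test2` and `testr333` under `test3` are flagged for both a wrong group and a missing setgid bit, which matches the entries the reporter identified as incorrectly inherited. The same check can be pointed at real `ls -l` output of a share to confirm whether changing `username map cache time` actually removes the anomalies.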