15996 – NT ACL lost randomly on profiles share

Bug 15996 - NT ACL lost randomly on profiles share

Summary: NT ACL lost randomly on profiles share

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.22.6
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2026-02-10 14:17 UTC by Benoît Tonnerre
Modified:	2026-02-11 14:48 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
smb conf file (1.52 KB, text/plain) 2026-02-10 14:17 UTC, Benoît Tonnerre	no flags	Details
fstab file (1.49 KB, text/plain) 2026-02-10 14:19 UTC, Benoît Tonnerre	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Benoît Tonnerre 2026-02-10 14:17:08 UTC

Created attachment 18840 [details]
smb conf file

Dear samba community, 

At IUT Orsay (component of Paris Saclay University), we used samba4 for years.(we used the version shipped with Debian Trixie : Version: 2:4.22.6+dfsg-0+deb13u1).

Since the migration from Debian 12 to Debian 13 (Debian system reinstall from scratch), we encountered an issue with the profiles share.
Sometimes, the ACL seems to be lost, and students can't log in (can't load their own profiles).

When the problem occurred, we can't access the "profiles" share (Permission denied).

If we use the command bellow : 

sudo samba-tool ntacl set "O:LAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;;0x100025;;;DU)" /usr/local/samba/profiles

The ACL are back and the share [profiles$] is working again.

For the time being, the problem occurred : 
- once in september
- twice in november
- twice in february

All clients are Windows 10 LTSC, or Windows 11 LTSC.

I can't find what can cause this ?
Have you some advices ?

If you need any informations don't hesitate.

Thanks a lot.

Best regards.

Comment 1 Benoît Tonnerre 2026-02-10 14:19:11 UTC

Created attachment 18841 [details]
fstab file

If it can help, you'll find our /etc/fstab.

Comment 2 Rowland Penny 2026-02-11 08:49:08 UTC

(In reply to Benoît Tonnerre from comment #0)

First, Samba does not recommend using a DC as a fileserver, second, this would probably have been better discussed on the mailing list before opening a bug report.

Because Samba accepts that people will use a Samba AD DC as a fileserver, there is this in the wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)

Where there is this:

You should be aware that if wish to use a vfs object on a DC share e.g. recycle, you must not just set vfs objects = recycle in the share. Doing this will turn off the default vfs objects dfs_samba4 and acl_xattr. You must set vfs objects = dfs_samba4 acl_xattr recycle.

Does that give you a hint where your problem probably lies ?

Comment 3 Benoît Tonnerre 2026-02-11 14:48:47 UTC

Dear Rowland,

Thank you very much for your answer.
I'm very sorry for this bug report. If you think It should be closed, you can do so.
As you suggested, I'll try the mailing list.

I didn't realize that using Samba AD DC as a file server was such a bad idea.

Our architecture is very simple at the moment, but we'll try to follow the Samba team's recommendations.

I'll update our profiles share options according to your recommendations.

Best regards.