Created attachment 7892
Attached log file

Every time I attempt to modify an ACE on a share via Windows (using s3fs), the deny permission will either be deleted (only deny permissions if there are allows for the certain user/group), or if I set the user/group to Deny: Full Control, the entire ACE is deleted. Here's a portion of my smb.conf (containing the shares I've tested with).

[global]
server role = domain controller
workgroup = MESTIZAJE
realm = mestizaje.org
netbios name = M-DC-01
disable netbios = false
server string = Mestizaje Domain Controller
dns forwarder = 8.8.8.8
dns recursive queries = yes
allow dns updates = signed
use spnego = true
client use spnego principal = true
local master = true
preferred master = true
paranoid server security = true
server signing = true
client signing = true
tls enabled = true
idmap trusted only = true
encrypt passwords = true
null passwords = false
client plaintext auth = false
lanman auth = false
client lanman auth = false
ntlm auth = false
client ntlmv2 auth = true
# Did break windows 7 server max protocol = SMB2
min protocol = NT1
server max protocol = NT1
server min protocol = NT1
# Did break windows 7 client max protocol = SMB2
client max protocol = NT1
client min protocol = NT1
interfaces = bond0 lo
bind interfaces only = true
hosts deny = 0.0.0.0/0
hosts allow = 192.168.1.0/24
idmap trusted only = true
encrypt passwords = true
time server = true
csc policy = disable
oplocks = true
null passwords = false
max wins ttl = 10
wins support = true
winbind sealed pipes = true
rpc big endian = false
dns proxy = true
strict locking = false
# max xmit = 16384
## 65535 < Performance than 32768 < Performance Than 49152
socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_SNDBUF=49152 SO_RCVBUF=49152
unix charset = UTF-8
dos charset = CP850
unicode = true
read raw = false
write raw = true
host msdfs = false
case insensitive filesystem = false
unix extensions = true
nt status support = true
nt acl support = true
acl check permissions = true
acl compatibility = win2k
ea support = true
store dos attributes = true
hide files = /*.db/*.ini/*RECYCLE*/.*/*.vbs/*.bat/*.dat/*.adm/*.adml/*.admx/*.msc/*.mmc/*.tmp/*.sys/$*/*.log/*.reg/
hide dot files = true
log level = 10
debug level = 10
#max log size = 96
log file = /mestizaje.org/Samba/Logs/Samba4.Amorak.s4rw
template shell = /bin/bash
template homedir = /home/mestizaje.org/%USERNAME%
## Testing s3fs
# Implemented into stable at 4.0.0Beta2
# server services = -smb +s3fs
# dcerpc endpoint servers = -winreg -srvsvc
## Printing subsection
load printers = true
printing = cups
printcap name = cups
cups options = "raw media=a4"
use client driver = false
## End of testing s3fs
# force create mode = 0750
# force directory mode = 0750
## Virtual Server Configuration
# The parameter is incorrect
# netbios aliases = Kushtaka
# smb ports = 139
# include /usr/local/samba/etc/VirtualServers/smb.conf.Kushtaka
## End of virtual server configuration

[netlogon]
path = /mestizaje.org/Shares/SYSVOL/mestizaje.org/scripts
comment = NETLOGON
volume = NETLOGON
read only = false
browseable = false
fstype = NTFS
map hidden = false

[sysvol]
path = /mestizaje.org/Shares/SYSVOL
comment = SYSVOL
volume = SYSVOL
read only = false
browseable = false
fstype = NTFS
map hidden = false

## Printing Shares
#[printers]
# path = /mestizaje.org/Shares/Printers/spool
# comment = Printer Spool Share
# volume = PRINTERS
# browseable = false
# printable = true
# read only = true
# create mask = 0777
# guest ok = true
#
#[print$]
# path = /mestizaje.org/Shares/Install/Drivers/Printers
# volume = PRINTDRIVERS
# comment = Printer Drivers
# read only = false
# create mask = 0755
# directory mask = 0755
# browseable = false
# printable = false
# fstype = NTFS

# Admins Profiles
[AdminsProfiles$]
path = /mestizaje.org/Profiles/Admins/Profile
volume = USERDATA
comment = My Profile
read only = false
create mask = 0600
create mask = 0600
force create mode = 0600
directory mask = 0700
force directory mode = 0700
browseable = false
printable = false
fstype = NTFS
csc policy = disable

[AdminsDocs$]
path = /mestizaje.org/Profiles/Documents/Admins
volume = USERDOCS
comment = My Documents
read only = false
create mask = 0600
force create mode = 0600
directory mask = 0700
force directory mode = 0700
browseable = false
printable = false
fstype = NTFS
msdfs root = false
# recycle: config-files = /usr/local/samba/etc/samba/samba-recycle.conf
# vfs objects = recycle
# recycle:keeptree = true
# recycle:touch = true
# recycle:touch_mtime = true
# recycle:maxsize = 67108864
# recycle:versions = true
# recycle:repository = /mestizaje.org/Profiles/MyDocs/Admins/%U/Trash
# recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,*.dat,*.ini
oplocks = true

[AdminsAppData$]
path = /mestizaje.org/Profiles/Admins/AppData
volume = APPLICATIONDATA
comment = APPLICATIONDATA
read only = false
create mask = 0600
force create mode = 0600
directory mask = 0700
force directory mode = 0700
recycle: config-files = /usr/local/samba/etc/samba/samba-recycle.conf
browseable = false
printable = false
fstype = NTFS

I have attached a log file with a debug and log level of 10 below.
Just a note - it's Samba4 Beta8 compiled with:

./configure --enable-uid-wrapper --enable-socket-wrapper --enable-nss-wrapper --enable-gnutls --enable-cups --download

on Ubuntu 12.04.
Can also be confirmed on RC1 compiled with the same options. I've also tested on EXT4 with user_xattr and acl, and on XFS, and the bug still appears. The domain was provisioned with the --use_xattrs=yes option. Could that possibly be related to the problem?
Okay, so for anyone else who comes across this, I'd recommend looking through the mailing lists.

It turns out that this can be fixed by adding:

vfs objects = acl_xattr

to each share that requires ACLs to be mapped.
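Added here as an illustration (not code from the bug report or from Samba): a small Python checker that parses an smb.conf in the shape posted above and lists the shares whose effective "vfs objects" list does not include acl_xattr, which is the situation that made the Deny ACE silently disappear. The sample config is constructed; the parser follows Samba's rule that a share inherits the [global] "vfs objects" value only when it sets none of its own.

```python
import re
from typing import Dict, List

# Constructed smb.conf excerpt modelled on the report's (not the full file):
# the global section sets no VFS modules, one share adds acl_xattr, one does not.
SAMPLE_SMB_CONF = """\
[global]
    server role = domain controller
    nt acl support = true
[AdminsDocs$]
    path = /mestizaje.org/Profiles/Documents/Admins
    vfs objects = recycle acl_xattr
[AdminsAppData$]
    path = /mestizaje.org/Profiles/Admins/AppData
    read only = false
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{section: {parameter: value}}; parameter names are lower-cased with whitespace
    removed, as Samba compares them, and a repeated parameter keeps its last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or full-line comment
            continue
        match = re.fullmatch(r"\[(.+)\]", line)  # [share] header
        if match:
            current = match.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray text outside a section
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][re.sub(r"\s+", "", key).lower()] = value
    return sections

def shares_missing_acl_xattr(text: str) -> List[str]:
    """Shares whose effective 'vfs objects' lacks acl_xattr. A share inherits
    the [global] list only when it sets none of its own."""
    conf = parse_smb_conf(text)
    global_vfs = conf.get("global", {}).get("vfsobjects", "")
    missing = []
    for name, params in conf.items():
        if name.lower() == "global":
            continue
        if "acl_xattr" not in params.get("vfsobjects", global_vfs).split():
            missing.append(name)
    return missing
```

Run it over the real file with open("/usr/local/samba/etc/smb.conf").read() (path as assumed for this build) and every name it returns is a share that will not persist NT ACLs.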
Thanks a lot man. You cannot imagine how this small line saved my days of stress.

(In reply to comment #3)
> Okay, so for anyone else who comes across this, I'd recommend looking through
> the mailing lists.
>
> It turns out that this can be fixed by adding:
>
> vfs objects = acl_xattr
>
> to each share that requires ACLs to be mapped.
It's cool, but I still think that the ACE issue needs to be addressed. The Samba team have completely ignored that this issue exists, which is a shame as they've produced a great piece of software. But on a heavily loaded server, this system wouldn't work as all of the ACEs are stored in a TDB file, so the server will end up spending half of its time checking whether the user is actually allowed to access the requested resource. I used Samba to attempt to slowly budge away from Windows completely, not to get halfway through beta stage and have to consider moving my primary fileserver over to Server 2008 just because I couldn't set a Deny ACE. Please guys, get this sorted, because if you want businesses to be able to replace their existing environments with Samba4, whether it's as a DC or a File Server, if they find a bug as large as this they'll run a mile.
Except for the suggestion around ACL lookups being against a TDB (they are not; they are stored in an xattr in the filesystem), this should be fully addressed by the patch attached to bug #9406. We do apologise for the time it has taken to address this regression. Thanks,
Should be fixed in Samba 4.0.0rc6. Please feel free to re-open if it's still an issue. Thanks!
*** Bug 9275 has been marked as a duplicate of this bug. ***