[Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings

Kevin Field kev at brantaero.com
Wed Sep 25 18:03:59 MDT 2013 


On 2013-09-25 2:47 PM, Johan Hendriks wrote:
> Kevin Field wrote:
>> Hi,
>>
>> I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these
>> global settings (not overridden):
>>
>>         read only = No
>>         force create mode = 0777
>>         force directory mode = 0777
>>         inherit acls = yes
>>         inherit owner = yes
>>         inherit permissions = yes
>>
>> On a Windows client, I have Thunderbird 24.0 storing its profile and
>> mail on the Samba share.  The perms on everything in the share were
>> chmod -R 777'd.
>>
>> Then I get mail, compact a folder, whatever, and it looks like this:
>>
...
>> -rwxrwxrwx. 1 1128 513     2684 Sep 25 13:20 Templates.msf
>> -rwxrwx---+ 1 1128 513        0 Sep 25 13:50 Trash
>> -rwxrwx---+ 1 1128 513     2223 Sep 25 13:50 Trash.msf
>>
>> Whatever it touches is now 770.  How can that be, when the parent of
>> this folder is 777, Samba is set to inherit and force 0777?  Is this
>> Samba misbehaving, or Thunderbird?
>>
>> Thanks,
>> Kev
> It looks like the you have acl's active, hence the + after the
> permissions rwxrwx---+ .
> These acls overrule the local permissions set by samba.
>
> Not samba not thundebird is misbehaving.
>
> regards
> Johan Hendriks

I only partially understand.  I get that + means some extended ACLs.  I 
don't get why Samba/Thunderbird makes the file 770 instead of 777.  What 
I really don't get, though, is--since you mentioned ACLs I went and 
checked some example files in Windows--that despite the 777 files having 
"Everyone" with no settings, the 770 files have "Everyone" with "Full 
Control", not inherited!  I certainly didn't intend that for a user's 
mail profile :)  (Really though, I didn't set things up that way from 
the Windows side--this is someone's home drive, in which they have full 
control, and I didn't touch the defaults, but I certainly didn't put 
Everyone in there, and certainly not with Full Control.)

Where did this come from?

possibility a) smb.conf, in which case I don't understand the settings I 
posted here
possibility b) ACLs set by me, which I can't see being the case because 
our setup is so simple*
possibility c) ?

* Now just in case, and barring any Group Policy suggestions, what's the 
easiest way to, either from Windows or Linux, set it up so that admins 
have Full Control over every file, and home drives additionally have 
Full Control of the user having the same name as the home dir, and the 
'shared' drive has Everyone having Full Control?  So far, because our 
network is so small, I had done this manually in the past, but it's a 
bit of a PITA to do again at this point, since each user's home dir 
takes a few minutes to propagate ACL changes through if I use Windows 
GUI tools and meanwhile semi-hangs the UI.  I don't really care how the 
perms look on the Linux end of things, since users only have access via 
Windows clients.

 From what you said about ACLs overruling, to me it would seem that our 
setup is simple enough that we shouldn't need "+"/Windows ACLs at all, 
because the normal unix ACLs are more than enough for our purposes, 
except that currently, Windows users don't get properly mapped, mainly 
because their Linux equivalents don't necessarily exist (e.g. for most 
users they don't have a CentOS login, but I do and the "users" group and 
such could map from "Domain Users", I guess.)  Or even if Linux perms 
were the same everywhere, and smb.conf enforced the rules so they came 
out right on the Windows side.  If someone could lay this out for me, 
I'd really find it helpful--I've been trying to make sense of the docs 
and tutorials and mailing lists and Q&A sites, and for what I would 
think is a fairly common setup, I can't seem to get something working 
without glitches for us.

It's just that, somehow, since we recently switched home drives from 
W2K3 to Samba serving them up, this has suddenly started happening, and 
is somehow causing strange side effects like Thunderbird much more often 
deciding to rebuild summary files of mailboxes, and mail not coming in 
right away (perhaps due to an un-indicated summary rebuild conflicting 
with a too-often mail check), and, well, these strange permissions that 
we never had before appearing on most files that Thunderbird modifies.

More help/hints/examples would be much appreciated :)

Thanks Johan,
Kev

More information about the samba mailing list