Fix for Samba server masking world writeable perm off

Jeremy Allison jra at
Tue Feb 26 16:02:10 UTC 2019

On Tue, Feb 26, 2019 at 12:20:20AM -0600, Steve French wrote:
> Very strange - I noticed that using jra's experimental POSIX code, the
> Samba server would always mask off the world writeable flag ie 0777
> would become 0775 permissions.   No matter what the masks were in
> smb.conf.
> Turned out to be simple but strange:
> Removing the
>        "obey pam restrictions"
> line from smb.conf (which seems to be set by default in some distros)
> fixed the problem.   Now a SMB3.1.1 POSIX mkdir ends up with 0777 mode
> after a mkdir -m 0777 ...
> I am quite surprised that this parm does anything related to the mode
> bits, and would not have thought of it, but noticed it when googling
> for these particular permissions .... (it hit on this post from a year
> ago where a user hit the same problem with permissions being masked
> this way and Samba server:
> .
> Any idea why "obey pam restrictions" would cause Samba to mask mode bits?

That is utterly insane.

~/src/samba/git/smb2-posix$ git grep lp_obey_pam
source3/auth/pampass.c: if (!lp_obey_pam_restrictions())
source3/auth/pampass.c: if (!lp_obey_pam_restrictions())
source3/auth/pampass.c: if (!lp_obey_pam_restrictions())

Is it possible some of the pam calls are setting a
umask internally ?

More information about the samba-technical mailing list