[Samba] MacOSX 10.9.4 with Samba 4.1.11 and permissions weirdness

Dan Mons dmons at cuttingedge.com.au
Tue Nov 18 23:06:00 MST 2014 

Hi Bo, thanks for the email.

What are the permissions on the files to start with (i.e.: on your mac
client, before copying to the Samba share?).

Try making a local file, and chmod 400 that file, then copy it to the
Samba server and see what happens.  Also try chmod 400 a file on your
local system, and copying the parent folder (with the file in it) to
the Samba server.

In particular, the "parent folder" one bites us frequently.  MacOSX
does things like makes folders unwritable by the user if they've been
downloaded form the Internet.  A common use case for us is admin staff
downloading things from the Internet, copying them to our Samba
servers, and then having the rest of our production users locked out
of the files/folders as a result.   This is a daily occurrence for us
at the moment, and is eating an enormous amount of helpdesk time.

As mentioned, the problem could be worked round with Samba3.  We would
like to stick with Samba4 for the much faster SMB2/SMB3 protocol
support, but it's proving impossible with MacOSX clients.

-Dan



----------------
Dan Mons - R&D Sysadmin
Cutting Edge
http://cuttingedge.com.au


On 19 November 2014 10:25, Bo Kersey <bo at vircio.com> wrote:
> Dan,
> I've seen this behavior before, but I'm trying to duplicate it now and I can't....
> I have a share setup exactly as you do:
>
>>>>>         create mask = 0660
>>>>>         force create mode = 0660
>>>>>         directory mask = 0770
>>>>>         force directory mode = 0770
>>>>>         nt acl support = no
>
> And I'm copying files and directories to the share from OSX 10.10.1 and the file & directory permissions are as expected.  This is against sernet-samba 4.1.13.
> I'm seeing SMB2 connections in wireshark between the Mac and the Samba server.
>
> Am I missing something?
>
> Thanks!
> Bo
>
>
>
>
> ----- Original Message -----
>> From: "Dan Mons" <dmons at cuttingedge.com.au>
>> To: "samba" <samba at lists.samba.org>
>> Sent: Sunday, November 16, 2014 3:51:03 PM
>> Subject: Re: [Samba] MacOSX 10.9.4 with Samba 4.1.11 and permissions  weirdness
>
>> Bumping this one last time in the hope that someone else has a fix or
>> workaround.
>>
>> Permissions and umasks are still a problem with MacOSX clients.
>> create mask / force mask are ignored most of the time by MacOSX 10.8
>> through to 10.10 clients, and that causes much pain.
>>
>> This wasn't a problem in Samba3, as the various permission mask
>> options were always enforced regardless of client stupidity.
>>
>> -Dan
>>
>> ----------------
>> Dan Mons - R&D Sysadmin
>> Cutting Edge
>> http://cuttingedge.com.au
>>
>>
>> On 28 August 2014 09:23, Dan Mons <dmons at cuttingedge.com.au> wrote:
>>> Hi,
>>>
>>> Thanks for the reply.
>>>
>>> We've tried  "unix extensions = no", and it makes no changes to
>>> permissions of folders being written.
>>>
>>> What it does do, however, is break the Mac's ability to make real
>>> POSIX symlinks (instead we get those annoying Minshall+French symlinks
>>> that don't work on other Linux systems).  As such, we've had to keep
>>> "unix extensions = yes" as that's integral to how our Macs need to
>>> work with the rest of our Linux systems.
>>>
>>> -Dan
>>>
>>> ----------------
>>> Dan Mons
>>> Unbreaker of broken things
>>> Cutting Edge
>>> http://cuttingedge.com.au
>>>
>>>
>>> On 28 August 2014 08:46, Danilo Mussolini <danilo at mdotti.com> wrote:
>>>> Try "unix extensions = no". I guess this will help you.
>>>>
>>>>
>>>> Best,
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Aug 27, 2014 at 6:59 PM, Dan Mons <dmons at cuttingedge.com.au> wrote:
>>>>>
>>>>> Hi folks,
>>>>>
>>>>> I'm running CentOS 6.5 on our storage nodes, with Samba 4.1.11 RPMs from
>>>>> Sernet.
>>>>>
>>>>> We're having a strange issue with MacOSX clients (testing on 10.9.4)
>>>>> when writing directories.
>>>>>
>>>>> Relevant smb.conf share portions:
>>>>>
>>>>>         create mask = 0660
>>>>>         force create mode = 0660
>>>>>         directory mask = 0770
>>>>>         force directory mode = 0770
>>>>>         nt acl support = no
>>>>>
>>>>> With these in place, any Mac client that copies a directory across
>>>>> writes the permissions for a directory as (reported directly on the
>>>>> Linux storage):
>>>>>
>>>>> u=rw
>>>>> g=rwx
>>>>> o=
>>>>> i.e.: 0670
>>>>>
>>>>> The user loses the execute permission on directories, and can no
>>>>> longer traverse directories or list their contents.
>>>>>
>>>>> When I replace the smb.conf portion with the following:
>>>>>
>>>>>         create mask = 0770
>>>>>         force create mode = 0770
>>>>>         directory mask = 0770
>>>>>         force directory mode = 0770
>>>>>         nt acl support = no
>>>>>
>>>>> Directories correctly get 0770 permissions on the Linux file system,
>>>>> however so do regular files (I'm trying to avoid regular files getting
>>>>> marked as executable for this particular data store).
>>>>>
>>>>> We have multiple sites and multiple data stores (two whopping big
>>>>> Gluster stores, as well as some regular NAS units with standard local
>>>>> storage), and the problem exists the same way on all of them.
>>>>>
>>>>> We began testing on Samba 4.1.9 originally, and it showed the same
>>>>> behaviour.  I'm just wondering if anyone else has seen the same, or if
>>>>> it's just MacOSX madness (which I'm willing to accept as the answer,
>>>>> as MacOSX is anything but consistent with SMB).
>>>>>
>>>>> Previously on Samba 3.6.9 provided with CentOS 6, I would add the
>>>>> following share options to solve Mac-specific weirdness:
>>>>>
>>>>>         #security mask = 0660
>>>>>         #force security mode = 0660
>>>>>         #directory security mask = 0770
>>>>>         #force directory security mode = 0770
>>>>>
>>>>> These no longer work in Samba 4, and both the man pages and Samba wiki
>>>>> reflect this change.  When I apply my Google-fu to this problem, these
>>>>> options are what most people are suggesting, but again they're not
>>>>> available to me.
>>>>>
>>>>> Cheers for any insight offered.
>>>>>
>>>>> -Dan
>>>>>
>>>>> ----------------
>>>>> Dan Mons
>>>>> Unbreaker of broken things
>>>>> Cutting Edge
>>>>> http://cuttingedge.com.au
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
> --
> Bo Kersey
> VirCIO - managed network solutions
> 4314 Avenue C
> Austin, TX 78751
> phone: (512)374-0500

More information about the samba mailing list