[Samba] vfs_streams_xattr and create mask = 0640 don't play well together

Thomas Werschlein thomas.werschlein at geo.uzh.ch
Fri Aug 7 15:58:45 UTC 2015

Hi everyone,

We are working on the deployment of samba 4.2.3 on Solaris 11.1 with ZFS backed storage. We plan to use the new vfs_fruit in order to better support our OSX clients out there. Everything seems to be working fine so far, but one operation:

If the user on an OSX client sets (or modifies) a tag (the colour flags or a custom tag) on a directory *AND* the share is configured with "create mask = 0640", the directory loses the execute bit for the owner of the directory and renders the directory inaccessible.

We were able to isolate the problem down to the VFS module "streams_xattr" (which is needed when using fruit) and the (non-default) setting of "create mask = 0640". With the default create mask of 0740 you won't encounter the problem. The problem is not related to Solaris, ZFS or OSX, though. We could reproduce it on Ubuntu 14.04 LTS and with a Windows 10 SMB client.

Our test smb.conf for a self-compiled samba 4.2.3 on Ubuntu 14.04 looks like this:

# Global parameters
	workgroup = MYGROUP
	server string = Samba Server
	server role = standalone server
	log file = /usr/local/samba/var/log.%m
	dns proxy = No
	idmap config * : backend = tdb

	path = /data/xattr
	read only = No
	create mask = 0640
	ea support = Yes
	vfs objects = streams_xattr

The root directory on the Linux host is mounted with xattr support:
root@ubuntu:~# mount | grep xattr
/dev/sda1 on / type ext4 (rw,errors=remount-ro,user_xattr)

From an OSX 10.10.4 SMB client the problem manifests as follows:

1. mounting the share from the Finder with address 'smb://'
2. create a new directory (from the Finder or from cmd line), the permissions are correct (x flag set for owner)

root@ubuntu:/data/xattr# ls -ld untitled\ folder/
drwxr-xr-x 2 parallels parallels 4096 Aug  7 17:34 untitled folder/

3. add the tag "red" to the newly created folder. Now the x flag is missing for the owner:

root@ubuntu:/data/xattr# ls -ld untitled\ folder/
drw-r-xr-x 2 parallels parallels 4096 Aug  7 17:39 untitled folder/

4. there is no problem with the xattr though as seen from the Mac ...

me@mymac:/Volumes/xattr ls -ld@ untitled\ folder/
drwx------@ 1 thomi  staff  16384 Aug  7 17:34 untitled folder//
	com.apple.FinderInfo	   32
	com.apple.metadata:_kMDItemUserTags	   50

... or directly on the samba server:

root@ubuntu:/data/xattr# xattr -pl 'user.DosStream.com.apple.metadata_kMDItemUserTags:$DATA' untitled\ folder/
0000   62 70 6C 69 73 74 30 30 A1 01 55 52 65 64 0A 36    bplist00..URed.6
0010   08 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00    ................
0020   00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 10 00                                           ...

It appears that streams_xattr is considering the "create mask" when modifying Alternate Data Streams on directories, while "create mask" is only intended for files (and we don't expect permission changes when modifying metadata anyway, do we?).

Is this a bug or a misconfiguration on our side? I am happy to file a bug report, if it turns out to be one. Any thoughts?

Thanks in advance, Thomas

Thomas Werschlein, IT Services 
Department of Geography, University of Zurich
Office: Y25-L12, Tel: +41 (0)44 63-56536
PGP-Key-ID: C76C851B
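
An added example, not part of the original post: one way to audit a share tree for directories left in the state described above (owner execute bit missing while user.DosStream.* attributes are present). It assumes Linux and Python 3; the function name find_affected_dirs and its injectable list_xattrs parameter are hypothetical.

```python
import os
import stat
import sys

STREAM_PREFIX = "user.DosStream."  # xattr name prefix shown in the post


def find_affected_dirs(root, list_xattrs=None):
    """Return sorted (path, mode string, stream xattr names) tuples for
    directories under root whose owner lacks the execute (search) bit
    and which carry streams_xattr stream attributes."""
    if list_xattrs is None:
        list_xattrs = os.listxattr  # Linux only
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # parent may itself be unsearchable
            # Skip symlinks and directories the owner can still enter.
            if not stat.S_ISDIR(st.st_mode) or st.st_mode & stat.S_IXUSR:
                continue
            try:
                names = list_xattrs(path)
            except OSError:
                names = []  # no xattr support or no permission
            streams = sorted(n for n in names if n.startswith(STREAM_PREFIX))
            if streams:
                hits.append((path, stat.filemode(st.st_mode), streams))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python3 audit.py /data/xattr
    for path, mode, streams in find_affected_dirs(sys.argv[1]):
        print(mode, path, ", ".join(streams))
```

Run it as root on the server, since a non-root walk cannot descend below a directory that has already lost its search bit.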
