[Samba] Permission masks

John samba at jelmail.com
Thu Feb 26 02:42:56 MST 2015


On 24/02/15 20:35, Rowland Penny wrote:
> On 24/02/15 20:23, John wrote:
>> I apologise for asking a basic question but I haven't been able to
>> determine a sensible answer.
>>
>> I am using 4.1.17 as AD-DC. All configured and working with user home
>> directories via [homes] and some other specific shares.
>>
>> Windows 7 client joined to domain, users can log in and create files in
>> their home directory.
>>
>> However the system permissions on those files are not what I expect and
>> I am trying to understand why.
>>
>> My [homes] sets "create mask" and "directory mask" to 0700 but
>> everything created has "0770".
>>
>> I have another share with a create mask of 0755. Files in there get
>> 0775.
>>
>> I have checked with testparm that there is nothing configured to set to
>> 0770 anywhere. It's like there is a "force create mode" but there isn't:
>>
>> $ testparm -v | grep -e 'force.*mode'
>>      force create mode = 00
>>      force directory mode = 00
>>
>> What am I missing? What could be overriding my permissions?
>>
>> Thanks for any advice,
>> John
>>
>>
>
> For one thing you are missing the fact that [homes] doesn't work with
> a samba4 DC, you should also be using ACLs instead of 'force mode' etc.
Hmm, I didn't know that. Is that officially stated anywhere? It does
appear to work for me except for the permissions issue. Could you
elaborate on what doesn't work - there's probably something I haven't
hit on yet.
>
> Try browsing the wiki:  https://wiki.samba.org/index.php/Main_Page
;) Goes without saying - it was the first place I turned to but it
isn't always straightforward to find where the answers are.
>
> For your home share see:
> https://wiki.samba.org/index.php/Setting_up_a_home_share
>
> For ACLs see:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share
>
>
I'll look at these in more detail. I'm already using ACLs though but
I'll look at the alternative way to implement home directories.

What the above doesn't explain is why I am seeing additional permissions
being applied on the server filesystem. It isn't a homes issue because
it happens on other shares too. I'd like to get to the bottom of that
one... Something is applying an OR-mask of 0770 to whatever files'
permissions should be. The question is what...?

> Rowland
>



