[Samba] Permission masks

John samba at jelmail.com
Thu Feb 26 02:42:56 MST 2015

On 24/02/15 20:35, Rowland Penny wrote:
> On 24/02/15 20:23, John wrote:
>> I apologise for asking a basic question but I haven't been able to
>> determine a sensible answer.
>> I am using 4.1.17 as AD-DC. All configured and working with user home
>> directories via [homes] and some other specific shares.
>> Windows 7 client jointed to domain, users can log in and create files in
>> their home directory.
>> However the system permissions on those files are not what I expect and
>> I am trying to understand why.
>> My [homes] sets "create mask" and "directory mask" to 0700 but
>> everything created has "0770".
>> I have another share with a create mask of 0755. Files in there get
>> 0775.
>> I have checked with testparm that there is nothing configured to set to
>> 0770 anywhere. it's like there is a "force create mode" but there isn't:
>> $ testparm -v | grep -e 'force.*mode'
>>      force create mode = 00
>>      force directory mode = 00
>> What am I missing? What could be overriding my permissions ?
>> Thanks for any advice,
>> John
> For one thing you are missing the fact that [homes] doesn't work with
> a samba4 DC, you should also be using ACLs instead of 'force mode' etc.
Hmm, I didn't know that. Is that officially stated anywhere? It does
appear to work for me except for the permissions issue. Could you
elaborate on what doesn't work - there's probably something I haven't
hit on yet.
> Try browsing the wiki:  https://wiki.samba.org/index.php/Main_Page
;) Goes without saying - it was the first placed I turned to but it
isn't always straightforward to find where the answers are.
> For your home share see:
> https://wiki.samba.org/index.php/Setting_up_a_home_share
> For ACLs see:
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share
I'll look at these in more detail. I'm already using ACLs though but
I'll look at the alternative way to implement home directories.

What the above doesn't explain is why I am seeing additional permissions
being applied on the server filesystem. It isn't a homes issue because
it happens on other shares too. I'd like to get to the bottom of that
one... Something is applying an OR-mask of 0770 to whatever files'
permissions should be. The question is what...?

> Rowland

More information about the samba mailing list