[Samba] Permission masks

Rowland Penny rowlandpenny at googlemail.com
Thu Feb 26 03:01:12 MST 2015

On 26/02/15 09:42, John wrote:
> On 24/02/15 20:35, Rowland Penny wrote:
>> On 24/02/15 20:23, John wrote:
>>> I apologise for asking a basic question but I haven't been able to
>>> determine a sensible answer.
>>> I am using 4.1.17 as AD-DC. All configured and working with user home
>>> directories via [homes] and some other specific shares.
>>> Windows 7 client jointed to domain, users can log in and create files in
>>> their home directory.
>>> However the system permissions on those files are not what I expect and
>>> I am trying to understand why.
>>> My [homes] sets "create mask" and "directory mask" to 0700 but
>>> everything created has "0770".
>>> I have another share with a create mask of 0755. Files in there get
>>> 0775.
>>> I have checked with testparm that there is nothing configured to set to
>>> 0770 anywhere. it's like there is a "force create mode" but there isn't:
>>> $ testparm -v | grep -e 'force.*mode'
>>>       force create mode = 00
>>>       force directory mode = 00
>>> What am I missing? What could be overriding my permissions ?
>>> Thanks for any advice,
>>> John
>> For one thing you are missing the fact that [homes] doesn't work with
>> a samba4 DC, you should also be using ACLs instead of 'force mode' etc.
> Hmm, I didn't know that. Is that officially stated anywhere? It does
> appear to work for me except for the permissions issue. Could you
> elaborate on what doesn't work - there's probably something I haven't
> hit on yet.

It is on the wikipage: 

I have now updated it, to make it a bit more explicit.

>> Try browsing the wiki:  https://wiki.samba.org/index.php/Main_Page
> ;) Goes without saying - it was the first placed I turned to but it
> isn't always straightforward to find where the answers are.
>> For your home share see:
>> https://wiki.samba.org/index.php/Setting_up_a_home_share
>> For ACLs see:
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share
> I'll look at these in more detail. I'm already using ACLs though but
> I'll look at the alternative way to implement home directories.
> What the above doesn't explain is why I am seeing additional permissions
> being applied on the server filesystem. It isn't a homes issue because
> it happens on other shares too. I'd like to get to the bottom of that
> one... Something is applying an OR-mask of 0770 to whatever files'
> permissions should be. The question is what...?

Follow the wiki page above, don't set *anything* on the share in 
smb.conf, do it all with ACLs


>> Rowland

More information about the samba mailing list