[Samba] Samba PDC, permissions on user profile folders too wide

Mon Sep 12 10:21:21 UTC 2016

Hi folks,

I have got a Samba PDC with roaming profiles: CentOS 7 x64, build 1511

The server is set up with roaming profiles according to the current 
Samba Wiki.

Roaming works, but the permissions in the profiles are too wide, giving 
access not only to the user in every profile, but also to the group 
(770). For example, if I log in under Windows, add a file (or folder) on 
my desktop, and log off, the file (folder) will be in my profile with 
permissions 770. The same from Windows XP and up to Windows 10.

This poses an immediate problem. Any user belonging to the same group as 
the Samba user, with ssh access to the server, can do anything they like 
with the files in any profile belonging to the same group.

I've previously through the years set up a bunch of Samba PDC servers 
with Samba 3. There, the problem never occurred; the effective file 
permissions were always 600 (700 for directories) in the profiles.

My Profiles definition:

          guest ok = yes
          browseable = no
          writeable = yes
          create mask = 0600
          directory mask = 0700
          path = /var/lib/samba/profiles
          store dos attributes = yes
          profile acls = yes
          csc policy = disable

I would be grateful for any information on how to solve this.

Best regards,
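
An added example, not part of the original post: a Python audit that walks a profile root (such as the /var/lib/samba/profiles path in the share definition above) and reports, per profile, every entry whose mode grants any group or other access, which is the 770 condition described. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # 0o077: any group/other access bit


def audit_profiles(root):
    """Return {profile_dir: [(path relative to root, octal mode), ...]} for
    every entry whose mode grants any access to group or others."""
    findings = {}
    for profile in sorted(os.listdir(root)):
        top = os.path.join(root, profile)
        if os.path.islink(top) or not os.path.isdir(top):
            continue
        # The profile directory itself, then everything below it.
        paths = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        loose = []
        for path in paths:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no access meaning
            if st.st_mode & GROUP_OTHER:
                mode = oct(stat.S_IMODE(st.st_mode))
                loose.append((os.path.relpath(path, root), mode))
        if loose:
            findings[profile] = sorted(loose)
    return findings


def build_sample(root):
    """Constructed sample tree: 'alice' matches the 0600/0700 masks,
    'bob' reproduces the 770 case from the post."""
    for user, dmode, fmode in (("alice", 0o700, 0o600), ("bob", 0o770, 0o770)):
        desktop = os.path.join(root, user, "Desktop")
        os.makedirs(desktop)
        note = os.path.join(desktop, "note.txt")
        with open(note, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(note, fmode)
        os.chmod(desktop, dmode)
        os.chmod(os.path.join(root, user), dmode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for profile, entries in audit_profiles(tmp).items():
            for rel, mode in entries:
                print(f"{profile}: {rel} {mode}")
```

On a real server, call audit_profiles() with the share's path instead of the temporary sample tree; where a file carries a POSIX ACL, the group bits reported by stat reflect the ACL mask rather than the owning group's entry.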


