[Samba] permissions of new files and directories

Rowland Penny rpenny at samba.org
Thu Sep 22 11:03:59 UTC 2016


On Thu, 22 Sep 2016 11:53:36 +0200
Philipp Snizek via samba <samba at lists.samba.org> wrote:

> 
> 
> Hello
> 
> I'm running  Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
> DCs are Win 2012 R2 in 2008 R2 mode.
> 
> This is the smb.conf:
> 
> [global]
>     workgroup = MYDOM
>     server string = Fileserver
>     netbios name = myhostname
>     winbind separator = +
>     security = ADS
>     admin users = %D+administrator, %D+backupmaster
>     realm = MYDOM.WHEREVER
>     kerberos method = secrets and keytab
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nss info = template
>     winbind use default domain = no
>     winbind refresh tickets = true
>     winbind nested groups = yes
>     idmap config *:backend = rid
>     idmap config *:range = 100000-100000000
>     idmap config *:base_rid = 0
>     template shell = /usr/bin/nologin
>     template homedir = /home/%D/users/%U
>     obey pam restrictions = yes
>     allow trusted domains = no
>     client use spnego = yes
>     client signing = auto
>     preferred master = no
>     load printers = no
>     unix charset = UTF8
>     log file = /var/log/samba/log.%m
>     log level = 3
>     max log size = 50000
>     server max protocol = SMB3
>     map untrusted to domain = yes
>     log writeable files on exit = yes
> 
> This is one of the many team share configs. They are all like this.
> 
> [Team_XXX]
>     comment = Team XXX
>     path = "/home/teams1/team_xxx"
>     browseable = yes
>     write list = "@%D+team xxx"
>     admin users = @%D+domänen-admins
>     valid users = @%D+domänen-admins, "@%D+team xxx"
>     public = no
>     force group = "%D+team xxx"
>     directory mask = 0770
>     create mask = 0660
> 
> When I, as a member of %D+team xxx, create a new directory in this share,
> the permissions of the new directory become 750 instead of 770. Newly
> created files do get 660.
> I have tried force directory mode = 0770 to no effect. I've also tried
> inherit permissions = yes. Newly created files then get 660 and
> directories get 750 instead of 770.
> 
> Thanks for helping out.
> 
> Best regards,
> Philipp
> 

Can I suggest you change your smb.conf to this:

# Suggested smb.conf for a Samba server joined to Active Directory as a domain member.
# Compared with the poster's original config, this version drops both "admin users"
# lines (global and per-share) and the share's valid users / write list /
# force group / mask settings. "admin users" makes the listed accounts perform all
# file operations on a share as root, so leaving it out is the least-privilege choice.
# Comments are on their own lines: smb.conf has no trailing-comment syntax.
[global]
    netbios name = myhostname
    # ADS: authenticate against the AD domain/realm named below.
    security = ADS
    workgroup = MYDOM
    realm = MYDOM.WHEREVER
    server string = Fileserver

    # %m expands to the client's machine name, so one log file is written per client.
    log file = /var/log/samba/log.%m
    # Level 3 is verbose; it suits troubleshooting. Consider lowering it afterwards.
    log level = 3
    # Size is in KiB, applied to each log file.
    max log size = 50000

    # Domain accounts are written MYDOM+user, matching the %D+name form in the original.
    winbind separator = +
    kerberos method = secrets and keytab
    # NOTE(review): user/group enumeration can be slow on large domains; confirm it is
    # really needed outside of testing.
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = true

    # Default ("*") domain: a small tdb-allocated range for everything that is not
    # covered by a named domain below.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # Named domain: IDs are derived from the RID. The original config had put the rid
    # backend on "*"; rid is configured per named domain, and the ranges must not
    # overlap (2000-9999 and 100000-100000000 do not).
    # NOTE(review): changing idmap settings on a server that already holds data can
    # change UID/GID mappings; check file ownership after the change.
    idmap config MYDOM:backend = rid
    idmap config MYDOM:range = 100000-100000000

    # Domain users get no interactive shell on this host.
    # NOTE(review): confirm this path exists; Debian/Ubuntu normally install nologin
    # under /usr/sbin.
    template shell = /usr/bin/nologin
    template homedir = /home/%D/users/%U
    obey pam restrictions = yes
    # Only accounts from the joined domain are accepted, not those of trusted domains.
    allow trusted domains = no
    preferred master = no
    load printers = no
    # NOTE(review): later Samba releases deprecate this option; check the smb.conf
    # man page for the version in use before carrying it forward.
    map untrusted to domain = yes
    log writeable files on exit = yes

# With no valid users / write list on the share, any account that can authenticate may
# connect, and access is decided solely by the filesystem permissions and ACLs on the
# path. Set those ACLs (the reply links the Shares_with_Windows_ACLs wiki page) before
# relying on this share definition.
[Team_XXX]
    comment = Team XXX
    path = /home/teams1/team_xxx
    browseable = yes
    read only = no


Then read and follow this:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Rowland


