[Samba] permissions of new files and directories
Rowland Penny
rpenny at samba.org
Thu Sep 22 11:03:59 UTC 2016
On Thu, 22 Sep 2016 11:53:36 +0200
Philipp Snizek via samba <samba at lists.samba.org> wrote:
>
>
> Hello
>
> I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
> DCs are Win 2012 R2 in 2008 R2 mode.
>
> This is the smb.conf:
>
> [global]
> workgroup = MYDOM
> server string = Fileserver
> netbios name = myhostname
> winbind separator = +
> security = ADS
> admin users = %D+administrator, %D+backupmaster
> realm = MYDOM.WHEREVER
> kerberos method = secrets and keytab
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = template
> winbind use default domain = no
> winbind refresh tickets = true
> winbind nested groups = yes
> idmap config *:backend = rid
> idmap config *:range = 100000-100000000
> idmap config *:base_rid = 0
> template shell = /usr/bin/nologin
> template homedir = /home/%D/users/%U
> obey pam restrictions = yes
> allow trusted domains = no
> client use spnego = yes
> client signing = auto
> preferred master = no
> load printers = no
> unix charset = UTF8
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 50000
> server max protocol = SMB3
> map untrusted to domain = yes
> log writeable files on exit = yes
>
> This is one of the many team share configs. They are all like this.
>
> [Team_XXX]
> comment = Team XXX
> path = "/home/teams1/team_xxx"
> browseable = yes
> write list = "@%D+team xxx"
> admin users = @%D+domänen-admins
> valid users = @%D+domänen-admins, "@%D+team xxx"
> public = no
> force group = "%D+team xxx"
> directory mask = 0770
> create mask = 0660
>
> When I, as a member of %D+team xxx, create a new directory in this share,
> the permissions of the new directory become 750 instead of 770. Newly
> created files do get 660.
> I have tried force directory mode = 0770 to no effect. I've also tried
> inherit permissions = yes. Newly created files then get 660 and
> directories get 750 instead of 770.
>
> Thanks for helping out.
>
> Best regards,
> Philipp
>
Can I suggest you change your smb.conf to this:

[global]
netbios name = myhostname
security = ADS
workgroup = MYDOM
realm = MYDOM.WHEREVER
server string = Fileserver
log file = /var/log/samba/log.%m
log level = 3
max log size = 50000
winbind separator = +
kerberos method = secrets and keytab
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = true
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOM:backend = rid
idmap config MYDOM:range = 100000-100000000
template shell = /usr/bin/nologin
template homedir = /home/%D/users/%U
obey pam restrictions = yes
allow trusted domains = no
preferred master = no
load printers = no
map untrusted to domain = yes
log writeable files on exit = yes

[Team_XXX]
comment = Team XXX
path = /home/teams1/team_xxx
browseable = yes
read only = no

Then read and follow this:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Rowland
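
Added example, not part of either message and not Samba project code: a small Python check for the idmap difference between the two configurations in this thread (the default "*" domain on the rid backend covering the whole range, versus "*" on tdb with a small range and MYDOM on rid with its own non-overlapping range). The function names and finding strings are assumptions made for this illustration, and the sample configs are constructed from the idmap lines quoted above.

```python
import re
# Constructed samples: the idmap lines of the two [global] sections in the thread.
ORIGINAL = """[global]
idmap config *:backend = rid
idmap config *:range = 100000-100000000
idmap config *:base_rid = 0
"""
SUGGESTED = """[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOM:backend = rid
idmap config MYDOM:range = 100000-100000000
"""
IDMAP_RE = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from 'idmap config' lines in [global]."""
    domains, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = IDMAP_RE.match(line)
        if m and section == "global":
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val.strip()
    return domains

def check_idmap(text):
    """Hypothetical checker: list the idmap layout problems found in text."""
    domains, findings, ranges = parse_idmap(text), [], {}
    for dom, opts in domains.items():
        if dom == "*" and opts.get("backend", "").lower() == "rid":
            findings.append("default domain * uses the rid backend")
        if "range" in opts:  # range is written as low-high
            ranges[dom] = tuple(int(n) for n in opts["range"].split("-"))
    if set(domains) == {"*"}:
        findings.append("no domain has its own idmap config")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, check_idmap(conf) or "no findings")
```

Changing ID ranges on a server that already holds data changes the Unix IDs the domain users and groups map to, so existing ownership on the share has to be re-checked afterwards.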