[Samba] Reply: Re: permissions of new files and directories
Rowland Penny
rpenny at samba.org
Thu Sep 22 13:01:16 UTC 2016
On Thu, 22 Sep 2016 14:36:34 +0200
Philipp Snizek via samba <samba at lists.samba.org> wrote:
>
> > From: Rowland Penny via samba <samba at lists.samba.org>
> > To: samba at lists.samba.org
> > Date: 22.09.2016 13:18
> > Subject: Re: [Samba] permissions of new files and directories
> > Sent by: "samba" <samba-bounces at lists.samba.org>
> >
> > On Thu, 22 Sep 2016 11:53:36 +0200
> > Philipp Snizek via samba <samba at lists.samba.org> wrote:
> >
> > >
> > >
> > > Hello
> > >
> > > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both
> > > Windows DCs are Win 2012 R2 in 2008 R2 mode.
> > >
> > > This is the smb.conf:
> > >
> > > [global]
> > > workgroup = MYDOM
> > > server string = Fileserver
> > > netbios name = myhostname
> > > winbind separator = +
> > > security = ADS
> > > admin users = %D+administrator, %D+backupmaster
> > > realm = MYDOM.WHEREVER
> > > kerberos method = secrets and keytab
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > > winbind nss info = template
> > > winbind use default domain = no
> > > winbind refresh tickets = true
> > > winbind nested groups = yes
> > > idmap config *:backend = rid
> > > idmap config *:range = 100000-100000000
> > > idmap config *:base_rid = 0
> > > template shell = /usr/bin/nologin
> > > template homedir = /home/%D/users/%U
> > > obey pam restrictions = yes
> > > allow trusted domains = no
> > > client use spnego = yes
> > > client signing = auto
> > > preferred master = no
> > > load printers = no
> > > unix charset = UTF8
> > > log file = /var/log/samba/log.%m
> > > log level = 3
> > > max log size = 50000
> > > server max protocol = SMB3
> > > map untrusted to domain = yes
> > > log writeable files on exit = yes
> > >
> > > This is one of the many team share configs. They are all like
> > > this.
> > >
> > > [Team_XXX]
> > > comment = Team XXX
> > > path = "/home/teams1/team_xxx"
> > > browseable = yes
> > > write list = "@%D+team xxx"
> > > admin users = @%D+domänen-admins
> > > valid users = @%D+domänen-admins, "@%D+team xxx"
> > > public = no
> > > force group = "%D+team xxx"
> > > directory mask = 0770
> > > create mask = 0660
> > >
> > > When I, as a member of %D+team xxx, create a new directory in this
> > > share, the permissions of the new directory become 750 instead of
> > > 770. Newly created files do get 660.
> > > I have tried force directory mode = 0770 to no effect. I've also
> > > tried inherit permissions = yes. Newly created files then get 660
> > > and directories get 750 instead of 770.
> > >
> > > Thanks for helping out.
> > >
> > > Best regards,
> > > Philipp
> > >
> >
> > Can I suggest you change your smb.conf to this:
> >
> > [global]
> > netbios name = myhostname
> > security = ADS
> > workgroup = MYDOM
> > realm = MYDOM.WHEREVER
> > server string = Fileserver
> >
> > log file = /var/log/samba/log.%m
> > log level = 3
> > max log size = 50000
> >
> > winbind separator = +
> > kerberos method = secrets and keytab
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = true
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > idmap config MYDOM:backend = rid
> > idmap config MYDOM:range = 100000-100000000
> >
> > template shell = /usr/bin/nologin
> > template homedir = /home/%D/users/%U
> > obey pam restrictions = yes
> > allow trusted domains = no
> > preferred master = no
> > load printers = no
> > map untrusted to domain = yes
> > log writeable files on exit = yes
> >
> > [Team_XXX]
> > comment = Team XXX
> > path = /home/teams1/team_xxx
> > browseable = yes
> > read only = no
> >
> >
> > Then read and follow this:
> >
> > https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> I've tried to run with POSIX ACLs to set permissions/ownerships on the
> share directory only, "/home/teams1/team_xxx" in this example. This
> directory would get 0770 and with inherit permissions or directory
> mask = and create mask = my hopes were to achieve the correct
> permissions. Would that work with your suggestions? Following the
> link you've sent me I have the impression that I am leaving my
> concept. I don't want anyone to use Windows' Security tab, not even
> us admins.
>
> Thank you
> Philipp
>
>
If you must use POSIX ACLs, see here:
https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs
Rowland
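
An added example, not part of the original thread: a shell check that lists every directory and file under a share whose permission bits differ from the values expected from `directory mask` and `create mask` (770 and 660 in the share above), which makes the 750 directories described in the question easy to find after each configuration change. The function name `audit_share_modes` is hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). audit_share_modes is a hypothetical helper.
# Requires GNU find for -printf, as shipped on Ubuntu.
# Paths containing newlines are not handled.

audit_share_modes() {
    root=$1        # share directory, i.e. the "path =" value
    # Normalise the expected modes to three octal digits (770 and 0770 -> 770)
    want_dir=$(printf '%03o' $(( 0$2 & 0777 )))
    want_file=$(printf '%03o' $(( 0$3 & 0777 )))

    # %y = type (d/f), %m = octal mode, %p = path
    find "$root" -mindepth 1 \( -type d -o -type f \) -printf '%y %m %p\n' |
    while read -r kind mode path; do
        # Drop setuid/setgid/sticky so a setgid 2770 directory counts as 770
        perm=$(printf '%03o' $(( 0$mode & 0777 )))
        if [ "$kind" = d ]; then want=$want_dir; else want=$want_file; fi
        if [ "$perm" != "$want" ]; then
            # Report "<actual mode> <path>" for each deviation
            printf '%s %s\n' "$perm" "$path"
        fi
    done
}

# Usage for the share in this thread (run as a user who can read the whole tree):
#   audit_share_modes /home/teams1/team_xxx 770 660
```

Empty output means every entry below the share root matches the expected modes.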