[Samba] Windows file directory creation permission confusion

L.P.H. van Belle belle at bazuin.nl
Thu Feb 23 08:27:55 UTC 2017 

Hai, Mark

I suggest you try the following if there are no linux users working in the folders also from withing linux. ( so a windows computer/user only share ) 

Apply in this order, because you wil have to check and reset the rights again if you are changeing a share. 
So make a new share, and test before you apply in production. 

Set the folders in linux to 2777  like /home/data/ 
For the folder where the share starts and and all subfolders


Remove these lines from you smb.conf
> force create mode = 0770
> force directory mode = 0770
> create mask = 0660

Add this line to the share.
acl_xattr:ignore system acl = yes

now go here. 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 
go to this section
Setting Share Permissions and ACLs

At the share permissions.. 
Remove both these groups, add autenticated users with full controll.

This allowes users to create folders at the root of you share if you have set a group a the folder security tab that has full control.

If you dont want that, keep it as the example, but add user SYSTEM

Now at the tab security. 
add "Domain Admins" Full control
add "Domain users" list rights or adjust to you needs, but NO full control, if these can write here, they can create folders, which you probely not want.
add "SYSTEM" 
add "Creator Groep" 
( option add creator owner )

Now you might see "S-1-22-2-0" as unresolved user"( thats Creator Owner ) 
Ignore it.

The "special" rights are set for the "Creator .." Dont change it. 

Now create subfolders, 
Inherit the rights from the folder below it, and block (if needed domain users) (set deny list) 
Add the group you want on the this folder. Give it change rights. 
Again no full control, only set full control if you want to allow users to change your folder security rights. Set change rights. 
Make sure this one has also add "Creator Groep" ( and or creator owner ) 

Bit of work but should work. 

Give it a try and let us know the result. 

Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Markb via samba
> Verzonden: woensdag 22 februari 2017 22:50
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Windows file directory creation permission confusion
> 
> Samba 4
> Simple Samba file share, Domain Controller
> Users - windows 7
> 
> I am having problems getting folder and file permissions to working
> properly from the Windows clients.  No setting I change in smb.conf have
> any effect on files and folders created from windows clients.  (I see
> this kind of question a lot other places so you must be tired of it.)
> 
> Smb.conf
> [GLOBAL]
> force create mode = 0770
> force directory mode = 0770
> create mask = 0660
> 
> I don't have any create/mask statements in the share as they do not seem
> to make a difference.
> I am using a single large file share with sticky gid bit set (2774)
> 
> Goal: files created should have user as owner and sambashare as group
> with 774 permissions.
> 
> Folders are created with 2777 and set GID
> Files created with 0766
> 
> When I started working on this folders were getting created with 2740.
> On the server I chmod g+rw on the share and now folders are created with
> 2777.  (this doesn't make sense to me)
> 
> With every config change I reload the config file with (Ubuntu 16.04 lts):
> sudo /etc/init.d/samba reload
> 
> --
> mark B
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list