[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr

Rowland Penny rpenny at samba.org
Fri Mar 16 16:40:08 UTC 2018


On Fri, 16 Mar 2018 15:37:43 +0000
James Craig via samba <samba at lists.samba.org> wrote:

> Hi All,
> 
> I'm hoping you can help. I've recently built a Samba server on Ubuntu
> 16.04 LTS and bound it to our AD for security. This server was
> created to support a small number of Mac users who also authenticate
> via AD but still allow general Windows client access as well.
> 
> The problem I have is the video editing software they require makes
> use of the 'vfs objects = catia fruit streams_xattr' function in
> Samba, but when I enable this feature globally or via share it causes
> problems with the permissions of newly created directories and only
> when created from Macs. With the above vfs option disabled, all new
> folders in the share are created with 0777 permissions and are forced
> to create as the owner with the group permission forced to "Domain
> Users"; any files are created the same but with 0770. I have tested
> this with Windows, Mac and Linux clients and it works perfectly.
> 
> The problem occurs when enabling the vfs option and creating Folders
> from a Mac - it creates all new folders with the correct owner and
> group but seems to force 0755 permissions (drwxr-xr-x). This
> clearly causes us problems as the Mac users then cannot use the
> shares correctly to edit or delete data created by other team members.
> 
> Original Linux permissions on the directory/Samba share: root:domain
> users 0770. I have also tried recreating the directory with
> permissions of 2770 - this made no difference and the problem
> remains.
> 
> I hope you can help; smb.conf below.
> 
> #================= Samba Configuration File ==============
> #
> #       Samba configuration prepared by xxx
> #
> #       Samba install is Active Directory bound using winbind
> #       for support contact xxxx
> #
> # NOTE: Whenever you modify this file you should run the command
> # "testparm" to check that you have not made any basic syntactic
> # errors.
> 
> #======================= Global Settings =======================
> 
> [global]
> 
> workgroup = xxx
> server string = Some string here
> security = ads
> realm = AD.AD.AD
> domain master = no
> local master = no
> preferred master = no
> printcap name = /etc/printcap
> load printers = no
> 
> idmap backend = tdb
> idmap uid = 10000-99999
> idmap gid = 10000-99999
> 
> idmap config AD:backend = rid
> idmap config AD:range = 10000-99999

You might want to take a look here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You have a mixture of the old ways of doing idmap and the new.

> 
> [CS-DATA]
>         comment = Data Share on server
>         path = /media/CS-DATA/CS-DATA
>         valid users = "@AD\Domain Admins" "@AD\group _RW" "@AD\group2 _RW "
>         force group = "domain users"
>         writable = yes
>         read only = no

I take it that you do not know that 'writable = yes' and 'read only =
no' mean the same thing and you only need one of them.

Rowland
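
The two points raised in the reply above (old-style idmap parameters mixed with 'idmap config', and 'writable' set alongside 'read only') can be checked mechanically. The following is an added example, not part of the original thread or of Samba itself; the function names and the sample configuration are constructed for illustration.

```python
import re

# Deprecated global idmap parameters (pre-"idmap config" style).
OLD_IDMAP = {"idmapbackend", "idmapuid", "idmapgid"}
# "read only" and its inverted synonyms listed in smb.conf(5).
READ_ONLY = {"readonly", "writable", "writeable", "writeok"}


def parse(text):
    """Return {section: [(normalized_key, value), ...]} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            sections[current].append((re.sub(r"\s+", "", key).lower(), value.strip()))
    return sections


def lint(text):
    """Return (section, finding, offending_keys) tuples."""
    findings = []
    for section, params in parse(text).items():
        keys = [k for k, _ in params]
        old = sorted(set(keys) & OLD_IDMAP)
        if old and any(k.startswith("idmapconfig") for k in keys):
            findings.append((section, "mixed-idmap", old))
        ro = sorted(k for k in keys if k in READ_ONLY)
        if len(ro) > 1:
            findings.append((section, "redundant-read-only", ro))
    return findings


# Constructed sample based on the settings quoted in this thread.
SAMPLE = """
[global]
idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config AD:backend = rid
idmap config AD:range = 10000-99999
[CS-DATA]
writable = yes
read only = no
"""
```

Calling lint(SAMPLE) reports one finding per section; testparm remains the authoritative syntax check.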



