[Samba] simple permission scheme messed up with unwanted ACLs - how to fix?

Valentijn Sessink v.sessink at openoffice.nl
Thu Feb 10 13:19:58 UTC 2022

Hello list,

I'm trying to have /home/users/ and everything below it 
readable/writable for every mac/linux user in a small office network 
based on an Ubuntu Linux server; but for the past couple of weeks, extra 
ACLs seem to have been popping up from Apple users. What is the best way 
to set up this rather simple permission scheme?

I found so many smb.conf settings that I don't know which ones are 
vital. A rough guess is that just setting "ea support = no" would be 
enough, but I'm not even sure. I found:
- ea support
- inherit acls (would that help?)
- inherit owner (probably unnecessary because "force group"?)
- inherit permissions (Help, I just read inherit acls and now what does 
*this* do?)
- nt acl support (should that be "no" because I want it the other way?)

Which setting(s) would serve me best? There are no Windows machines 
attached so I'm probably not helped with the Windows ACL scheme because, 
as far as I understand, I'd need a Windows machine to fix any file 
rights afterwards.

* Setup *
What I'm seeing, with getfacl, is:
# file: Jane/Meeting/Draft/20220205 design.odt
# owner: jane
# group: users

This is rather unwanted, as the share has:
force group = users
force directory mode = 2770
force create mode = 0660
directory mask  = 2770
create mode = 0660
writable = yes
path = /home/users
valid users = @users

These files are written by MacOS and obviously, OSX makes use of the 
extended ACL possibilities of the Linux file system.

Server is ubuntu 20.04, Ubuntu samba version 

I did read 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs and 
https://wiki.samba.org/index.php/NFS4_ACL_overview; I also tried to find 
my way in smb.conf but I just don't know which option does what. I'm 
just trying to find a way to have every file in /home/users be 
readable/writable for everyone in @users.

There are no Windows machines in this network, it's all MacOS and Linux. 
I'd rather not have MacOS mess with permissions, as my end users are 
unaware of stuff like "file permissions" and "inheritance" anyway, so 
files that are unreadable or unwritable for them are just signs of a 
failing server. (And in a way, I agree).

Further smb.conf settings that could be of interest:

workgroup = office
unix extensions = yes
vfs objects = fruit streams_xattr
fruit:metadata = stream
veto files = /.DS_Store/._.DS_Store/
security = user
mangled names = illegal

http://www.openoffice.nl/   Open Office - Linux Office Solutions
Valentijn Sessink  v.sessink at openoffice.nl  +31(0)20-4214059
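
An added example, not part of the original post: a Python audit that walks the share and reports anything deviating from the scheme described above (group users, files 0660, directories 2770), including extended POSIX ACL entries read from the Linux system.posix_acl_access xattr. The function names are hypothetical; the path and group in the command-line part are the ones from the post, and the xattr layout assumed is the Linux version 2 format.

```python
import os
import stat
import struct

# POSIX ACL tags as stored in the Linux system.posix_acl_access xattr.
ACL_TAGS = {0x01: "user_obj", 0x02: "user", 0x04: "group_obj",
            0x08: "group", 0x10: "mask", 0x20: "other"}
EXTENDED = {"user", "group", "mask"}  # entries beyond plain owner/group/other

def parse_posix_acl(blob):
    """Decode the xattr: 4-byte LE version (2), then 8-byte (tag, perm, id) entries."""
    if len(blob) < 4 or (len(blob) - 4) % 8 or struct.unpack_from("<I", blob)[0] != 2:
        raise ValueError("not a version 2 POSIX ACL xattr")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, off)
        entries.append((ACL_TAGS.get(tag, hex(tag)), perm, ident))
    return entries

def extended_entries(path):
    """Return named-user/named-group/mask entries, or [] if the file has none."""
    try:
        blob = os.getxattr(path, "system.posix_acl_access", follow_symlinks=False)
    except (OSError, AttributeError):  # no ACL set, or no xattr/ACL support
        return []
    return [e for e in parse_posix_acl(blob) if e[0] in EXTENDED]

def audit_share(root, gid, file_mode=0o660, dir_mode=0o2770):
    """Yield (path, problem) for everything under root that breaks the scheme."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
            mode = stat.S_IMODE(st.st_mode)
            # With an extended ACL the group mode bits show the ACL mask, so check both.
            if mode != want:
                yield path, "mode %04o, expected %04o" % (mode, want)
            if st.st_gid != gid:
                yield path, "gid %d, expected %d" % (st.st_gid, gid)
            for tag, perm, ident in extended_entries(path):
                yield path, "extended ACL entry %s id=%d perm=%o" % (tag, ident, perm)

if __name__ == "__main__":
    import grp
    for path, problem in audit_share("/home/users", grp.getgrnam("users").gr_gid):
        print(path + ": " + problem)
```

Mask entries carry the undefined id 4294967295; only named user and named group entries have a meaningful id.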
