This is a resubmission of bug 8332 from 2011, but it was never fixed and probably long forgotten. My samba version is 4.0.21, but I think all prior and later versions are affected as well. The annoyance is big, I hope one can please fix this, if you need further info let me know!

I have a Default ACL like this set up on my ext4-Filesystem:

    sudo setfacl -R -d -m u::rwx,g::rwx,g:privusers:rwx,o::- data

getfacl looks like this:

    # file: data/
    # owner: lobo
    # group: privusers
    user::rwx
    group::rwx
    group:privusers:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:privusers:rwx
    default:mask::rwx
    default:other::---

when I now create a directory directly on the filesystem (without samba) the acl is correctly applied and inherited:

    mkdir test
    getfacl test
    # file: test/
    # owner: lobo
    # group: users
    user::rwx
    group::rwx
    group:privusers:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:privusers:rwx
    default:mask::rwx
    default:other::---

when I create a file inside this folder directly on the server, the acl works as expected:

    touch test/testfile
    getfacl test/testfile
    # file: test/testfile
    # owner: lobo
    # group: users
    user::rw-
    group::rwx #effective:rw-
    group:privusers:rwx #effective:rw-
    mask::rw-
    other::---

but when I create a file on my mounted folder on Windows 7 the acl looks like this:

    getfacl test/testwindows
    # file: test/testwindows
    # owner: grmuser
    # group: privusers
    user::rwx
    group::rwx
    group:privusers:rwx
    mask::rwx
    other::---

so everybody gets unnecessary X-permissions

my Samba-Config looks like this:

    [grmdata]
    path = /media/grmdata/smbshare
    public = no
    comment = grm-files
    inherit permissions = Yes
    inherit acls = Yes
    available = yes
    browseable = yes
    guest ok = no
    writable = yes
    valid users = grmuser popcorn
    read list = popcorn
    vfs objects = /usr/lib/samba/vfs/recycle.so
    recycle:repository=.recycle
    recycle:versions=True
    recycle:touch=True
    recycle:keeptree=True
    recycle:exclude=*.tmp|*.temp|*.o|*.obj|~$*
    recycle:exclude_dir=/tmp|/temp|/cache
    recycle:directory_mode=750

Comment 1 Paul Barker 2012-08-28 13:04:54 UTC

I have this exact problem: With ACLs enabled, files are being created with mode 0670 despite the create mask being 0660. This results in the ACL 'mask::rwx' and the execute bit being set where it shouldn't be. This bug also appears to be a duplicate of bug 6042.

This is a fresh install of Openfiler ESA 2.99.1 running Samba 3.5.6. Here is my samba config as displayed by testparm:

    [global]
    workgroup = BETAFIVE
    realm = BETAFIVE.CO.UK
    server string = Openfiler NAS
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = 192.168.0.40
    guest account = ofguest
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    max log size = 0
    load printers = No
    os level = 0
    local master = No
    domain master = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template homedir = /mnt/vg0/users/users/%U
    template shell = /sbin/nologin
    winbind cache time = 15
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    create mask = 0660
    force create mode = 0660
    security mask = 0660
    directory mask = 0770
    force directory mode = 0770
    directory security mask = 0770
    map archive = No

    [users]
    comment = users
    path = /mnt/vg0/files/users
    read only = No
    hosts allow = 192.168.0.0/24
    veto files = /*:Zone.Identifier:*/
    veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/

Any further details can be provided on request.
This is due to the different umasks in your normal environment, and in smbd. smbd has a umask of 0, and so will not mask off any group bits when inheriting an ACL.

Look at your default ACL on the dir:

    # file: test/
    # owner: lobo
    # group: users
    user::rwx
    group::rwx
    group:privusers:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:privusers:rwx
    default:mask::rwx
    default:other::---

Now when you create a file via smbd, you get exactly what the default entries suggest you should get - i.e.:

    # file: test/testwindows
    # owner: grmuser
    # group: privusers
    user::rwx
    group::rwx
    group:privusers:rwx
    mask::rwx
    other::---

Remember, the "security mask" and "directory mask" parameters were removed for Samba 4.0.x.
(In reply to comment #1)

Hi Jeremy, thanks for your comment, though I do not see how this helps me fix this inconsistency. What do I need to change to make the effective permissions resulting through Samba be the same as on the command line? Change the umask of smbd? I want these effective permissions by any means:

    # file: test/testwindows
    # owner: lobo
    # group: users
    user::rw-
    group::rwx #effective:rw-
    group:privusers:rwx #effective:rw-
    mask::rw-
    other::---
Change the inheritable permissions on the containing directory.
*** Bug 8332 has been marked as a duplicate of this bug. ***
*** Bug 6042 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> Change the inheritable permissions on the containing directory.

You mean the default acl permissions? I can't set those to rw- because then any created subdirectories will default to be inaccessible. The point here is that files created on the command line yield mask::rw- while those created through samba yield mask::rwx, and that is incorrect. How can I ensure that mask::rw- will be effective for files created through Samba?
(In reply to Dennis Verspuij from comment #6) Has there been any followup on this? I'm experiencing the exact same problem and have not been able to resolve it. I'm running 4.1.6+dfsg-1 on Ubuntu 14.04LTS Thanks.
(In reply to Scott Gillespie from comment #7)

Unfortunately not, and I haven't been able to work around this either. I learned to live with it and manually correct ACL every now and then. Samba's behaviour is inconsistent with any other means mangling with ACL, but too bad the developers just seem to ignore this fact.
I also have this issue and I've seen people report it as a bug on other lists as far back as 2007. Ex: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410048

Even if it's the intended behavior it's confusing. Jeremy, can you elaborate on what you mean by "change the inheritable permissions on the containing directory"? I'd like to get things to work like Dennis describes in comment 2. What exactly is create mask doing when ACLs are being used?
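
An added example, not part of any comment in this report and not Samba code: it applies the object-creation rule from acl(5) to the default ACL in the original report, for creation mode 0666 (what touch requests), 0660, the 0670 mentioned in comment 1, and 0777. The function names are hypothetical.

```python
# Added example (not Samba code): acl(5) object-creation rule on the report's default ACL.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Default ACL of the parent directory, copied from the getfacl output in the report.
DEFAULT_ACL = [
    ("user", "", "rwx"),
    ("group", "", "rwx"),
    ("group", "privusers", "rwx"),
    ("mask", "", "rwx"),
    ("other", "", "---"),
]

def to_bits(perm):
    return sum(PERM_BITS[c] for c in perm if c != "-")

def to_text(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def inherit_access_acl(default_acl, mode):
    """Access ACL of a file created with `mode` in a directory that has `default_acl`.

    Per acl(5): the default ACL is copied, then the owner, mask (owning group when
    there is no mask) and other entries lose every bit `mode` does not request.
    With a default ACL present the umask is not applied.
    """
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    limit = {"user": (mode >> 6) & 7, "other": mode & 7}
    limit["mask" if has_mask else "group"] = (mode >> 3) & 7
    acl = []
    for tag, qualifier, perm in default_acl:
        bits = to_bits(perm)
        if not qualifier and tag in limit:
            bits &= limit[tag]
        acl.append((tag, qualifier, to_text(bits)))
    return acl

def effective(acl):
    """Rights after the mask is applied to the owning group and all named entries."""
    mask = next((to_bits(p) for t, _, p in acl if t == "mask"), 7)
    return {f"{t}:{q}": to_text(to_bits(p) & (mask if t == "group" or q else 7))
            for t, q, p in acl}

def grants_execute(acl):
    return any("x" in perm for perm in effective(acl).values())

if __name__ == "__main__":
    for mode in (0o666, 0o660, 0o670, 0o777):
        acl = inherit_access_acl(DEFAULT_ACL, mode)
        print(oct(mode), [f"{t}:{q}:{p}" for t, q, p in acl], "x granted:", grants_execute(acl))
```

Mode 0666 reproduces the test/testfile listing (mask::rw-), while any requested mode with the group execute bit set, such as 0670 or 0777, leaves mask::rwx as in test/testwindows.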