samba - Nov 2009 - mac client and inherited permissions

Hi everyone,
We are a longtime samba/win desktop shop but are getting more Macs.
Samba sernet rpms  3.3.9 on CentOS 5.4 test box (started to test 3.43
but will wait) and I confirmed a problem I have been having in
production.
Server is ADS member with ldap stored idmap. All AD auth and idmap are
identical to production servers and have been working fine for years.
Filesystem is XFS and there are no acls applied in this test.

Problem:
Windows clients honor SGID and inherit/create mask statements. Mac
10.6.2 or 10.5.8 clients do not seem to.

Test share properties:
[ncts]
	path = /share/ncts
	valid users = "+NIH\NIA IRP ncts"
	write list = "+NIH\NIA IRP ncts"
	read only = No
	acl group control = Yes
	create mask = 0770
	force create mode = 0770  ## added just for test
	directory mask = 0770
	force directory mode = 0770 ## added just for test
	inherit permissions = Yes
	inherit acls = Yes
	map acl inherit = Yes
	veto files = /*.m4a/*.mp3
	veto oplock files = /*.mdb/*.MDB/*.fp?/*.FP?/*.tif/*.TIF/*.par/*.PAR/
*.xls/*.XLS/*.pst/*.PST/*.pab/*.PAB/
	store dos attributes = Yes
	dos filemode = Yes

share top level permissions:
drwxrws--- 8 root nia irp ncts    89 Nov 19 11:11 ncts

windows directory created from winxp current patchlevel:
drwxrws--- 2 weberc nia irp ncts 6 Nov 19 10:49 cwwin1

mac directories created from Mac:
cw[1-3] from 10.5.8
cwm6[2-3] from 10.6.2

drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 10:32 cw1
drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 10:39 cw2
drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 10:42 cw3
drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 11:03 cwm62
drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 11:11 cwm63

So the sgid does not get transmitted and even with the "force
directory mode"  rights do not get set.

Any ideas about what I have missed?
Thanks,
Chuck

Try setting unix extensions = no

     unix extensions (G)

           This boolean parameter controls whether Samba implments the CIFS
           UNIX extensions, as defined by HP. These extensions enable Samba
           to better serve UNIX CIFS clients by supporting features such as
           symbolic links, hard links, etc... These extensions require a
           similarly enabled client, and are of no current use to Windows
           clients.

Mac's can try and be too smart for their own good.

On 20/11/2009, at 3:58 AM, Charles Weber wrote:
> Hi everyone,
> We are a longtime samba/win desktop shop but are getting more Macs.
> Samba sernet rpms  3.3.9 on CentOS 5.4 test box (started to test 3.43
> but will wait) and I confirmed a problem I have been having in
> production.
> Server is ADS member with ldap stored idmap. All AD auth and idmap are
> identical to production servers and have been working fine for years.
> Filesystem is XFS and there are no acls applied in this test.
> 
> Problem:
> Windows clients honor SGID and inherit/create mask statements. Mac
> 10.6.2 or 10.5.8 clients do not seem to.
> 
> Test share properties:
> [ncts]
> 	path = /share/ncts
> 	valid users = "+NIH\NIA IRP ncts"
> 	write list = "+NIH\NIA IRP ncts"
> 	read only = No
> 	acl group control = Yes
> 	create mask = 0770
> 	force create mode = 0770  ## added just for test
> 	directory mask = 0770
> 	force directory mode = 0770 ## added just for test
> 	inherit permissions = Yes
> 	inherit acls = Yes
> 	map acl inherit = Yes
> 	veto files = /*.m4a/*.mp3
> 	veto oplock files = /*.mdb/*.MDB/*.fp?/*.FP?/*.tif/*.TIF/*.par/*.PAR/
> *.xls/*.XLS/*.pst/*.PST/*.pab/*.PAB/
> 	store dos attributes = Yes
> 	dos filemode = Yes
> 
> share top level permissions:
> drwxrws--- 8 root nia irp ncts    89 Nov 19 11:11 ncts
> 
> windows directory created from winxp current patchlevel:
> drwxrws--- 2 weberc nia irp ncts 6 Nov 19 10:49 cwwin1
> 
> mac directories created from Mac:
> cw[1-3] from 10.5.8
> cwm6[2-3] from 10.6.2
> 
> drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 10:32 cw1
> drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 10:39 cw2
> drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 10:42 cw3
> drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 11:03 cwm62
> drwxr-xr-x 2 weberc nia irp ncts 6 Nov 19 11:11 cwm63
> 
> So the sgid does not get transmitted and even with the "force
> directory mode"  rights do not get set.
> 
> Any ideas about what I have missed?
> Thanks,
> Chuck
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
--------------
Ryan Parker-Hill, Unix Team Leader
Information Technology Services Division
Deakin University, Waterfront Campus, Victoria 3217 Australia.

Phone: 03 5227 8750 International: +61 3 5227 8750
Fax:   03 5227 8799 International: +61 3 5227 8799
E-mail:   ryan.parker-hill at deakin.edu.au
Website:   http://www.deakin.edu.au

Deakin University CRICOS Provider Code: 00113B (Vic), 02414F (NSW)

Important Notice: The contents of this email transmission, including any
attachments, are intended solely for the named addressee and are
confidential; any unauthorized use, reproduction or storage of the contents
and any attachments is expressly prohibited. If you have received this
transmission in error, please delete it and any attachments from your
system immediately and advise the sender by return email or telephone.
Deakin University does not warrant that this email and any attachments
are error or virus free.

> Problem:
> Windows clients honor SGID and inherit/create mask statements. Mac
> 10.6.2 or 10.5.8 clients do not seem to.
Do the Mac clients themselves use the Samba code?  If so they probably
have UNIX extensions enabled, which allows them to directly control file
permissions.

Under Linux you can disable the UNIX extensions in /proc, so maybe you
can do the same on a Mac?

Cheers,
Adam.

Adam Nielsen wrote:
>> Problem:
>> Windows clients honor SGID and inherit/create mask statements. Mac
>> 10.6.2 or 10.5.8 clients do not seem to.
> 
> Do the Mac clients themselves use the Samba code?  If so they probably
> have UNIX extensions enabled, which allows them to directly control file
> permissions.
> 
> Under Linux you can disable the UNIX extensions in /proc, so maybe you
> can do the same on a Mac?
Yes, disable it in samba server on main settings with following settings:

unix extensions = no

This possibly helps.

--
Eero,
RHCE

Cool it worked.
Thanks,
Chuck
On Nov 20, 2009, at 1:38 AM, Eero Volotinen wrote:
> Adam Nielsen wrote:
>>> Problem:
>>> Windows clients honor SGID and inherit/create mask statements. Mac
>>> 10.6.2 or 10.5.8 clients do not seem to.
>> Do the Mac clients themselves use the Samba code?  If so they probably
>> have UNIX extensions enabled, which allows them to directly control
file
>> permissions.
>> Under Linux you can disable the UNIX extensions in /proc, so maybe you
>> can do the same on a Mac?
> 
> Yes, disable it in samba server on main settings with following settings:
> 
> unix extensions = no
> 
> This possibly helps.
> 
> --
> Eero,
> RHCE
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba