samba - Jul 2013 - Removed params 'force security mode' etc. What to use instead?

Hello list,

I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the 
removal of the following config parameters:

security mask
force security mode
directory mask
force directory security mode

I have a couple questions regarding this, and haven't really seen any 
good info on it, so...

1) Why were they removed? There doesn't seems to be any explanation in 
the bug notes or release notes. Maybe I'm missing something? (not 
judging, just confused)

2) What can be used instead? I don't see any comparable settings in 
samba to obtain the same effect (preventing clients from removing 
certain security bits from existing files, ie group permissions)


I have a situation currently where it looks like I will need to 
implement the above 'force' settings in my samba 3.x environment to deal
with some misbehaving OS X clients that insist on stripping group 
permissions from files in certain situations. I'd rather not start using 
settings that I know are removed in future versions, but I'm not sure of 
a better way. Can anyone recommend the best way to deal with this?

Thanks!
Brian

On 03/07/13 19:56, Brian H. Nelson wrote:

[SNIP]
>
> I have a situation currently where it looks like I will need to
> implement the above 'force' settings in my samba 3.x environment to
deal
> with some misbehaving OS X clients that insist on stripping group
> permissions from files in certain situations. I'd rather not start
using
> settings that I know are removed in future versions, but I'm not sure
of
> a better way. Can anyone recommend the best way to deal with this?
My guess is this is related to the Unix extensions. Basically certain 
versions of OS X; I can't remember which ones but 10.5 sticks in my mind 
but that might be related to symbolic links and it was 10.6 that was the 
problem, notice the file server does Unix extensions and then decides to 
go behind the Samba servers back and fiddle with the permissions.

Here is the kicker however the force settings don't help. It would 
appear that you can override them using the Unix extensions. The only 
solution I could come up with was turning Unix extensions off.

The basics are the SMB client in OS X seems to change it's behaviour 
with every major release, and a working config that deals with them all 
is hard to come by. The rewritten client in 10.7 was particularly bad 
especially in early point releases. From memory it did not become usable 
till 10.7.3


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

I hate to bump, but surely someone can offer some input on this. At 
least question 1?

Thanks,
Brian


On 7/3/2013 2:56 PM, Brian H. Nelson wrote:
> I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the 
> removal of the following config parameters:
>
> security mask
> force security mode
> directory mask
> force directory security mode
>
> I have a couple questions regarding this, and haven't really seen any 
> good info on it, so...
>
> 1) Why were they removed? There doesn't seems to be any explanation in 
> the bug notes or release notes. Maybe I'm missing something? (not 
> judging, just confused)
>
> 2) What can be used instead? I don't see any comparable settings in 
> samba to obtain the same effect (preventing clients from removing 
> certain security bits from existing files, ie group permissions)