I apologise for asking a basic question but I haven't been able to
determine a sensible answer.
I am using 4.1.17 as AD-DC. All configured and working with user home
directories via [homes] and some other specific shares.
Windows 7 client jointed to domain, users can log in and create files in
their home directory.
However the system permissions on those files are not what I expect and
I am trying to understand why.
My [homes] sets "create mask" and "directory mask" to 0700
but
everything created has "0770".
I have another share with a create mask of 0755. Files in there get 0775.
I have checked with testparm that there is nothing configured to set to
0770 anywhere. it's like there is a "force create mode" but there
isn't:
$ testparm -v | grep -e 'force.*mode'
force create mode = 00
force directory mode = 00
What am I missing? What could be overriding my permissions ?
Thanks for any advice,
John
On 24/02/15 20:23, John wrote:> I apologise for asking a basic question but I haven't been able to > determine a sensible answer. > > I am using 4.1.17 as AD-DC. All configured and working with user home > directories via [homes] and some other specific shares. > > Windows 7 client jointed to domain, users can log in and create files in > their home directory. > > However the system permissions on those files are not what I expect and > I am trying to understand why. > > My [homes] sets "create mask" and "directory mask" to 0700 but > everything created has "0770". > > I have another share with a create mask of 0755. Files in there get 0775. > > I have checked with testparm that there is nothing configured to set to > 0770 anywhere. it's like there is a "force create mode" but there isn't: > > $ testparm -v | grep -e 'force.*mode' > force create mode = 00 > force directory mode = 00 > > What am I missing? What could be overriding my permissions ? > > Thanks for any advice, > John > >For one thing you are missing the fact that [homes] doesn't work with a samba4 DC, you should also be using ACLs instead of 'force mode' etc. Try browsing the wiki: https://wiki.samba.org/index.php/Main_Page For your home share see: https://wiki.samba.org/index.php/Setting_up_a_home_share For ACLs see: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share Rowland
On 24/02/15 20:35, Rowland Penny wrote:> On 24/02/15 20:23, John wrote: >> I apologise for asking a basic question but I haven't been able to >> determine a sensible answer. >> >> I am using 4.1.17 as AD-DC. All configured and working with user home >> directories via [homes] and some other specific shares. >> >> Windows 7 client jointed to domain, users can log in and create files in >> their home directory. >> >> However the system permissions on those files are not what I expect and >> I am trying to understand why. >> >> My [homes] sets "create mask" and "directory mask" to 0700 but >> everything created has "0770". >> >> I have another share with a create mask of 0755. Files in there get >> 0775. >> >> I have checked with testparm that there is nothing configured to set to >> 0770 anywhere. it's like there is a "force create mode" but there isn't: >> >> $ testparm -v | grep -e 'force.*mode' >> force create mode = 00 >> force directory mode = 00 >> >> What am I missing? What could be overriding my permissions ? >> >> Thanks for any advice, >> John >> >> > > For one thing you are missing the fact that [homes] doesn't work with > a samba4 DC, you should also be using ACLs instead of 'force mode' etc.Hmm, I didn't know that. Is that officially stated anywhere? It does appear to work for me except for the permissions issue. Could you elaborate on what doesn't work - there's probably something I haven't hit on yet.> > Try browsing the wiki: https://wiki.samba.org/index.php/Main_Page;) Goes without saying - it was the first placed I turned to but it isn't always straightforward to find where the answers are.> > For your home share see: > https://wiki.samba.org/index.php/Setting_up_a_home_share > > For ACLs see: > > https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share > >I'll look at these in more detail. I'm already using ACLs though but I'll look at the alternative way to implement home directories. What the above doesn't explain is why I am seeing additional permissions being applied on the server filesystem. It isn't a homes issue because it happens on other shares too. I'd like to get to the bottom of that one... Something is applying an OR-mask of 0770 to whatever files' permissions should be. The question is what...?> Rowland >