jan-philipp.snizek at business.uzh.ch
2016-Sep-22 09:53 UTC
[Samba] permissions of new files and directories
Hello

I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
DCs are Win 2012 R2 in 2008 R2 mode.

This is the smb.conf:

[global]
workgroup = MYDOM
server string = Fileserver
netbios name = myhostname
winbind separator = +
security = ADS
admin users = %D+administrator, %D+backupmaster
realm = MYDOM.WHEREVER
kerberos method = secrets and keytab
winbind enum users = yes
winbind enum groups = yes
winbind nss info = template
winbind use default domain = no
winbind refresh tickets = true
winbind nested groups = yes
idmap config *:backend = rid
idmap config *:range = 100000-100000000
idmap config *:base_rid = 0
template shell = /usr/bin/nologin
template homedir = /home/%D/users/%U
obey pam restrictions = yes
allow trusted domains = no
client use spnego = yes
client signing = auto
preferred master = no
load printers = no
unix charset = UTF8
log file = /var/log/samba/log.%m
log level = 3
max log size = 50000
server max protocol = SMB3
map untrusted to domain = yes
log writeable files on exit = yes

This is one of the many team share configs. They are all like this.

[Team_XXX]
comment = Team XXX
path = "/home/teams1/team_xxx"
browseable = yes
write list = "@%D+team xxx"
admin users = @%D+domänen-admins
valid users = @%D+domänen-admins, "@%D+team xxx"
public = no
force group = "%D+team xxx"
directory mask = 0770
create mask = 0660

When I as member of %D+team xxx create a new directory in this share,
the permissions of the new directory become 750 instead of 770. New
created files do get 660.
I have tried force directory mode = 0770 to no effect. I've also tried
inherit permissions = yes. New created files then get 660 and
directories get 750 instead of 770.

Thanks for helping out.

Best regards,
Philipp

On Thu, 22 Sep 2016 11:53:36 +0200
Philipp Snizek via samba <samba at lists.samba.org> wrote:

> Hello
>
> I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
> DCs are Win 2012 R2 in 2008 R2 mode.
>
> This is the smb.conf:
>
> [global]
> workgroup = MYDOM
> server string = Fileserver
> netbios name = myhostname
> winbind separator = +
> security = ADS
> admin users = %D+administrator, %D+backupmaster
> realm = MYDOM.WHEREVER
> kerberos method = secrets and keytab
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = template
> winbind use default domain = no
> winbind refresh tickets = true
> winbind nested groups = yes
> idmap config *:backend = rid
> idmap config *:range = 100000-100000000
> idmap config *:base_rid = 0
> template shell = /usr/bin/nologin
> template homedir = /home/%D/users/%U
> obey pam restrictions = yes
> allow trusted domains = no
> client use spnego = yes
> client signing = auto
> preferred master = no
> load printers = no
> unix charset = UTF8
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 50000
> server max protocol = SMB3
> map untrusted to domain = yes
> log writeable files on exit = yes
>
> This is one of the many team share configs. They are all like this.
>
> [Team_XXX]
> comment = Team XXX
> path = "/home/teams1/team_xxx"
> browseable = yes
> write list = "@%D+team xxx"
> admin users = @%D+domänen-admins
> valid users = @%D+domänen-admins, "@%D+team xxx"
> public = no
> force group = "%D+team xxx"
> directory mask = 0770
> create mask = 0660
>
> When I as member of %D+team xxx create a new directory in this share,
> the permissions of the new directory become 750 instead of 770. New
> created files do get 660.
> I have tried force directory mode = 0770 to no effect. I've also tried
> inherit permissions = yes. New created files then get 660 and
> directories get 750 instead of 770.
>
> Thanks for helping out.
>
> Best regards,
> Philipp
>

Can I suggest you change your smb.conf to this:

[global]
netbios name = myhostname
security = ADS
workgroup = MYDOM
realm = MYDOM.WHEREVER
server string = Fileserver

log file = /var/log/samba/log.%m
log level = 3
max log size = 50000

winbind separator = +
kerberos method = secrets and keytab
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = true

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config MYDOM:backend = rid
idmap config MYDOM:range = 100000-100000000

template shell = /usr/bin/nologin
template homedir = /home/%D/users/%U
obey pam restrictions = yes
allow trusted domains = no
preferred master = no
load printers = no
map untrusted to domain = yes
log writeable files on exit = yes

[Team_XXX]
comment = Team XXX
path = /home/teams1/team_xxx
browseable = yes
read only = no

Then read and follow this:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Rowland

jan-philipp.snizek at business.uzh.ch
2016-Sep-22 12:36 UTC
[Samba] Reply: Re: permissions of new files and directories
> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 22.09.2016 13:18
> Subject: Re: [Samba] permissions of new files and directories
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On Thu, 22 Sep 2016 11:53:36 +0200
> Philipp Snizek via samba <samba at lists.samba.org> wrote:
>
> > Hello
> >
> > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
> > DCs are Win 2012 R2 in 2008 R2 mode.
> >
> > This is the smb.conf:
> >
> > [global]
> > workgroup = MYDOM
> > server string = Fileserver
> > netbios name = myhostname
> > winbind separator = +
> > security = ADS
> > admin users = %D+administrator, %D+backupmaster
> > realm = MYDOM.WHEREVER
> > kerberos method = secrets and keytab
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nss info = template
> > winbind use default domain = no
> > winbind refresh tickets = true
> > winbind nested groups = yes
> > idmap config *:backend = rid
> > idmap config *:range = 100000-100000000
> > idmap config *:base_rid = 0
> > template shell = /usr/bin/nologin
> > template homedir = /home/%D/users/%U
> > obey pam restrictions = yes
> > allow trusted domains = no
> > client use spnego = yes
> > client signing = auto
> > preferred master = no
> > load printers = no
> > unix charset = UTF8
> > log file = /var/log/samba/log.%m
> > log level = 3
> > max log size = 50000
> > server max protocol = SMB3
> > map untrusted to domain = yes
> > log writeable files on exit = yes
> >
> > This is one of the many team share configs. They are all like this.
> >
> > [Team_XXX]
> > comment = Team XXX
> > path = "/home/teams1/team_xxx"
> > browseable = yes
> > write list = "@%D+team xxx"
> > admin users = @%D+domänen-admins
> > valid users = @%D+domänen-admins, "@%D+team xxx"
> > public = no
> > force group = "%D+team xxx"
> > directory mask = 0770
> > create mask = 0660
> >
> > When I as member of %D+team xxx create a new directory in this share,
> > the permissions of the new directory become 750 instead of 770. New
> > created files do get 660.
> > I have tried force directory mode = 0770 to no effect. I've also tried
> > inherit permissions = yes. New created files then get 660 and
> > directories get 750 instead of 770.
> >
> > Thanks for helping out.
> >
> > Best regards,
> > Philipp
> >
>
> Can I suggest you change your smb.conf to this:
>
> [global]
> netbios name = myhostname
> security = ADS
> workgroup = MYDOM
> realm = MYDOM.WHEREVER
> server string = Fileserver
>
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 50000
>
> winbind separator = +
> kerberos method = secrets and keytab
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = true
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> idmap config MYDOM:backend = rid
> idmap config MYDOM:range = 100000-100000000
>
> template shell = /usr/bin/nologin
> template homedir = /home/%D/users/%U
> obey pam restrictions = yes
> allow trusted domains = no
> preferred master = no
> load printers = no
> map untrusted to domain = yes
> log writeable files on exit = yes
>
> [Team_XXX]
> comment = Team XXX
> path = /home/teams1/team_xxx
> browseable = yes
> read only = no
>
>
> Then read and follow this:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

I've tried to run with POSIX ACLs to set permissions/ownerships on the share directory only, "/home/teams1/team_xxx" in this example.
This directory would get 0770 and with inherit permissions or directory mask and create mask = my hopes were to achieve the correct permissions.

Would that work with your suggestions? Following the link you've sent me I have the impression that I am leaving my concept. I don't want anyone to use Windows' Security tab, not even us admins.

Thank you
Philipp
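
An added example, not part of the thread and not Samba's own code: a Python check that walks a share path and reports every directory or file whose mode differs from what the `directory mask` / `create mask` settings quoted above should produce. The DOS-mapped starting modes (0777 for directories, 0766 for files), the function names and the temporary tree are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

def samba_mode(mapped, mask, force=0):
    """Mode applied on create: (DOS-mapped mode AND mask) OR force mode."""
    return (mapped & mask) | force

def audit_share(root, want_dir, want_file):
    """Return sorted (relative path, actual mode, wanted mode) per deviation."""
    findings = []
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(base, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the share
            if stat.S_ISDIR(st.st_mode):
                want = want_dir
            elif stat.S_ISREG(st.st_mode):
                want = want_file
            else:
                continue  # symlinks, sockets, devices are out of scope here
            # Compare rwx bits only; setgid/sticky are ignored by this check.
            actual = stat.S_IMODE(st.st_mode) & 0o777
            if actual != want:
                findings.append((os.path.relpath(path, root), actual, want))
    return sorted(findings)

def demo():
    """Constructed tree reproducing the symptom: new dir 750, new file 660."""
    want_dir = samba_mode(0o777, 0o770)    # directory mask = 0770
    want_file = samba_mode(0o766, 0o660)   # create mask = 0660
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("ok_dir", 0o770), ("new_dir", 0o750)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod so the result ignores our umask
        path = os.path.join(root, "new_file.txt")
        open(path, "w").close()
        os.chmod(path, 0o660)
        return audit_share(root, want_dir, want_file)

if __name__ == "__main__":
    for rel, actual, want in demo():
        print(f"{rel}: mode {actual:04o}, expected {want:04o}")
```

On a real member server, call `audit_share("/home/teams1/team_xxx", 0o770, 0o660)` after creating a test directory from a Windows client to confirm which objects carry the narrower mode.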