samba - Apr 2017 - Problem with Samba 4.5.8 as a macOS server

Hello all,

I’m trying to use samba 4.5.8 as a file server for my Macs (all 10.12.4 now), as
a replacement for netatalk.

I did setup smb.conf as suggested

	#
	# Options for macOS
	#
http://netatalk.sourceforge.net/wiki/index.php/Netatalk_3.1.11_SRPM_for_Fedora_and_CentOS
<http://netatalk.sourceforge.net/wiki/index.php/Netatalk_3.1.11_SRPM_for_Fedora_and_CentOS>
	#
	ea support = yes
	vfs objects = btrfs catia fruit streams_xattr
	fruit:encoding = native
	streams_xattr:store_stream_type = no
	streams_xattr:prefix = user.
	# don’t use unix ext.
	unix extensions = no 

and a share

[Transfer]
	path = /data/Transfer
	public = yes
	writable = yes
	printable = no
	create mask = 0775
	directory mask = 0775

Switching between afp:// and smb:// on the Mac looks exactly the same (eg Tags
are seen on both sides), the performance under Finder via smb:// for this share
is visibly faster (lots of files there). So that’s perfect :-)

The problem is the create/directory mask: it is totally ignored! Every
file/folder I create via smb has no group write access, although the mask should
give it this. Even the force modes are ignored.

On the Mac: smbutil statshares -a

Transfer                      
                              SERVER_NAME                   XXXXXX
                              USER_ID                       502
                              SMB_NEGOTIATE                
SMBV_NEG_SMB1_ENABLED
                              SMB_NEGOTIATE                
SMBV_NEG_SMB2_ENABLED
                              SMB_NEGOTIATE                
SMBV_NEG_SMB3_ENABLED
                              SMB_VERSION                   SMB_3.02
                              SMB_SHARE_TYPE                DISK
                              SIGNING_SUPPORTED             TRUE
                              EXTENDED_SECURITY_SUPPORTED   TRUE
                              UNIX_SUPPORT                  TRUE
                              LARGE_FILE_SUPPORTED          TRUE
                              OS_X_SERVER                   TRUE
                              CLIENT_REQUIRES_SIGNING       TRUE
                              FILE_IDS_SUPPORTED            TRUE
                              DFS_SUPPORTED                 TRUE
                              FILE_LEASING_SUPPORTED        TRUE
                              MULTI_CREDIT_SUPPORTED        TRUE
                              ENCRYPTION_SUPPORTED          TRUE
                              SIGNING_ON                    TRUE


Any idea what is going on here? Did I miss something?

Best regards
Frank

Am 03.04.2017 um 15:46 schrieb Frank Heldt via samba:
> Switching between afp:// and smb:// on the Mac looks exactly the same (eg
Tags are seen on both sides), the performance under Finder via smb:// for this
share is visibly faster (lots of files there). So that’s perfect :-)
>
> The problem is the create/directory mask: it is totally ignored! Every
file/folder I create via smb has no group write access, although the mask should
give it this. Even the force modes are ignored.
>
> Any idea what is going on here? Did I miss something?
the stupid apple clients are doing chmod *after* the transfer, so the 
files are *created* with the correct permissions but afterwards changed

samba is *really* missing a option 'ignore chmod and answer with 
success' because that makes so much problems on environments where you 
define user permissions based on groups for whole shares and hence you 
have users in multiple groups

currently the only very dirty workaround si running a cronjob every day 
make sure permissions are 0770/0660 but that's hardly a good solution 
and since apple reacts completly stupid thebest bet is put your head in 
the sand and use 2777 recursive so that finder not pretends "you have no 
write permissions" while the user in fact has

On Mon, Apr 03, 2017 at 03:46:49PM +0200, Frank Heldt via samba
wrote:
> Hello all,
> 
> I’m trying to use samba 4.5.8 as a file server for my Macs (all 10.12.4
now), as a replacement for netatalk.
> 
> I did setup smb.conf as suggested
> 
> 	#
> 	# Options for macOS
> 	#
http://netatalk.sourceforge.net/wiki/index.php/Netatalk_3.1.11_SRPM_for_Fedora_and_CentOS
<http://netatalk.sourceforge.net/wiki/index.php/Netatalk_3.1.11_SRPM_for_Fedora_and_CentOS>
> 	#
> 	ea support = yes
> 	vfs objects = btrfs catia fruit streams_xattr
btrfs should be put to the end of the list.
> 	fruit:encoding = native
> 	streams_xattr:store_stream_type = no
> 	streams_xattr:prefix = user.
please be aware that the last two options are seldomly used and currently not
tested in out test-suite. They should work, but ymmv.
> 	# don’t use unix ext.
> 	unix extensions = no 
10.12 Macs will use SMB3 and this option is (atm) a SMB1 thingy, so it has no
effect.
> 
> and a share
> 
> [Transfer]
> 	path = /data/Transfer
> 	public = yes
> 	writable = yes
> 	printable = no
> 	create mask = 0775
> 	directory mask = 0775
> 
> Switching between afp:// and smb:// on the Mac looks exactly the same (eg
Tags
> are seen on both sides), the performance under Finder via smb:// for this
> share is visibly faster (lots of files there). So that’s perfect :-)
> 
> The problem is the create/directory mask: it is totally ignored! Every
> file/folder I create via smb has no group write access, although the mask
> should give it this. Even the force modes are ignored.
Please try setting the global option

  fruit:nfs_aces = no

Alternatively you can set the global umask on the clients to 0 (instead of the
default 022).

Cheerio!
-slow

Thank you for your fast response!

> Am 03.04.2017 um 19:24 schrieb Ralph Böhme <slow at samba.org>:
> 
> On Mon, Apr 03, 2017 at 03:46:49PM +0200, Frank Heldt via samba wrote:
>> Hello all,
>> 
>> I’m trying to use samba 4.5.8 as a file server for my Macs (all 10.12.4
now), as a replacement for netatalk.
>> 
>> I did setup smb.conf as suggested
>> 
>> 	#
>> 	# Options for macOS
>> 	#
http://netatalk.sourceforge.net/wiki/index.php/Netatalk_3.1.11_SRPM_for_Fedora_and_CentOS
<http://netatalk.sourceforge.net/wiki/index.php/Netatalk_3.1.11_SRPM_for_Fedora_and_CentOS>
>> 	#
>> 	ea support = yes
>> 	vfs objects = btrfs catia fruit streams_xattr
> 
> btrfs should be put to the end of the list.
Putting it at the end of the list resulted in smb core dumping :-(
> 
>> 	fruit:encoding = native
>> 	streams_xattr:store_stream_type = no
>> 	streams_xattr:prefix = user.
> 
> please be aware that the last two options are seldomly used and currently
not
> tested in out test-suite. They should work, but ymmv.
As I explained, this share was a netatalk share and I wanted to retain esp. the
tags. This setting did it :-)
> 
>> 	# don’t use unix ext.
>> 	unix extensions = no 
> 
> 10.12 Macs will use SMB3 and this option is (atm) a SMB1 thingy, so it has
no effect.
You’re right, this was a leftover from my first tests. I was playing with
cifs:// mounting (this is SMB1 where the setting makes indeed a difference). But
then I realised that we loose all the performance gains with SMB1...
> 
>> 
>> and a share
>> 
>> [Transfer]
>> 	path = /data/Transfer
>> 	public = yes
>> 	writable = yes
>> 	printable = no
>> 	create mask = 0775
>> 	directory mask = 0775
>> 
>> Switching between afp:// and smb:// on the Mac looks exactly the same
(eg Tags
>> are seen on both sides), the performance under Finder via smb:// for
this
>> share is visibly faster (lots of files there). So that’s perfect :-)
>> 
>> The problem is the create/directory mask: it is totally ignored! Every
>> file/folder I create via smb has no group write access, although the
mask
>> should give it this. Even the force modes are ignored.
> 
> Please try setting the global option
> 
>  fruit:nfs_aces = no
And that’s exactly what I was looking for! Works like a charm :-)
Thanks a lot for the hint!
> 
> Alternatively you can set the global umask on the clients to 0 (instead of
the
> default 022).
> 
Changing the umask on the clients can be dangerous, as it is a „global"
setting. I only wanted to change it for this share.
> Cheerio!
> -slow
Again, thanks a lot :-)
Frank