Ralph Böhme
2018-Mar-16 14:47 UTC
[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr
On Fri, Mar 16, 2018 at 03:37:43PM +0000, James Craig via samba wrote:
> The problem occurs when enabling the vfs option and creating Folders from a
> Mac - it creates all new folders with the correct owner and group but seems to
> force 0755 permissions (drwxr-xr-x) . This clearly causes us problems as the
> Mac users then cannot use the shares correctly to edit or delete data created
> by other team members.

set fruit:nfs_aces = no in your global smb.conf section.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5 59E4 AA1E 9B71 2639 9E46
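An added example, not part of the thread and not Samba project code: changing smb.conf does not alter directories that already exist, so folders created from Macs before the fix keep their 0755 mode. This Python script lists directories below a share that lack the bits from "force directory mode" (0770 in the smb.conf posted in this thread) and can add them. The function names, the constant and the command-line usage are assumptions made for the example.

```python
import os
import stat

# Assumption: taken from "force directory mode = 0770" in the posted smb.conf.
FORCE_DIRECTORY_MODE = 0o770


def missing_forced_bits(mode, forced=FORCE_DIRECTORY_MODE):
    """Return the permission bits in `forced` that `mode` does not have."""
    return forced & ~stat.S_IMODE(mode)


def audit_share(root, forced=FORCE_DIRECTORY_MODE):
    """List (path, current_mode, missing_bits) for every directory below
    `root` that lacks bits the share is configured to force on."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()  # deterministic order for reports
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue  # symlink to a directory: never chmod through it
            missing = missing_forced_bits(st.st_mode, forced)
            if missing:
                findings.append((path, stat.S_IMODE(st.st_mode), missing))
    return findings


def repair(findings):
    """Add only the missing bits; setgid and any extra bits are kept."""
    for path, mode, missing in findings:
        os.chmod(path, mode | missing)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: audit.py /media/CS-DATA/CS-DATA [--fix]
    found = audit_share(sys.argv[1])
    for path, mode, missing in found:
        print(f"{path}: mode {mode:04o}, missing {missing:04o}")
    if "--fix" in sys.argv[2:]:
        repair(found)
```

Run it without --fix first and review the list; the repair only ORs bits in, so a 0755 directory becomes 0775 rather than exactly 0770.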
James Craig
2018-Mar-16 15:37 UTC
[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr
Hi All,

I'm hoping you can help, I've recently built a Samba server on Ubuntu 16.04lts and bound it to our AD for security. This server was created to support a small number of Mac users who also authenticate via AD but still allow general Windows client access as well.

The problem I have is the video editing software they require makes use of the 'vfs objects = catia fruit streams_xattr' function in Samba but when I enable this feature globally or via share it causes problems with the permissions of newly created directories and only when created from Macs. With the above vfs option disabled all new folders in the share are created with 0777 permissions and are forced to create as the owner with the group permission forced to "Domain Users"; any files are created the same but with 0770. I have tested this with Windows, Mac and Linux clients and it works perfectly.

The problem occurs when enabling the vfs option and creating Folders from a Mac - it creates all new folders with the correct owner and group but seems to force 0755 permissions (drwxr-xr-x). This clearly causes us problems as the Mac users then cannot use the shares correctly to edit or delete data created by other team members.

Original linux permissions on the directory/samba share root:domain users 0770. I have also tried recreating the directory with permissions of 2770 - this made no difference and the problem remains.

I hope you can help, smb.conf below

#================= Samba Configuration File =============
#
# Samba configuration prepared by xxx
#
# Samba install is Active Directory bound using winbind
# for support contact xxxx
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings ======================

[global]

workgroup = xxx
server string = Some string here
security = ads
realm = AD.AD.AD
domain master = no
local master = no
preferred master = no
printcap name = /etc/printcap
load printers = no

idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999

idmap config AD:backend = rid
idmap config AD:range = 10000-99999

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true

template homedir = /home/%D%U
template shell = /bin/false

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2

log file = /var/log/samba/log.%m
log level = 2
max log size = 1000

[CS-DATA]
comment = Data Share on server
path = /media/CS-DATA/CS-DATA
valid users = "@AD\Domain Admins" "@AD\group _RW" "@AD\group2 _RW "
force group = "domain users"
writable = yes
read only = no
create mask = 0770
force create mode = 0660
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
vfs objects = catia fruit streams_xattr
Rowland Penny
2018-Mar-16 16:40 UTC
[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr
On Fri, 16 Mar 2018 15:37:43 +0000
James Craig via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> I'm hoping you can help, I've recently built a Samba server on Ubuntu
> 16.04lts and bound it to our AD for security. This server was
> created to support a small number of Mac users who also authenticate
> via AD but still allow general Windows client access as well.
>
> The problem I have is the video editing software they require makes
> use of the 'vfs objects = catia fruit streams_xattr' function in
> Samba but when I enable this feature globally or via share it causes
> problems with the permissions of newly created directories and only
> when created from Macs. With the above vfs option disabled All new
> folders in the share are created with 0777 permissions and are forced
> to create as the owner with the group permission forced to "Domain
> Users" any files are created the same but with 0770. I have tested
> this with Windows, Mac and Linux clients and it works perfectly.
>
> The problem occurs when enabling the vfs option and creating Folders
> from a Mac - it creates all new folders with the correct owner and
> group but seems to force 0755 permissions (drwxr-xr-x) . This
> clearly causes us problems as the Mac users then cannot use the
> shares correctly to edit or delete data created by other team members.
>
> Original linux permissions on the directory/samba share root:domain
> users 0770 I have also tried recreating the directory with
> permissions of 2770 - this made no difference and the problem
> remains.
>
> I hope you can help, smb.conf below
>
> #================= Samba Configuration File =============
> #
> # Samba configuration prepared by xxx
> #
> # Samba install is Active Directory bound using winbind
> # for support contact xxxx
> #
> # NOTE: Whenever you modify this file you should run the command
> # "testparm" to check that you have not made any basic syntactic
> # errors.
>
> #======================= Global Settings ======================
>
> [global]
>
> workgroup = xxx
> server string = Some string here
> security = ads
> realm = AD.AD.AD
> domain master = no
> local master = no
> preferred master = no
> printcap name = /etc/printcap
> load printers = no
>
> idmap backend = tdb
> idmap uid = 10000-99999
> idmap gid = 10000-99999
>
> idmap config AD:backend = rid
> idmap config AD:range = 10000-99999

You might want to take a look here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You have a mixture of the old ways of doing idmap and the new.

>
> [CS-DATA]
> comment = Data Share on server
> path = /media/CS-DATA/CS-DATA
> valid users = "@AD\Domain Admins" "@AD\group _RW" "@AD\group2
> _RW " force group = "domain users"
> writable = yes
> read only = no

I take it that you do not know that 'writable = yes' and 'read only no' mean the same thing and you only need one of them.

Rowland