samba - Mar 2010 - folder permissions with Windows client, Samba server

Hi list -

I've been using Samba since 2.x in the early 2000's, and a papercut I 
had eight years ago still plagues me today - when anyone on a Windows 
client right-clicks a folder on a Samba share and tries to view or 
change its permissions, it doesn't work right.  The folder appears to 
have no permissions enabled for owner, group, or world (regardless of 
what the permissions actually are - and in fact, the Windows user can 
modify the folder or files in it without difficulty).  Worse, if the 
Windows user attempts to SET permissions on the folder, the folder will 
end up with a completely different (and generally completely unusable) 
set of permissions; chmod 700 and chown root, if I recall correctly - so 
then the hapless user who tried to set permissions on a folder that he 
or she could access just fine is locked out of that folder completely 
until someone shells into the Samba server and resets permissions from 
the command line.

I have seen this exact behavior on Samba 2.x / FreeBSD 4.x, 5.x, and 
6.x, both with and without ACLs enabled on the underlying filesystem, 
and just this week when I set up a Samba 3.4.0 server from the Ubuntu 
9.10 repositories, successfully joined it to a Windows 2003 domain with 
Kerberos working and Winbind mapping UIDs and GIDs properly... I STILL 
had the problem with the Windows GUI for setting folder permissions not 
mapping correctly!

Is this something I just have to live with, or is there something I 
don't understand about configuring Samba that would avoid this issue?

The smb.conf for the Ubuntu server I mentioned just now is unchanged 
from the default conf file shipping from the repository, with these 
exceptions:


####### Authentication #######

        security = ads
        realm = DOMAIN.LOCAL
        password server = 192.168.1.20
# note that workgroup is the 'short' domain name
        workgroup = DOMAIN
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

[smbshare]
    comment = root of the Samba-accessible data storage
    read only = no
    writeable = yes
    path = /data/smbshare
    guest ok = no

On 03/10/2010 1:12 PM, Jim Salter wrote:
> Hi list -
>
> I've been using Samba since 2.x in the early 2000's, and a papercut
I
> had eight years ago still plagues me today - when anyone on a Windows 
> client right-clicks a folder on a Samba share and tries to view or 
> change its permissions, it doesn't work right.  The folder appears to 
> have no permissions enabled for owner, group, or world (regardless of 
> what the permissions actually are - and in fact, the Windows user can 
> modify the folder or files in it without difficulty).
The user must click on the "Advanced" button on the Security tab to 
display and modify folder permissions.  Note that file permissions do 
appear on the Security tab.
>   Worse, if the Windows user attempts to SET permissions on the 
> folder, the folder will end up with a completely different (and 
> generally completely unusable) set of permissions; chmod 700 and chown 
> root, if I recall correctly - so then the hapless user who tried to 
> set permissions on a folder that he or she could access just fine is 
> locked out of that folder completely until someone shells into the 
> Samba server and resets permissions from the command line.
>
> I have seen this exact behavior on Samba 2.x / FreeBSD 4.x, 5.x, and 
> 6.x, both with and without ACLs enabled on the underlying filesystem, 
> and just this week when I set up a Samba 3.4.0 server from the Ubuntu 
> 9.10 repositories, successfully joined it to a Windows 2003 domain 
> with Kerberos working and Winbind mapping UIDs and GIDs properly... I 
> STILL had the problem with the Windows GUI for setting folder 
> permissions not mapping correctly!
>
> Is this something I just have to live with, or is there something I 
> don't understand about configuring Samba that would avoid this issue?
You can also fine tune your default permissions.  Check into the inherit 
parameters for owner/group and mask/mode parameters for files and 
directories.

Dale
>
> The smb.conf for the Ubuntu server I mentioned just now is unchanged 
> from the default conf file shipping from the repository, with these 
> exceptions:
>
>
> ####### Authentication #######
>
>        security = ads
>        realm = DOMAIN.LOCAL
>        password server = 192.168.1.20
> # note that workgroup is the 'short' domain name
>        workgroup = DOMAIN
> #       winbind separator = +
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        winbind enum users = yes
>        winbind enum groups = yes
>        template homedir = /home/%D/%U
>        template shell = /bin/bash
>        client use spnego = yes
>        client ntlmv2 auth = yes
>        encrypt passwords = yes
>        winbind use default domain = yes
>        restrict anonymous = 2
>
> [smbshare]
>    comment = root of the Samba-accessible data storage
>    read only = no
>    writeable = yes
>    path = /data/smbshare
>    guest ok = no
>