Németh Ákos Ferenc
2012-May-06 21:59 UTC
[Samba] security mask for extended ACL permissions / change of create mode for Samba
Dear All,

I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP) with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).

I have a "test" directory with native Linux ACL permissions. getfacl test's output:

# file: test
# owner: akos
# group: grp
# flags: -s-
user::rwx
group::rwx
group:read:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:read:r-x
default:mask::rwx
default:other::---

If I create a new file (called linfile) under this directory, its permissions are the following: (as I expected)

# file: linfile
# owner: akos
# group: grp
user::rw-
group::rwx                      #effective:rw-
group:read:r-x                  #effective:r--
mask::rw-
other::---

If I create a new file (called winfile) under this directory via Samba (from another Linux machine or from another Windows machine), its permissions are the following: (as I didn't expect)

# file: winfile
# owner: akos
# group: grp
user::rw-
group::rw-
group:read:r-x
mask::rwx
other::---

My problem regards the read group's (extended ACL) permissions, or better said, the mask of the extended ACL permissions. In other words, the extended execute bit of the file disturbs me.

The legacy owner group's permissions are correct because of the security mask of smb.conf, but I couldn't find a security mask which is valid for the extended permissions. As I read about it on the net, the base of the problem is that Linux's touch command and the Samba file creation routine use different mode(?)/umask(?) to create a new file. How can I change them?

I read the archive and the whole Google but I couldn't find a way to solve this problem, although somebody else also wrote about this issue. :-) Please help me and please forgive me if I only misconfigured my system. :-)

The relevant part of the smb.conf:

[file-server]
comment = File Server
path = ***somewhere in the world - because of security reason***
browsable = yes
read only = no
guest ok = no
# create mask = 0660
# directory mask = 0770
security mask = 0666
directory security mask = 7777
inherit permissions = yes
map archive = no
map hidden = no
map system = no

AFAIK create mask and directory mask are irrelevant in case of inheritance of permissions - that's why they are uncommented.

Thanx in advance for any help.

Best regards,
Ákos

-- 
NÉMETH, Ákos
e-mail: nemethakos at f-labor.mkt.bme.hu
web: http://f-labor.mkt.bme.hu/~akos
Nicolas Ecarnot
2012-May-06 22:51 UTC
[Samba] security mask for extended ACL permissions / change of create mode for Samba
On 06/05/2012 23:59, Németh Ákos Ferenc wrote:
> Dear All,
>
> I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP)
> with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).
>
> I have a "test" directory with native Linux ACL permissions. getfacl
> test's output:
>
> # file: test
> # owner: akos
> # group: grp
> # flags: -s-
> user::rwx
> group::rwx
> group:read:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:read:r-x
> default:mask::rwx
> default:other::---
>
> If I create a new file (called linfile) under this directory, its
> permissions are the following: (as I expected)
>
> # file: linfile
> # owner: akos
> # group: grp
> user::rw-
> group::rwx                      #effective:rw-
> group:read:r-x                  #effective:r--
> mask::rw-
> other::---
>
> If I create a new file (called winfile) under this directory via Samba
> (from another Linux machine or from another Windows machine), its
> permissions are the following: (as I didn't expect)
>
> # file: winfile
> # owner: akos
> # group: grp
> user::rw-
> group::rw-
> group:read:r-x
> mask::rwx
> other::---
>
> My problem regards the read group's (extended ACL) permissions,
> or better said, the mask of the extended ACL permissions. In other
> words, the extended execute bit of the file disturbs me.
>
> The legacy owner group's permissions are correct because of the security
> mask of smb.conf, but I couldn't find a security mask which is valid for
> the extended permissions. As I read about it on the net, the base of the
> problem is that Linux's touch command and the Samba file creation routine
> use different mode(?)/umask(?) to create a new file. How can I change them?
>
> I read the archive and the whole Google but I couldn't find a way to
> solve this problem, although somebody else also wrote about this issue.
> :-) Please help me and please forgive me if I only misconfigured my
> system. :-)
>
> The relevant part of the smb.conf:
>
> [file-server]
> comment = File Server
> path = ***somewhere in the world - because of security reason***
> browsable = yes
> read only = no
> guest ok = no
> # create mask = 0660
> # directory mask = 0770
> security mask = 0666
> directory security mask = 7777
> inherit permissions = yes
> map archive = no
> map hidden = no
> map system = no
>
> AFAIK create mask and directory mask are irrelevant in case of
> inheritance of permissions - that's why they are uncommented.
>
> Thanx in advance for any help.
>
> Best regards,
> Ákos

Three days ago, I discovered the exact same issue.

I have plenty of previous Samba 3.0.something servers on RHEL 5.6 running fine with ACLs, and they behave as expected by me and by Ákos.

But on a recent install on Ubuntu oneiric and Samba 3.5..., I had to add the create and directory modes for them to respect the previous behaviour.

I took the time to check the diffs between the 'testparm -v' (please note the -v) outputs of RHEL/smb3.0 and Ubuntu/smb3.5 but clearly saw NO difference.

So for the time being, my workaround is the use of create and dir modes, but I'd be glad to be enlightened on that situation.

-- 
Nicolas Ecarnot