On 24/02/15 20:35, Rowland Penny wrote:
> On 24/02/15 20:23, John wrote:
>> I apologise for asking a basic question but I haven't been able to
>> determine a sensible answer.
>>
>> I am using 4.1.17 as AD-DC. All configured and working with user home
>> directories via [homes] and some other specific shares.
>>
>> Windows 7 client joined to domain, users can log in and create files in
>> their home directory.
>>
>> However the system permissions on those files are not what I expect and
>> I am trying to understand why.
>>
>> My [homes] sets "create mask" and "directory mask" to 0700 but
>> everything created has "0770".
>>
>> I have another share with a create mask of 0755. Files in there get
>> 0775.
>>
>> I have checked with testparm that there is nothing configured to set to
>> 0770 anywhere. It's like there is a "force create mode" but there isn't:
>>
>> $ testparm -v | grep -e 'force.*mode'
>> force create mode = 00
>> force directory mode = 00
>>
>> What am I missing? What could be overriding my permissions?
>>
>> Thanks for any advice,
>> John
>>
>
> For one thing you are missing the fact that [homes] doesn't work with
> a samba4 DC, you should also be using ACLs instead of 'force mode' etc.

Hmm, I didn't know that. Is that officially stated anywhere? It does appear to work for me except for the permissions issue. Could you elaborate on what doesn't work - there's probably something I haven't hit on yet.

> Try browsing the wiki: https://wiki.samba.org/index.php/Main_Page

;) Goes without saying - it was the first place I turned to but it isn't always straightforward to find where the answers are.

> For your home share see:
> https://wiki.samba.org/index.php/Setting_up_a_home_share
>
> For ACLs see:
>
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share

I'll look at these in more detail. I'm already using ACLs though but I'll look at the alternative way to implement home directories.

What the above doesn't explain is why I am seeing additional permissions being applied on the server filesystem. It isn't a homes issue because it happens on other shares too. I'd like to get to the bottom of that one... Something is applying an OR-mask of 0770 to whatever files' permissions should be. The question is what...?

> Rowland
On 26/02/15 09:42, John wrote:
> On 24/02/15 20:35, Rowland Penny wrote:
>> On 24/02/15 20:23, John wrote:
>>> I apologise for asking a basic question but I haven't been able to
>>> determine a sensible answer.
>>>
>>> I am using 4.1.17 as AD-DC. All configured and working with user home
>>> directories via [homes] and some other specific shares.
>>>
>>> Windows 7 client joined to domain, users can log in and create files in
>>> their home directory.
>>>
>>> However the system permissions on those files are not what I expect and
>>> I am trying to understand why.
>>>
>>> My [homes] sets "create mask" and "directory mask" to 0700 but
>>> everything created has "0770".
>>>
>>> I have another share with a create mask of 0755. Files in there get
>>> 0775.
>>>
>>> I have checked with testparm that there is nothing configured to set to
>>> 0770 anywhere. It's like there is a "force create mode" but there isn't:
>>>
>>> $ testparm -v | grep -e 'force.*mode'
>>> force create mode = 00
>>> force directory mode = 00
>>>
>>> What am I missing? What could be overriding my permissions?
>>>
>>> Thanks for any advice,
>>> John
>>>
>> For one thing you are missing the fact that [homes] doesn't work with
>> a samba4 DC, you should also be using ACLs instead of 'force mode' etc.
> Hmm, I didn't know that. Is that officially stated anywhere? It does
> appear to work for me except for the permissions issue. Could you
> elaborate on what doesn't work - there's probably something I haven't
> hit on yet.

It is on the wikipage: https://wiki.samba.org/index.php/Setting_up_a_home_share#Adding_the_share

I have now updated it, to make it a bit more explicit.

>> Try browsing the wiki: https://wiki.samba.org/index.php/Main_Page
> ;) Goes without saying - it was the first place I turned to but it
> isn't always straightforward to find where the answers are.
>> For your home share see:
>> https://wiki.samba.org/index.php/Setting_up_a_home_share
>>
>> For ACLs see:
>>
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Change_permissions_on_folders_of_a_share
>>
> I'll look at these in more detail. I'm already using ACLs though but
> I'll look at the alternative way to implement home directories.
>
> What the above doesn't explain is why I am seeing additional permissions
> being applied on the server filesystem. It isn't a homes issue because
> it happens on other shares too. I'd like to get to the bottom of that
> one... Something is applying an OR-mask of 0770 to whatever files'
> permissions should be. The question is what...?

Follow the wiki page above, don't set *anything* on the share in smb.conf, do it all with ACLs

Rowland

>> Rowland
I've gotten to the bottom of the misleading permissions. From "man acl":

> If the ACL has an ACL_MASK entry, the group permissions correspond to
> the permissions of the ACL_MASK entry.

So, when you do "ls -l" on a file with an ACL containing a mask entry, what you see is the "owner, MASK, other" permissions and not "owner, GROUP, other" as you would expect.

See also http://unix.stackexchange.com/questions/147499 for a discussion of this topic.

Now, in the world of Samba/Windows....

If I create a new directory (e.g. mkdir /srv/samba-demo) it gets 755 permissions in accordance with my umask. This is reflected by ls

    $ mkdir /srv/samba-demo
    $ ls -ld /srv/samba-demo
    drwxr-xr-x 2 root root 4096 Feb 26 13:11 /srv/samba-demo

There is no ACL

    $ getfacl -cp /srv/samba-demo
    user::rwx
    group::r-x
    other::r-x

Everything is as one would expect. I share it with an entry in smb.conf, as per https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs#Adding_a_new_share

    [demo]
    path = /srv/samba-demo
    read only = no

I create a file in the directory; it gets 644 permissions:

    $ touch /srv/samba-demo/foo.txt
    $ ls -l /srv/samba-demo/foo.txt
    -rw-r--r-- 1 root root 0 Feb 26 13:21 /srv/samba-demo/foo.txt
    $ getfacl -cp /srv/samba-demo/foo.txt
    user::rw-
    group::r--
    other::r--

All as one would expect. However, create a file on the share from Windows and it's given an ACL mask and 744 permissions (I also wonder why this isn't 644).

    $ getfacl -cp /srv/samba-demo/bar.txt
    user::rwx
    group::r--
    group:users:r--
    group:3000000:rwx
    mask::rwx
    other::r--

which gives the misleading output in "ls" due to the mask.

    $ ls -l /srv/samba-demo/bar.txt
    -rwxrwxr--+ 1 3000000 users 0 Feb 26 13:25 /srv/samba-demo/bar.txt

Changing the directory permissions via Windows (properties->security) generates an ACL mask in the same way.

So, that's what's going on. I have to admit to not having used acl on the linux side very much. I learnt something today. Perhaps this info is of use to others.

QED.
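
Added example, not part of the original thread: a small Python audit helper that parses `getfacl -c` output, derives the mode bits "ls -l" will display, and computes what each entry is really granted once the mask is applied. The function names are hypothetical, and the sample ACLs are constructed from the getfacl output quoted in the message above.

```python
# Sample input constructed from the bar.txt and foo.txt listings in the post.
BAR_TXT_ACL = """\
user::rwx
group::r--
group:users:r--
group:3000000:rwx
mask::rwx
other::r--
"""
FOO_TXT_ACL = "user::rw-\ngroup::r--\nother::r--\n"

def bits(perm):
    """Convert 'r-x' style text to its octal digit (here 5)."""
    return sum(v for ch, v in zip(perm, (4, 2, 1)) if ch != "-")

def parse_acl(text):
    """Return (tag, qualifier, perm) tuples for the access ACL in getfacl output."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if not line or line.startswith("default:"):
            continue  # default ACLs only affect newly created children
        tag, qualifier, perm = line.split(":")[:3]
        entries.append((tag, qualifier, bits(perm[:3])))
    return entries

def ls_mode(entries):
    """Mode as ls/stat report it: the group digit is the mask when one exists."""
    base = {tag: p for tag, q, p in entries if q == ""}
    return base["user"] << 6 | base.get("mask", base["group"]) << 3 | base["other"]

def effective(entries):
    """Rights really granted: named users and every group entry are ANDed with the mask."""
    mask = next((p for tag, _, p in entries if tag == "mask"), 7)
    result = {}
    for tag, q, p in entries:
        if tag == "mask":
            continue
        limited = tag == "group" or (tag == "user" and q != "")
        result[f"{tag}:{q}"] = p & mask if limited else p
    return result

def group_bits_overstated(entries):
    """True when ls shows different group bits than the owning group really has."""
    return (ls_mode(entries) >> 3) & 7 != effective(entries)["group:"]

if __name__ == "__main__":
    acl = parse_acl(BAR_TXT_ACL)
    print(oct(ls_mode(acl)), effective(acl), group_bits_overstated(acl))
```

For permission audits on Samba shares, compare the `effective()` result against the intended access rather than the mode column from "ls -l".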