jan-philipp.snizek at business.uzh.ch
2016-Sep-22 12:36 UTC
[Samba] Reply: Re: permissions of new files and directories
> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 22.09.2016 13:18
> Subject: Re: [Samba] permissions of new files and directories
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On Thu, 22 Sep 2016 11:53:36 +0200
> Philipp Snizek via samba <samba at lists.samba.org> wrote:
>
> > Hello
> >
> > I'm running Samba 4.3.9 on Ubuntu 14 as domain member. Both Windows
> > DCs are Win 2012 R2 in 2008 R2 mode.
> >
> > This is the smb.conf:
> >
> > [global]
> > workgroup = MYDOM
> > server string = Fileserver
> > netbios name = myhostname
> > winbind separator = +
> > security = ADS
> > admin users = %D+administrator, %D+backupmaster
> > realm = MYDOM.WHEREVER
> > kerberos method = secrets and keytab
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nss info = template
> > winbind use default domain = no
> > winbind refresh tickets = true
> > winbind nested groups = yes
> > idmap config *:backend = rid
> > idmap config *:range = 100000-100000000
> > idmap config *:base_rid = 0
> > template shell = /usr/bin/nologin
> > template homedir = /home/%D/users/%U
> > obey pam restrictions = yes
> > allow trusted domains = no
> > client use spnego = yes
> > client signing = auto
> > preferred master = no
> > load printers = no
> > unix charset = UTF8
> > log file = /var/log/samba/log.%m
> > log level = 3
> > max log size = 50000
> > server max protocol = SMB3
> > map untrusted to domain = yes
> > log writeable files on exit = yes
> >
> > This is one of the many team share configs. They are all like this.
> >
> > [Team_XXX]
> > comment = Team XXX
> > path = "/home/teams1/team_xxx"
> > browseable = yes
> > write list = "@%D+team xxx"
> > admin users = @%D+domänen-admins
> > valid users = @%D+domänen-admins, "@%D+team xxx"
> > public = no
> > force group = "%D+team xxx"
> > directory mask = 0770
> > create mask = 0660
> >
> > When I as member of %D+team xxx create a new directory in this share,
> > the permissions of the new directory become 750 instead of 770. New
> > created files do get 660.
> > I have tried force directory mode = 0770 to no effect. I've also tried
> > inherit permissions = yes. New created files then get 660 and
> > directories get 750 instead of 770.
> >
> > Thanks for helping out.
> >
> > Best regards,
> > Philipp
>
> Can I suggest you change your smb.conf to this:
>
> [global]
> netbios name = myhostname
> security = ADS
> workgroup = MYDOM
> realm = MYDOM.WHEREVER
> server string = Fileserver
>
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 50000
>
> winbind separator = +
> kerberos method = secrets and keytab
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = true
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> idmap config MYDOM:backend = rid
> idmap config MYDOM:range = 100000-100000000
>
> template shell = /usr/bin/nologin
> template homedir = /home/%D/users/%U
> obey pam restrictions = yes
> allow trusted domains = no
> preferred master = no
> load printers = no
> map untrusted to domain = yes
> log writeable files on exit = yes
>
> [Team_XXX]
> comment = Team XXX
> path = /home/teams1/team_xxx
> browseable = yes
> read only = no
>
> Then read and follow this:
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

I've tried to run with POSIX ACLs to set permissions/ownerships on the share directory only, "/home/teams1/team_xxx" in this example. This directory would get 0770 and with inherit permissions or directory mask and create mask = my hopes were to achieve the correct permissions.

Would that work with your suggestions? Following the link you've sent me I have the impression that I am leaving my concept. I don't want anyone to use Windows' Security tab, not even us admins.

Thank you
Philipp
Rowland Penny
2016-Sep-22 13:01 UTC
[Samba] Reply: Re: permissions of new files and directories
On Thu, 22 Sep 2016 14:36:34 +0200
Philipp Snizek via samba <samba at lists.samba.org> wrote:

> I've tried to run with POSIX ACLs to set permissions/ownerships on the
> share directory only, "/home/teams1/team_xxx" in this example. This
> directory would get 0770 and with inherit permissions or directory
> mask = and create mask = my hopes were to achieve the correct
> permissions. Would that work with your suggestions? Following the
> link you've sent me I have the impression that I am leaving my
> concept. I don't want anyone to use Windows' Security tab, not even
> us admins.
>
> Thank you
> Philipp

If you must use posix ACLs, see here:

https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs

Rowland
jan-philipp.snizek at business.uzh.ch
2016-Sep-23 07:30 UTC
[Samba] Reply: Re: Reply: Re: permissions of new files and directories
> From: Rowland Penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 22.09.2016 15:14
> Subject: Re: [Samba] Reply: Re: permissions of new files and directories
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> If you must use posix ACLs, see here:
>
> https://wiki.samba.org/index.php/Shares_with_POSIX_ACLs

Yes, this is what I want. The global section I configured according to your suggestions, thank you for spotting all those needless default settings.

My "testing" share now looks like this:

[team_informatik]
comment = Team Informatik
path = /home/teams/team_informatik
browseable = no
valid users = +%D+"team informatik"
public = no

chmod 2770 /home/teams/team_informatik
smbcontrol all reload-config

When I on my Win 10, 1511, client create a new folder in this share the new folder's permissions are rwxr-s---. After adding

force directory mode = 0770

to this section and reloading the config a newly created folder still gets rwxr-s--- permissions. Members of the same group cannot delete this folder.

If I understand the bitwise OR-ing correctly this parameter should definitely override the permissions to 0770. What am I missing?

Philipp
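The mask arithmetic discussed in this thread, as an added example that is not part of any poster's message: it applies the rule documented in smb.conf(5) (AND with the mask, then OR with the force mode) to the two share sections quoted above and reports which forced bits an observed mode lacks. It models only those four parameters plus the kernel's setgid inheritance, not inherit permissions, ACLs or VFS modules; the sample config is constructed from the thread and the function names are illustrative.

```python
import configparser
import stat

# smb.conf(5) defaults for the four parameters modelled here.
DEFAULTS = {"create mask": 0o744, "directory mask": 0o755,
            "force create mode": 0o000, "force directory mode": 0o000}

# Constructed sample: the mask lines of the two shares in the thread, the
# second with "force directory mode" added as the last message describes.
SAMPLE = """
[Team_XXX]
directory mask = 0770
create mask = 0660

[team_informatik]
force directory mode = 0770
"""

def load_shares(text):
    # '=' is the only delimiter and interpolation is off: values hold ':' and '%'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {name: {k: int(sec[k], 8) if k in sec else v for k, v in DEFAULTS.items()}
            for name, sec in cp.items() if name != "DEFAULT"}

def predicted_mode(params, is_dir, parent_mode=0o755):
    """Mode the documented rule yields for a new object in the share."""
    if is_dir:
        mode = (0o777 & params["directory mask"]) | params["force directory mode"]
        # Linux itself copies setgid from the parent onto new subdirectories.
        return mode | (parent_mode & stat.S_ISGID)
    # Assumption: no DOS attribute is mapped onto an execute bit.
    return (0o666 & params["create mask"]) | params["force create mode"]

def symbolic_to_mode(s):
    """Convert nine ls-style permission characters, e.g. 'rwxr-s---', to a mode."""
    mode = 0
    for i, ch in enumerate(s):
        if ch in "rwxst":
            mode |= 0o400 >> i
        if ch in "sStT":
            mode |= {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}[i]
    return mode

def missing_forced_bits(observed, params):
    """Bits 'force directory mode' should have set that the observed mode lacks."""
    return params["force directory mode"] & ~observed

if __name__ == "__main__":
    p = load_shares(SAMPLE)["team_informatik"]
    print(oct(predicted_mode(p, True, 0o2770)),
          oct(missing_forced_bits(symbolic_to_mode("rwxr-s---"), p)))
```

A non-zero result from `missing_forced_bits` means the mode on disk is not the one these four parameters produce, so the running configuration and anything applied outside them are the next things to check.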