Ralph Böhme
2018-Mar-16 14:47 UTC
[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr
On Fri, Mar 16, 2018 at 03:37:43PM +0000, James Craig via samba wrote:
> The problem occurs when enabling the vfs option and creating Folders from a
> Mac - it creates all new folders with the correct owner and group but seems to
> force 0755 permissions (drwxr-xr-x) . This clearly causes us problems as the
> Mac users then cannot use the shares correctly to edit or delete data created
> by other team members.

set fruit:nfs_aces = no in your global smb.conf section.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5 59E4 AA1E 9B71 2639 9E46
James Craig
2018-Mar-16 15:37 UTC
[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr
Hi All,

I'm hoping you can help. I've recently built a Samba server on Ubuntu
16.04 LTS and bound it to our AD for security. This server was created to
support a small number of Mac users who also authenticate via AD but still allow
general Windows client access as well.

The problem I have is the video editing software they require makes use of the
'vfs objects = catia fruit streams_xattr' function in Samba, but when I
enable this feature globally or via share it causes problems with the
permissions of newly created directories, and only when created from Macs. With
the above vfs option disabled, all new folders in the share are created with 0777
permissions and are forced to create as the owner with the group permission
forced to "Domain Users"; any files are created the same but with 0770.
I have tested this with Windows, Mac and Linux clients and it works perfectly.

The problem occurs when enabling the vfs option and creating folders from a Mac
- it creates all new folders with the correct owner and group but seems to force
0755 permissions (drwxr-xr-x). This clearly causes us problems as the Mac
users then cannot use the shares correctly to edit or delete data created by
other team members.

Original Linux permissions on the directory/samba share root:domain users 0770

I have also tried recreating the directory with permissions of 2770 - this made
no difference and the problem remains.

I hope you can help, smb.conf below

#================= Samba Configuration File =============#
# Samba configuration prepared by xxx
#
# Samba install is Active Directory bound using winbind
# for support contact xxxx
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings ======================
[global]
workgroup = xxx
server string = Some string here
security = ads
realm = AD.AD.AD
domain master = no
local master = no
preferred master = no
printcap name = /etc/printcap
load printers = no
idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config AD:backend = rid
idmap config AD:range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
template homedir = /home/%D%U
template shell = /bin/false
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
log level = 2
max log size = 1000
[CS-DATA]
comment = Data Share on server
path = /media/CS-DATA/CS-DATA
valid users = "@AD\Domain Admins" "@AD\group _RW" "@AD\group2 _RW "
force group = "domain users"
writable = yes
read only = no
create mask = 0770
force create mode = 0660
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
vfs objects = catia fruit streams_xattr
Rowland Penny
2018-Mar-16 16:40 UTC
[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr
On Fri, 16 Mar 2018 15:37:43 +0000 James Craig via samba <samba at lists.samba.org> wrote:
> Hi All,
>
> I'm hoping you can help, I've recently built a Samba server on Ubuntu
> 16.04lts and bound it to our AD for security. This server was
> created to support a small number of Mac users who also authenticate
> via AD but still allow general Windows client access as well.
>
> The problem I have is the video editing software they require makes
> use of the 'vfs objects = catia fruit streams_xattr' function in
> Samba but when I enable this feature globally or via share it causes
> problems with the permissions of newly created directories and only
> when created from Macs. With the above vfs option disabled All new
> folders in the share are created with 0777 permissions and are forced
> to create as the owner with the group permission forced to "Domain
> Users" any files are created the same but with 0770. I have tested
> this with Windows, Mac and Linux clients and it works perfectly.
>
> The problem occurs when enabling the vfs option and creating Folders
> from a Mac - it creates all new folders with the correct owner and
> group but seems to force 0755 permissions (drwxr-xr-x) . This
> clearly causes us problems as the Mac users then cannot use the
> shares correctly to edit or delete data created by other team members.
>
> Original linux permissions on the directory/samba share root:domain
> users 0770 I have also tried recreating the directory with
> permissions of 2770 - this made no difference and the problem
> remains.
>
> I hope you can help, smb.conf below
>
> #================= Samba Configuration File =============
> #
> # Samba configuration prepared by xxx
> #
> # Samba install is Active Directory bound using winbind
> # for support contact xxxx
> #
> # NOTE: Whenever you modify this file you should run the command
> # "testparm" to check that you have not made any basic syntactic
> # errors.
>
> #======================= Global Settings ======================
>
> [global]
>
> workgroup = xxx
> server string = Some string here
> security = ads
> realm = AD.AD.AD
> domain master = no
> local master = no
> preferred master = no
> printcap name = /etc/printcap
> load printers = no
>
> idmap backend = tdb
> idmap uid = 10000-99999
> idmap gid = 10000-99999
>
> idmap config AD:backend = rid
> idmap config AD:range = 10000-99999

You might want to take a look here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You have a mixture of the old ways of doing idmap and the new.

>
> [CS-DATA]
> comment = Data Share on server
> path = /media/CS-DATA/CS-DATA
> valid users = "@AD\Domain Admins" "@AD\group _RW" "@AD\group2
> _RW " force group = "domain users"
> writable = yes
> read only = no

I take it that you do not know that 'writable = yes' and 'read only no'
mean the same thing and you only need one of them.

Rowland
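The three points raised in the replies above (fruit loaded without `fruit:nfs_aces = no`, old-style idmap options mixed with `idmap config`, and `writable` set alongside `read only`) can be checked mechanically before a share goes live. The following is an added example, not code from any poster in this thread or from the Samba project; `parse`, `lint` and the `SAMPLE` text are constructed for illustration, and the lint assumes the vfs_fruit default of `fruit:nfs_aces = yes` when the option is absent.

```python
import re

# Constructed sample mirroring the settings discussed in this thread.
SAMPLE = """\
[global]
idmap backend = tdb
idmap uid = 10000-99999
idmap config AD:backend = rid
[CS-DATA]
writable = yes
read only = no
force directory mode = 0770
vfs objects = catia fruit streams_xattr
"""

OLD_IDMAP = {"idmap backend", "idmap uid", "idmap gid"}

def parse(text):
    """Return {section: {key: value}}; keys lower-cased, inner whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint(text):
    """Flag only the three issues named in the replies; share options override [global]."""
    conf = parse(text)
    glob = conf.get("global", {})
    findings = []
    if OLD_IDMAP & glob.keys() and any(k.startswith("idmap config") for k in glob):
        findings.append("global: old-style idmap options mixed with 'idmap config'")
    for name, opts in conf.items():
        vfs = (opts.get("vfs objects") or glob.get("vfs objects", "")).split()
        nfs_aces = opts.get("fruit:nfs_aces", glob.get("fruit:nfs_aces", "yes"))
        if "fruit" in vfs and nfs_aces.lower() not in ("no", "false", "0"):
            findings.append(f"{name}: fruit loaded but fruit:nfs_aces is not 'no'")
        if "writable" in opts and "read only" in opts:
            findings.append(f"{name}: 'writable' and 'read only' both set")
    return findings
```

This complements `testparm`, which validates syntax but does not know which combination of settings caused the 0755 directories reported here.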