hi guys my samba share has inherit acls = Yes and inherits(I guess) from global: create mask = 0744 directory mask = 0755 Now, share's underlying filesystem has acls set on a folder: user::rwx user:me:rwx user:appmgr:r-x group::--- mask::rwx other::--- default:user::rwx default:user:me:rwx default:user:appmgr:r-x default:group::--- default:mask::rwx default:other::--- In shell when I create a file in that folder I see: user::rw- user:me:rwx #effective:rw- user:appmgr:r-x #effective:r-- group::--- mask::rw- other::--- but when make new file in Windows client then shell shows: user::rwx user:me:rwx #effective:--- user:appmgr:r-x #effective:--- group::--- mask::--- other::--- Why is that? Am I missing something in samba's configuration? I'm thinking - ideally might be if I got rid of mask but I'm not sure how. many thanks, L.
On Thu, 19 Jul 2018 10:32:04 +0100 lejeczek via samba <samba at lists.samba.org> wrote:> hi guys > > my samba share has > > inherit acls = Yes > > and inherits(I guess) from global: > > create mask = 0744 > directory mask = 0755 > > Now, share's underlying filesystem has acls set on a folder: > > user::rwx > user:me:rwx > user:appmgr:r-x > group::--- > mask::rwx > other::--- > default:user::rwx > default:user:me:rwx > default:user:appmgr:r-x > default:group::--- > default:mask::rwx > default:other::--- > > In shell when I create a file in that folder I see: > > > user::rw- > user:me:rwx #effective:rw- > user:appmgr:r-x #effective:r-- > group::--- > mask::rw- > other::--- > > but when make new file in Windows client then shell shows: > > user::rwx > user:me:rwx #effective:--- > user:appmgr:r-x #effective:--- > group::--- > mask::--- > other::--- > > Why is that? Am I missing something in samba's configuration? > > I'm thinking - ideally might be if I got rid of mask but I'm not sure > how. > > many thanks, L. > > >You don't give us much to go on, but I think you are mixing up using POSIX and Windows ACL's You should use one or the other, not both, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs and here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Rowland
On 19/07/18 10:58, Rowland Penny via samba wrote:> On Thu, 19 Jul 2018 10:32:04 +0100 > lejeczek via samba <samba at lists.samba.org> wrote: > >> hi guys >> >> my samba share has >> >> inherit acls = Yes >> >> and inherits(I guess) from global: >> >> create mask = 0744 >> directory mask = 0755 >> >> Now, share's underlying filesystem has acls set on a folder: >> >> user::rwx >> user:me:rwx >> user:appmgr:r-x >> group::--- >> mask::rwx >> other::--- >> default:user::rwx >> default:user:me:rwx >> default:user:appmgr:r-x >> default:group::--- >> default:mask::rwx >> default:other::--- >> >> In shell when I create a file in that folder I see: >> >> >> user::rw- >> user:me:rwx #effective:rw- >> user:appmgr:r-x #effective:r-- >> group::--- >> mask::rw- >> other::--- >> >> but when make new file in Windows client then shell shows: >> >> user::rwx >> user:me:rwx #effective:--- >> user:appmgr:r-x #effective:--- >> group::--- >> mask::--- >> other::--- >> >> Why is that? Am I missing something in samba's configuration? >> >> I'm thinking - ideally might be if I got rid of mask but I'm not sure >> how. >> >> many thanks, L. >> >> >> > You don't give us much to go on,what is it that I did not give out? Samba is 4.7.1 on Centos 7.5 Except for: inherit acls = Yes everything is samba vanilla default. One thing though is the shares are off glusterfs directly, so: fs objects = glusterfs glusterfs:volume = GROUP-WORK path = / and local filesystem is a mount via autofs with acl option.> but I think you are mixing up usingI fail to see where I'm mixing those up. I do not get how creating files, but also folders, gets me different mask/effective between shell and windows clients, eg of a new folder: shell's mkdir: user::rwx user:me:rwx user:appmgr:r-x group::--- mask::rwx other::--- default:user::rwx default:user:me:rwx default:user:appmgr:r-x default:group::--- default:mask::rwx default:other::--- windows via samba: user::rwx user:me:rwx #effective:r-x user:appmgr:r-x group::--- mask::r-x other::--- default:user::rwx default:user:me:rwx default:user:appmgr:r-x default:group::--- default:mask::rwx default:other::--- and parent folder has: user::rwx user:me:rwx user:appmgr:r-x group::--- mask::rwx other::--- default:user::rwx default:user:me:rwx default:user:appmgr:r-x default:group::--- default:mask::rwx default:other::--- Why samba calculate it differently, I fail to get that.> POSIX and Windows ACL's > You should use one or the other, not both, see here: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs > > and here: > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs > > Rowland >
On 19/07/18 10:32, lejeczek via samba wrote:> hi guys > > my samba share has > > inherit acls = Yes > > and inherits(I guess) from global: > > create mask = 0744 > directory mask = 0755 > > Now, share's underlying filesystem has acls set on a folder: > > user::rwx > user:me:rwx > user:appmgr:r-x > group::--- > mask::rwx > other::--- > default:user::rwx > default:user:me:rwx > default:user:appmgr:r-x > default:group::--- > default:mask::rwx > default:other::--- > > In shell when I create a file in that folder I see: > > > user::rw- > user:me:rwx #effective:rw- > user:appmgr:r-x #effective:r-- > group::--- > mask::rw- > other::--- > > but when make new file in Windows client then shell shows: > > user::rwx > user:me:rwx #effective:--- > user:appmgr:r-x #effective:--- > group::--- > mask::--- > other::--- > > Why is that? Am I missing something in samba's configuration? > > I'm thinking - ideally might be if I got rid of mask but I'm not sure > how. > > many thanks, L. > > >seems that in my case these make difference: create mask = 0744 directory mask = 0755 if these two are as above then these masks are actually applied and though "inherit acls = Yes" does it's job I end up with (re)calculated effective permissions(different from acl/setfacl asks/sets). Which all in all is probably normal & expected. Although it defeats my logic I confess, I mean it ... "inherit acls = Yes" would/should take with FS's mask along, yet "% mask = $.." in samba config collides/overrides filesystem's mask.
On 19/07/18 13:14, lejeczek via samba wrote:> On 19/07/18 10:32, lejeczek via samba wrote: >> hi guys >> >> my samba share has >> >> inherit acls = Yes >> >> and inherits(I guess) from global: >> >> create mask = 0744 >> directory mask = 0755 >> >> Now, share's underlying filesystem has acls set on a folder: >> >> user::rwx >> user:me:rwx >> user:appmgr:r-x >> group::--- >> mask::rwx >> other::--- >> default:user::rwx >> default:user:me:rwx >> default:user:appmgr:r-x >> default:group::--- >> default:mask::rwx >> default:other::--- >> >> In shell when I create a file in that folder I see: >> >> >> user::rw- >> user:me:rwx #effective:rw- >> user:appmgr:r-x #effective:r-- >> group::--- >> mask::rw- >> other::--- >> >> but when make new file in Windows client then shell shows: >> >> user::rwx >> user:me:rwx #effective:--- >> user:appmgr:r-x #effective:--- >> group::--- >> mask::--- >> other::--- >> >> Why is that? Am I missing something in samba's configuration? >> >> I'm thinking - ideally might be if I got rid of mask but I'm not sure >> how. >> >> many thanks, L. >> >> >> > seems that in my case these make difference: > > create mask = 0744 > directory mask = 0755 > > if these two are as above then these masks are actually applied and > though "inherit acls = Yes" does it's job I end up with (re)calculated > effective permissions(different from acl/setfacl asks/sets). Which all > in all is probably normal & expected. > > Although it defeats my logic I confess, I mean it ... "inherit acls = > Yes" would/should take with FS's mask along, yet "% mask = $.." in > samba config collides/overrides filesystem's mask. > > > >and how that works - boggles my mind even more, having a folder(created by smb/windows) user::rwx user:me:rwx user:appmgr:r-x group::--- mask::rwx other::--- default:user::rwx default:user:me:rwx default:user:appmgr:r-x default:group::--- default:mask::rwx default:other::--- that folder created while smb config already changed to: create mask = 0774 directory mask = 0775 (so seems that dir mask matches/aligns (samba does not change it) with filesystem) And then I create(in smb/win) a file in this newly created folder and: user::rwx user:me:rwx #effective:-w- user:appmgr:r-x #effective:--- group::--- mask::-w- other::--- How samba does it I do not get, yet another confession of mine would be: not an expert on those bit-wise operations.