christian russell
2018-Dec-20 08:38 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
Hello Marco,

I am speaking about POSIX ACLs, yes.

When I create a file via shell I get a 660 file.

When I create a file via Samba I get a 770 file.

I don’t understand why they would be different. Without ACLs shell / Samba created files get consistent permissions.

Christian

> On Dec 20, 2018, at 12:29 AM, Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> Hello! christian russell via samba
> On that day it was said...
>
>> The part that I don’t understand is why the behavior is different when there are ACLs involved.
>
> I'm a bit puzzled by the examples, but if you speak about POSIX ACLs,
> here the group permissions are also a mask for all group permission
> ACLs.
>
> See 'mask' in the output of 'getfacl'.
>
> --
> dott. Marco Gaiarin
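
Marco's point about the mask, worked through as an added example (not part of the thread and not Samba code): a small Python model of the POSIX.1e rule Linux applies when a file is created under a directory that has a default ACL. The ACL entries, the `staff` group and the 0777 request are constructed assumptions; the thread does not establish which mode Samba passes.

```python
# Added example: model of how Linux derives a new file's access ACL and mode
# bits from the parent directory's default ACL (POSIX.1e draft rules).
R, W, X = 4, 2, 1

def fmt(p):
    """Render a 3-bit permission value as rwx text."""
    return "".join(c if p & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

def create_with_default_acl(default_acl, requested_mode):
    """Return (access_acl, mode) for a file created under a directory whose
    default ACL is `default_acl`. The umask is not applied in this case."""
    acl = dict(default_acl)
    acl["user::"] &= (requested_mode >> 6) & 7
    # With a mask entry present, the group-class bits of the requested mode
    # limit the mask, not the owning-group entry.
    group_key = "mask::" if "mask::" in acl else "group::"
    acl[group_key] &= (requested_mode >> 3) & 7
    acl["other::"] &= requested_mode & 7
    # stat()/ls show the mask in the group position when a mask exists.
    mode = (acl["user::"] << 6) | (acl[group_key] << 3) | acl["other::"]
    return acl, mode

def effective(acl, key):
    """Effective rights of a named-user, named-group or owning-group entry."""
    return acl[key] & acl.get("mask::", 7)

# Constructed default ACL for a 0770 share directory (group name is hypothetical).
DEFAULT_ACL = {
    "user::": R | W | X,
    "group::": R | W | X,
    "group:staff": R | W | X,
    "mask::": R | W | X,
    "other::": 0,
}

if __name__ == "__main__":
    for label, req in (("open(..., 0666), as touch does", 0o666),
                       ("creator requesting 0777 (assumed)", 0o777)):
        acl, mode = create_with_default_acl(DEFAULT_ACL, req)
        print(f"{label}: mode {mode:04o}, mask {fmt(acl['mask::'])}, "
              f"group:staff effective {fmt(effective(acl, 'group:staff'))}")
```

The group column of the mode is the ACL mask, so comparing the `mask` line of `getfacl` on a shell-created and a Samba-created file shows which bits the creator requested.
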
Rowland Penny
2018-Dec-20 09:26 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
On Thu, 20 Dec 2018 00:38:11 -0800 christian russell via samba <samba at lists.samba.org> wrote:

> Hello Marco,
>
> I am speaking about POSIX ACLs, yes.
>
> When I create a file via shell I get a 660 file.
>
> When I create a file via Samba I get a 770 file.
>
> I don’t understand why they would be different. Without ACLs shell /
> Samba created files get consistent permissions.
>

You posted this earlier:

[share2]
    path = /srv/share2 # mode is 0770, ACLs
    readonly = no
    inherit acts = yes
    create mask = 0660

Is that exactly what is set in smb.conf? If so, there is a typo ;-)

Can we see your entire smb.conf (less any commented lines), trying to understand your set up from just seeing the shares isn't enough.

Rowland
Rowland Penny
2018-Dec-20 10:06 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
On Thu, 20 Dec 2018 01:32:16 -0800 christian russell <christian.baltini at gmail.com> wrote:

> Hi Rowland, I see the typo now too — I retyped it from scratch … oops.
>
> Here it is.
>
> [global]
> workgroup = HOME
> netbios name = IPA
> realm = HOME.FRAPLIN.FUN
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/samba/samba.keytab
> create krb5 conf = no
> security = user
> domain master = yes
> domain logons = yes
> log level = 1
> max log size = 100000
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldap://ipa.home.fraplin.fun
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=home,dc=fraplin,dc=fun
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> unix extensions = no
> vfs objects = catia fruit streams_xattr
> fruit:aapl
> fruit:nfs_aces = no
> dos filemode = no
> map archive = no
> map hidden = no
> map readonly = no
>
> [share1]
> path = /srv/share1
> guest ok = no
> create mask = 0660
>
> [share2]
> path = /srv/share2
> guest ok = no
> create mask = 0660
> inherit acls = yes
>

So, you are using Samba with an IPA server and presumably with Apple clients.

I have never used IPA, but I believe you can use 'security ADS' instead of all the 'ldap' lines.

You could also try adding 'force create mode' to the shares, e.g.

    force create mode = 0110

Rowland
Rowland Penny
2018-Dec-20 16:16 UTC
[Samba] Samba-created files with POSIX ACLs gaining execute bit
On Thu, 20 Dec 2018 08:11:17 -0800 christian baltini <christian.baltini at gmail.com> wrote:

> I am using the default configuration generated by the
> ipa-adtrust-install script. I could repeat the test without using
> ldap but I doubt we would see any difference.

I think you may get better help from Red Hat if you have an account, if not try Fedora or CentOS, your set up is a non-standard Samba one.

Rowland