4

I tested this on a clean install of Debian Jessie, but I also have this problem on other machines (ex: Ubuntu 12.04). In addition to the base install, I installed sudo, samba, and cifs-utils.

Shared Directory With Default ACL

I enabled ACLs on the root file system and created a shared directory:

sudo mount -o remount,acl /
mkdir -p /home/ryan/shared
setfacl -d -m u:ryan:rwx /home/ryan/shared

Samba Config

I left all defaults in /etc/samba/smb.conf and added a single share:

[shared]
    comment =
    path = /home/ryan/shared
    writable = yes
    valid users = ryan

Add Samba User

Then I added myself as a Samba user and restarted the service:

sudo smbpasswd -a ryan
sudo systemctl restart smbd

Linux Client

Next I created a mount point for the Samba share, mounted it, and created an empty text file:

mkdir -p /home/ryan/mnt/shared
sudo mount -t cifs -o user=ryan //127.0.0.1/shared /home/ryan/mnt/shared
touch /home/ryan/mnt/shared/linux.txt

Windows Client

I also connected from a Windows 8 machine and created an empty text file named windows.txt.

Shared Directory Listing

After that, a directory listing of /home/ryan/shared looks like this:

-rw-r--r--+ 1 ryan ryan 0 Jun 20 23:45 linux.txt
-rwxrwxr--+ 1 ryan ryan 0 Jun 20 23:46 windows.txt

File ACLs

The ACL for linux.txt looks like this:

# file: linux.txt
# owner: ryan
# group: ryan
user::rw-
user:ryan:rwx           #effective:r--
group::r-x              #effective:r--
mask::r--
other::r--

The ACL for windows.txt looks like this:

# file: windows.txt
# owner: ryan
# group: ryan
user::rwx
user:ryan:rwx
group::r-x
mask::rwx
other::r--

Questions

The behavior from the Linux client is what I would expect. Why is it different when using a Windows client? How can I get the Windows client to set the same permissions as the Linux client?

Improve this question

2 Answers 2

Reset to default
3

You can have Samba normalize everything the clients send it, see man smb.conf for things like:

create mask = 0775
force create mode = 0660
directory mask = 2775
force directory mode = 2771
Improve this answer
2
  • The create mask and force create mode settings don't seem to have any impact. The security mask settings were deprecated and don't do anything in version 4+. Commented Jun 24, 2015 at 2:30
  • Thanks. I dropped the old setting, was pasting from my 3.5.x smb.conf. One other thing I had issues with was MacOS X clients bypassing this because I was allowing Unix extensions - disallowed by setting unix extensions = no Commented Jun 24, 2015 at 8:27
1

First of all, with only those permissions you don't need ACL. ACL is for more fine grained permissions than user, group and others.

But to answer your question my guess is that the file created by Linux gets its permission from your users umask setting, probably the same permission you would get when creating a file in any other directory.

The Windows environment does not have any such thing as an umask, it does not know anything about the concept of a unix group. Files created in Windows gets permission from settings in smb.conf. Even if you did not enter any such settings yourself they have default values. You can look at those values with the command testparm -s -v smb.conf | grep mask. The mask in smb.conf has the inverse value compared to the same umask. That is, to get a file with premission -rw-r--r-- you need an umask of 022 but a samba create mask of 644.

Improve this answer
2
  • The create mask default is 744, but my Windows example looks like 774. Samba seems to ignore that setting with ACLs, but I can't find any docs explaining what's going on. I've seen it reported as a bug a few times (ex: bugzilla.samba.org/show_bug.cgi?id=10792), but I've never seen the behavior explained before the bugs get closed as invalid. Commented Jun 22, 2015 at 0:19
  • Ouch, this seems like a known but neglected bug in Samba with default create permissions on ACL enabled file systems. If you want or need ACL you might have to manually change permissions after creating files from Samba clients. Commented Jun 22, 2015 at 5:46

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.