Web lists-archives.com

[Samba] loss of group permissions on created Directories when using vfs objects = catia fruit streams_xattr




Hi All,

I'm hoping you can help, I've recently built a Samba server on Ubuntu 16.04lts and bound it to our AD for security.  This server was created to support a small number of Mac users who also authenticate via AD but still allow general Windows client access as well.

The problem I have is the video editing software they require makes use of the 'vfs objects = catia fruit streams_xattr'  function in Samba but when I enable this feature globally or via share it causes problems with the permissions of newly created directories and only when created from Macs.   With the above vfs option disabled All new folders in the share are created with 0777 permissions and are forced to create as the owner with the group permission forced to "Domain Users" any files are created the same but with 0770.  I have tested this with Windows, Mac and Linux clients and it works perfectly.

The problem occurs when enabling the vfs option and creating Folders from a Mac - it creates all new folders with the correct owner and group but seems to force 0755 permissions (drwxr-xr-x)  .  This clearly causes us problems as the Mac users then cannot use the shares correctly to edit or delete data created by other team members.

Original linux permissions on the directory/samba share root:domain users 0770
I have also tried recreating the directory with permissions of 2770  - this made no difference and the problem remains.

I hope you can help,  smb.conf below

#================= Samba Configuration File ==============
#
#       Samba configuration prepared by xxx
#
#       Samba install is Active Directory bound using winbind
#       for support contact xxxx
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

workgroup = xxx
server string = Some string here
security = ads
realm = AD.AD.AD
domain master = no
local master = no
preferred master = no
printcap name = /etc/printcap
load printers = no

idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999

idmap config AD:backend = rid
idmap config AD:range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true

template homedir = /home/%D%U
template shell = /bin/false

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2

log file = /var/log/samba/log.%m
log level = 2
max log size = 1000

[CS-DATA]
        comment = Data Share on server
        path = /media/CS-DATA/CS-DATA
        valid users = "@AD\Domain Admins" "@AD\group _RW" "@AD\group2 _RW "
        force group = "domain users"
        writable = yes
        read only = no
        create mask = 0770
        force create mode = 0660
        directory mask = 0777
        force directory mode = 0770
        access based share enum = yes
        hide unreadable = yes
        vfs objects = catia fruit streams_xattr

-- 
*******************************************************************************
Please see the important Legal Notice concerning this email at http://www.hanover.org.uk/email-notice/ 
This email and any files transmitted with it are confidential. If you are not the intended recipient of this e-mail please contact the sender immediately and do not copy, send or disclose it to any other person. 
Reasonable care has been taken to ensure this communication does not contain computer viruses, but no responsibility is accepted and recipients are advised to undertake their own checks
Principal Group entity:
Hanover Housing Association (Exempt Charity, Registered Society No 16324R);
Registered in England & Wales, Registered office: Nelson House, Alington Road, Little Barford, St Neots, PE19 6RE
*******************************************************************************
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba