- 01-19-2010 #1 Just Joined!
Samba adds execute flag to all new files
We have started using ACLs on our fileserver and we are having a problem with getting Samba to behave correctly. When we create a file in Linux, the permissions and ACLs are set correctly. Files are set to 640 and directories are set to 750. However, when we create it in Windows through Samba, regular files are being set with 650 and directories are set to 770. It's adding execute on files and execute+write to directories for groups!
Here's my server info:
ACLs on the directory:
Code:
    getfacl /testing
    # file: .
    # owner: root
    # group: DomainUsers
    user::rwx
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:mask::r-x
    default:other::---
Create a file in Linux. Looks fine:
Code:
    touch unixfile1
    ls -l unixfile1
    -rw-r-----+ 1 root root 0 Jan 19 08:41 unixfile1
Create a directory in Linux. Looks fine:
Code:
    mkdir unixdir1
    ls -l | grep unixdir1
    drwxr-x---+ 2 root root 4096 Jan 19 08:41 unixdir1
Create a file through Samba from a Windows server. It adds group execute!
Code:
    ls -l winfile1
    -rwxr-x---+ 1 the3kgt2 DomainUsers 0 Jan 19 08:43 winfile1
Create a directory through Samba from a Windows server. It adds group execute AND group write!
Code:
    ls -l windir1
    drwxrwx---+ 2 the3kgt2 DomainUsers 4096 Jan 19 08:44 windir1
Here's my smb.conf.
Code:
    cat smb.conf
    workgroup = MYDOMAIN
    password server = windowsserver.mydomain.com
    realm = MYDOMAIN.COM
    security = ADS
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    template shell = /bin/false
    winbind use default domain = true
    winbind offline logon = false
    server string = pspice
    log file = /etc/samba/var/log.%m
    logon script = scripts\%U.bat
    logon path = \\myserver\profiles\%U
    idmap backend = ad
    ldap idmap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=binduser,cn=Users,dc=mydomain,dc=com
    ldap suffix = dc=mydomain,dc=com
    winbind nested groups = yes
    hosts allow = 10.20.30.0/255.255.255.0
    inherit acls = Yes
    inherit acls = Yes

    [testing]
    comment = ACL testing
    path = /testing
    read only = no
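An added example, not part of the original post and not Samba code: it applies the kernel's default-ACL inheritance rule to the listings in the post above and reports permission bits that the directory's default ACL could not have granted at creation. It assumes `touch` requests mode 0666 and `mkdir` requests 0777; all function names are hypothetical.

```python
import re

# Constructed from the default: entries of the getfacl output in the post above.
GETFACL = """\
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
"""

def perm(s):
    """'r-x' -> 5"""
    return sum(bit for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if ch in s)

def parse_default_acl(text):
    """Collect the unnamed default: entries of getfacl output as octal digits."""
    acl = {}
    for line in text.splitlines():
        m = re.match(r"default:(user|group|mask|other)::([r-][w-][x-])$", line.strip())
        if m:
            acl[m.group(1)] = perm(m.group(2))
    return acl

def inherited_mode(acl, requested):
    """Mode of a new object: default ACL entries ANDed with the requested mode.
    With a default ACL present the umask is not applied, and the group bits
    shown by ls are the ACL mask, not the group:: entry."""
    owner = acl["user"] & (requested >> 6) & 7
    group_class = acl.get("mask", acl["group"]) & (requested >> 3) & 7
    other = acl["other"] & requested & 7
    return owner << 6 | group_class << 3 | other

def mode_from_ls(field):
    """'-rw-r-----+' -> 0o640"""
    p = field[1:10]
    return perm(p[0:3]) << 6 | perm(p[3:6]) << 3 | perm(p[6:9])

def excess_bits(field, acl):
    """Bits set on a listed object that default-ACL inheritance could never grant."""
    return mode_from_ls(field) & ~inherited_mode(acl, 0o777)

if __name__ == "__main__":
    acl = parse_default_acl(GETFACL)
    print(oct(inherited_mode(acl, 0o666)), oct(inherited_mode(acl, 0o777)))
    for name, field in (("winfile1", "-rwxr-x---+"), ("windir1", "drwxrwx---+")):
        print(name, oct(excess_bits(field, acl)))
```

For these listings the rule gives 0o640 and 0o750 for the Linux-created objects, no excess for winfile1, and 0o20 (group write) for windir1, a bit that lies outside the default ACL and so was not produced by inheritance at creation alone.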
- 01-19-2010 #2 Linux Guru
Google: samba create mask
- 01-19-2010 #3 Just Joined!
I already tried adding directory mask = 0750 and create mask = 0640 to the share. No change, same problem.
Even if it did work, I want Samba to always follow ACLs. If a sub-directory in this share is set to default:group:rwx ACLs, then I want Samba to follow the ACL and create the file as 660, not 640.
- 01-27-2010 #4
I think with Samba you have to assign certain parameters per share. Maybe you should look into:
Code:
    [testing]
    acl map full control = True
    create mode = 0640
    directory mask = 0750
You may even want to apply:
Code:
    nt acl support = yes
    inherit acls = yes
    inherit permissions = yes
- 01-27-2010 #5 Just Joined!
I tried that and still get the same problem.
The actual problem is samba not adding the correct mask. When I create a file in unix, the mask for files is correctly set to rw-. However, when I create a file in Windows, the mask for files is being set to rwx instead of rw-
- 01-27-2010 #6
So I guess the question now would be: is the thing actually mounting the share with ACL permissions?
Code:
    mount -t ext3
It should have something like:
    /dev/sda2 on / type ext3 (rw)
If you have your Samba share on a separate mount point, then you might see something like:
Code:
    /dev/sdb2 on /point/sambaroot type ext3 (rw, acl)
Then that means it's going to obey ACLs, and all those masks you assign are going to do nothing. In which case you should be able to set nt acl support to 'no'.
Adjust those commands to whatever filesystem type you are actually using.

