umask not working on samba share

Status
Not open for further replies.

QatQat

IS-IT--Management
Nov 16, 2001
1,031
IT
Hi there,

Some time ago I started a thread about setting the default umask on a samba share.

I followed IRudeBoy's instructions and modified my smb.conf like this:

[accounts]
path = /home/accounts
public = no
comment = Account_Share
write list = @accounts
force create mode = 0775
force group = accounts


This worked for a while but now I have users complaining again as they cannot modify files created by other users of the same group.

They are only able to read the files but not modify.

What am I missing in my configuration?

Thanks in advance
Qatqat


Life is what happens when you are making other plans.
 
I'm guessing a little here but it sounds to me like the files in question were created by users that are not members of the group "accounts".


Trojan.
 
No, the users are members of the group; the only difference that I found is that the users that cause this problem are running Windoz 98 while the rest are on XP and behave correctly.

Does it make any sense?

Cheers

QatQat

Life is what happens when you are making other plans.
 
Yes, that makes sense and is interesting.
I don't, however, have an answer for you at the moment.
Maybe it rings bells with someone else here.



Trojan.
 
Look at the permissions/ownership on the inaccessible files and post them, and post the permissions of the accessible files for contrast.

I have had similar issues, there are other parameters to force the user and group. Maybe some parameters work with 2000/XP while others will work better w/ 98...

Are the problems occurring in newly created subdirs?

TRY:

force directory mode (S)

This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter directory mask is applied.

The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

Default: force directory mode = 000

Example: force directory mode = 0755

force directory security mode (S)

This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a directory, the user has always set to be 'on'.

If not set explicitly this parameter is 000, which allows a user to modify all the user/group/world permissions on a directory without restrictions.

Note

Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set as 0000.

Default: force directory security mode = 0

Example: force directory security mode = 700

Also I use force security mode:

force security mode (S)

This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.

If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave this set to 0000.

Default: force security mode = 0

Example: force security mode = 700
 
Thanks for taking the time to answer my post; I will try it and get back to you.


Anyway if a user with NT based Windoz creates a new file you get

-RWXRWXR-X user1 accounts filename

So the group accounts has full rights to the new file.

When someone with Windoz 98 does the same

-RWXR-XR-X user2 accounts filename

So the group accounts cannot write or modify the new file.



Life is what happens when you are making other plans.
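
The permission comparison requested earlier in the thread can be scripted instead of checked file by file. This is an added example, not part of any post above: the function names and the demo files are constructed, and the share path and group passed in are whatever your smb.conf uses (`/home/accounts` and `accounts` in the first post).

```shell
#!/bin/sh
# Added example: audit a Samba share directory for entries that members of
# the share's group cannot modify. Function names are hypothetical.

# Print every file or directory under $1 that either lacks the group-write
# bit (octal 020) or does not belong to group $2 (name or numeric GID).
find_unwritable() {
    share_dir=$1
    share_group=$2
    find "$share_dir" \( -type f -o -type d \) \
        \( ! -perm -020 -o ! -group "$share_group" \) -print
}

# Same selection, shown as a long listing (mode, owner, group, name) so the
# offending entries can be compared with the working ones.
report_unwritable() {
    find_unwritable "$1" "$2" | while IFS= read -r entry; do
        ls -ld "$entry"
    done
}

# Constructed demo data reproducing the two modes quoted in the thread:
# 0775 (file saved from an NT-based client) and 0755 (file saved from 98).
demo_share() {
    d=$(mktemp -d) || return 1
    chmod 0775 "$d"
    : > "$d/from_xp.txt";  chmod 0775 "$d/from_xp.txt"
    : > "$d/from_w98.txt"; chmod 0755 "$d/from_w98.txt"
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh /path/to/share groupname
if [ "$#" -eq 2 ]; then
    report_unwritable "$1" "$2"
fi
```

Running `report_unwritable /home/accounts accounts` after each smb.conf change shows whether newly saved files still come out without group write, and which owner (and therefore which client) produced them.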
 
I use SWAT, the web admin tool for SAMBA. It's really nice because it lists all the optional parameters and has links to the documentation.

Once you switch to SWAT you have to use it for all your config file changes, but it might be useful. Make sure you back up smb.conf before installing it.
 
Thanks for the suggestion but we have a number of shell scripts to automate many admin tasks including some related to smb; swat would alter smb.conf and perhaps make it unusable for the scripts.

I used to use it on red-hat 6 and I have to agree, it makes everything faster but on the other hand samba, at least for normal network needs, is pretty easy to configure manually.

Coming back to your posting, I found out that Windoz users can anyway change the file settings, whether or not I include the force security mode instruction in my smb.conf

So users can untick the "read only" checkbox and then write on the files but it is quite annoying to have to do it any time when opening a new file.

I think I need to do some more research around or strongly recommend them to update the windoz 98 boxes to 2000/XP.

Cheers

QatQat



Life is what happens when you are making other plans.
 