07 April, 2015

Samba "force create mode"/"force directory mode" not working, how to solve?

I have created a Share on a Samba server, to be used commonly by several users, with the goal, that all users belonging to a Unix group (in this case "users") can read and write these files, but nobody else should have access to these files. Speaking in unix permissions I wanted to add the 0770 mask to these files.

After reading the Samba documentation I concluded that I need to set the "force create mode"/"force directory mode" parameters for this share and this should do the trick.

After setting it up it was working well for my account (the first, account created during installation), but it was not working for a second account, which I have created manually, and where I have added it manually to the users group as its primary group. For this account it always omitted the group write attribute for the directories, where the resulting permission was always 0750.

After some investigation it turned out that Samba was honoring the "umask" restrictions/settings which, in the case when the user is not in the primary group with the same name as the users,  is masking out the group write mask. (May be this is happening only when the "obey pam restrictions" is set to yes, but on Ubuntu 14.04 this is set by default.) Strangely enough this was happening to the directories only and not to the files (may be some inconsistecy in Samba implementation?).

The pam_umask manual page has a description on how umask is working and there are two solutions to the problem (changing the umask in the users startup scripts doesn't work, because it is not used by Samba):
  1. Either you set the primary group of all the affected users to the same name as their login name and add the relevant (in this case users) group as an additional group
  2. or you can change the umask for a user in their GECOS field
This GECOS field sound very good, but how to do it actually?

The GECOS fields are in /etc/passwd , it is in the 5th field of the user and you have to separate the  umask specification with a comma from the other GECOS fields. One example on how to use it is the following:

test:x:1003:100:Test user,umask=0002:/home/test:/bin/bash

Be aware that umask is just the negate of Samba force mode, in umask you have to set those bits to 1 which you want to be cleared.

No comments: