How to keep group-writeable shares on Samba with OSX clients?
- by Oliver Salzburg
I have a FreeNAS server on a network with OSX and Windows clients. When the OSX clients interact with SMB/CIFS shares on the server, they are causing permission problems for all other clients.
Update: I can no longer verify any answers because we abandoned the project, but feel free to post any help for future visitors.
The details of this behavior seem to also be dependent on the version of OSX the client is running. For this question, let's assume a client running 10.8.2.
When I mount the CIFS share on an OSX client and create a new directory on it, the directory will be created with drwxr-x-rx permissions. This is undesirable because it will not allow anyone but me to write to the directory. There are other users in my group which should have write permissions as well. This behavior happens even though the following settings are present in smb.conf on the server:
[global]
create mask= 0666
directory mask= 0777
[share]
force directory mode= 0775
force create mode= 0660
I was under the impression that these settings should make sure that directories are at least created with rwxrwxr-x permissions. But, I guess, that doesn't stop the client from changing the permissions after creating the directory.
When I create a folder on the same share from a Windows client, the new folder will have the desired access permissions (rwxrwxrwx), so I'm currently assuming that the problem lies with the OSX client.
I guess this wouldn't be such an issue if you could easily change the permissions of the directories you've created, but you can't. When opening the directory info in Finder, I get the old "You have custom access" notice with no ability to make any changes.
I'm assuming that this is caused because we're using Windows ACLs on the share, but that's just a wild guess.
Changing the write permissions for the group through the terminal works fine, but this is unpractical for the deployment and unreasonable to expect from anyone to do.
This is the complete smb.conf:
[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = nobody
map to guest = Bad Password
obey pam restrictions = Yes
# NOTE: read smb.conf.
directory name cache size = 0
max protocol = SMB2
netbios name = freenas
workgroup = COMPANY
server string = FreeNAS Server
store dos attributes = yes
hostname lookups = yes
security = user
passdb backend = ldapsam:ldap://ldap.company.local
ldap admin dn = cn=admin,dc=company,dc=local
ldap suffix = dc=company,dc=local
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1
[share]
path = /mnt/zfs0
printable = no
veto files = /.snap/.windows/.zfs/
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = no
vfs objects = zfsacl
guest ok = no
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
hide dot files
force directory mode = 0775
force create mode = 0660