Samba, Windows ACLs and unwanted executable bit

access-control-list samba4

I set up Samba with ACL support on an Ubuntu 18.04 LTS server and I'm facing the following situation.

Here's the smb.conf content:

[global]
   # naming
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)

   # networking
   disable netbios = yes
   local master = no
   domain master = no
   preferred master = no

   # domain accounts
   security = ADS
   realm = EXAMPLE.COM
   encrypt passwords = yes
   invalid users = root

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000

   template shell = /bin/bash

   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind rpc only = yes
   winbind cache time = 10

   vfs objects = acl_xattr
   map acl inherit = yes
   acl group control = yes
   store dos attributes = no

   # logging
   log file = /var/log/samba/log.%m
   max log size = 1000

   # permissions
   create mode = 0644
   directory mode = 0755
   inherit acls = yes
   map archive = no

   # printers
   load printers = no

   # veto files
   veto files = /._*/.DS_Store/

[All Users]
   comment = All Home Directories
   path = /home/EXAMPLE
   browseable = yes
   read only = no
   valid users = @dl_acc_ro @dl_acc_rw

From macOS Sierra, I connect to a samba share with smb://myserver.com/test. Then I open a terminal and $ cd /Volumes/test and I finally create a file with $ touch xxx.

Here's the output of $ ls -l on my Mac:

$ ls -l
-rwx------  1 gregory  staff  0 Sep 26 20:00 xxx

And now on the server itself:

$ ls -l
-rwxrwxr-x+ 1 gregory utilisa. du domaine 0 Sep 26 18:00 xxx

And ACLs:

$ getfacl /home/EXAMPLE/gregory
getfacl: Removing leading '/' from absolute path names
# file: home/EXAMPLE/gregory
# owner: gregory
# group: utilisa.\040du\040domaine
user::rwx
group::r-x
other::r-x


$ getfacl /home/EXAMPLE/gregory/xxx
getfacl: Removing leading '/' from absolute path names
# file: home/EXAMPLE/gregory/xxx
# owner: gregory
# group: utilisa.\040du\040domaine
user::rwx
user:gregory:rwx
group::r-x
group:utilisa.\040du\040domaine:r-x
mask::rwx
other::r-x

As you can see, the regular file created by touch has the executable bit set. Is there a way I can avoid this behavior? I would like regular files created through Samba to have 0644 permissions.

For the record, I tested from a Linux workstation and it exhibits the same behavior, which makes me believe it's all happening on the Samba server side.

Best Answer

From the Samba manual:

Consequently, there is no use for any of the three Unix executable bits that are present on a file in a Samba disk share. DOS files, however, have their own attributes that need to be preserved when they are stored in a Unix environment: the archive, system, and hidden bits. Samba can preserve these bits by reusing the executable permission bits of the file on the Unix side—if it is instructed to do so. Mapping these bits, however, has an unfortunate side effect: if a Windows user stores a file in a Samba share, and you view it on Unix with the ls -al command, some of the executable bits won't mean what you'd expect them to.

How to disable it? Following from the manual:

Three Samba options decide whether the bits are mapped: map archive, map system, and map hidden. These options map the archive, system, and hidden attributes to the owner, group, and world execute bits of the file, respectively. You can add these options to the [data] share, setting each of their values as follows:

 [data]
    map archive = no
    map system = no
    map hidden = no

You can also disable the executable bit by using the store dos attributes flag.
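
An added example (not part of the answer above and not Samba's own code): a small audit that reads an smb.conf and reports, per share, which execute bits the three map options can set, treating store dos attributes = yes as switching the mapping off. The sample config is constructed and the values in DEFAULTS are assumptions; confirm them for your build with `testparm -sv`.

```python
import stat

# Assumed built-in defaults; confirm for your Samba build with `testparm -sv`.
DEFAULTS = {"map archive": "yes", "map system": "no",
            "map hidden": "no", "store dos attributes": "yes"}
# Option -> Unix execute bit it reuses (the mapping quoted from the manual).
EXEC_MAP = {"map archive": stat.S_IXUSR, "map system": stat.S_IXGRP,
            "map hidden": stat.S_IXOTH}
TRUE = {"yes", "true", "on", "1"}
# Constructed sample config, not the configuration from the question.
SAMPLE = """\
[global]
   store dos attributes = no
[data]
   map archive = no
   map system = no
   map hidden = no
[legacy]
   Map Hidden = yes
[xattr]
   store dos attributes = yes
   map system = yes
"""

def parse_smb_conf(text):
    """Return {section: {option: value}}; option names are lower-cased."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def exec_bits_from_dos_attrs(text, defaults=DEFAULTS):
    """Per share, the execute bits Samba may set to record DOS attributes."""
    conf = parse_smb_conf(text)
    glob, result = conf.pop("global", {}), {}
    for share, opts in conf.items():
        eff = {**defaults, **glob, **opts}  # share > [global] > default
        mapping_on = eff["store dos attributes"].lower() not in TRUE
        result[share] = sum(bit for opt, bit in EXEC_MAP.items()
                            if mapping_on and eff[opt].lower() in TRUE)
    return result

if __name__ == "__main__":
    for share, bits in exec_bits_from_dos_attrs(SAMPLE).items():
        print(f"[{share}] execute bits used for DOS attributes: {bits:04o}")
```

A share reported as 0000 can still show execute bits that come from other settings, such as inherited ACLs; this check covers only the DOS attribute mapping.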