enterprise-support team mailing list archive
Message #06077
[Bug 1668762] [NEW] Samba file permissions ignored with umask 022
You have been subscribed to a public bug:
Using Samba 4.3.11-Ubuntu on Xenial 16.04.2. See the question at
http://askubuntu.com/questions/882352/samba-group-write-file-permissions-not-set.
When using a share for multiple users, the permissions are being ignored
so that specifically the write bit for the group and other are being
removed, as if a umask of 022 was being set somewhere.
I'm writing this as a bug, as all documentation I have found has been
applied and tested to no avail, and, as in the Ask Ubuntu question, that
documentation suggests what I'm doing should work.
Client: Windows 10 x64 1607, OS Build 14393.693
Client: Ubuntu 16.04.2 LTS as client
For a particular share, I'm using the following parameters:
create mask = 0660
force create mode = 0660
security mask = 0660
force security mode = 0660
directory mask = 2770
force directory mode = 2770
directory security mask = 2770
force directory security mode = 2770
Note, the directory modes work, the file modes do not work.
I've also used "unix extensions = no" to no effect, along with "map
{system|hidden|archive} = no" to no effect (but we'd expect that as
force ... would override this). The result is the "create mask" with the
write bits for group and other removed (effectively 640 on the
filesystem, so it's only readable as the group).
Logging with a log level of 10 shows that the mode is being used as
asked; on Windows within the share, we just create a new Word Document
from the Explorer (note, not using MSWord as this makes this more
complicated). The same results also occur when creating a new text file:
log.bugatti.old-[2017/02/28 21:36:11.177664, 10, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/files.c:745(file_name_hash)
log.bugatti.old: file_name_hash: /mnt/home/julia/tmp/New Microsoft Word Document.docx hash 0xe19f977
log.bugatti.old-[2017/02/28 21:36:11.177670, 5, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/dosmode.c:196(unix_mode)
log.bugatti.old: unix_mode(julia/tmp/New Microsoft Word Document.docx) returning 0660
log.bugatti.old-[2017/02/28 21:36:11.177675, 10, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/open.c:2479(open_file_ntcreate)
log.bugatti.old: open_file_ntcreate: fname=julia/tmp/New Microsoft Word Document.docx, dos_attrs=0x80 access_mask=0x16019f share_access=0x0 create_disposition = 0x2 create_options=0x44 unix mode=0660 oplock_request=2 private_flags = 0x0
log.bugatti.old-[2017/02/28 21:36:11.177681, 10, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/open.c:2637(open_file_ntcreate)
log.bugatti.old: open_file_ntcreate: fname=julia/tmp/New Microsoft Word Document.docx, after mapping access_mask=0x16019f
log.bugatti.old-[2017/02/28 21:36:11.177687, 4, pid=5992, effective(11105, 10513), real(11105, 0)] ../source3/smbd/open.c:2727(open_file_ntcreate)
log.bugatti.old: calling open_file with flags=0x2 flags2=0xC0 mode=0660, access_mask = 0x16019f, open_access_mask = 0x16019f
I also see no reference in the logs to the values 022 or 640, which might
have been logged.
Tested also with pam_umask mask=002 and that had no effect (after
restarting with systemctl restart smbd).
The machine is running as a samba server for the shares, but the
passwords are all derived from a Windows 2012 R2 active directory
server. Thus, there are no local passwords. Using pdbedit -Lv shows
nothing of interest:
Testing on the server itself also shows the same behaviour:
$ smbclient //camaro/home
WARNING: The "syslog" option is deprecated
Enter jcurl's password:
Domain=[HOME] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> cd julia
smb: \julia\> cd tmp
smb: \julia\tmp\> put foo.txt
putting file foo.txt as \julia\tmp\foo.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \julia\tmp\> ls
. D 0 Tue Feb 28 22:10:35 2017
.. D 0 Mon May 9 14:48:46 2016
Install.txt N 133 Tue May 10 16:39:12 2016
Favorites D 0 Mon May 9 14:51:46 2016
foo.txt N 0 Tue Feb 28 22:10:35 2017
New Microsoft Word Document.docx N 0 Tue Feb 28 21:36:11 2017
206292664 blocks of size 1024. 130164180 blocks available
smb: \julia\tmp\>
# ls -l /home/julia/tmp
total 8
drwxrws--- 4 julia julia 4096 May 9 2016 Favorites
-rw-r----- 1 jcurl julia 0 Feb 28 22:10 foo.txt
-rw-rw---- 1 julia julia 133 May 10 2016 Install.txt
-rw-r----- 1 jcurl julia 0 Feb 28 21:36 New Microsoft Word Document.docx
# pdbedit -Lv
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 10240
doing parameter syslog = 0
WARNING: The "syslog" option is deprecated
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = member server
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter unix password sync = no
doing parameter map to guest = bad user
doing parameter usershare allow guests = no
doing parameter socket options = TCP_NODELAY
doing parameter invalid users = root
doing parameter strict locking = no
doing parameter delete readonly = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 2000-9999
doing parameter idmap config HOME:backend = rid
doing parameter idmap config HOME:schema_mode = rfc2307
doing parameter idmap config HOME:range = 10000-99999
doing parameter idmap config HOME:default = yes
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind refresh tickets = yes
doing parameter winbind normalize names = yes
doing parameter winbind offline logon = yes
doing parameter name resolve order = bcast host lmhosts wins
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter client use spnego = yes
doing parameter client ntlmv2 auth = yes
doing parameter encrypt passwords = yes
doing parameter restrict anonymous = 2
doing parameter hide unreadable = yes
doing parameter directory mask = 2770
doing parameter create mask = 0660
doing parameter map archive = no
doing parameter map system = no
doing parameter map hidden = no
doing parameter unix extensions = no
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="CAMARO"
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
The command
# testparm -s
[global]
workgroup = HOME
realm = HOME.LAN
server string = %h server
server role = member server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
restrict anonymous = 2
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10240
name resolve order = bcast host lmhosts wins
unix extensions = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config home:default = yes
idmap config home:range = 10000-99999
idmap config home:schema_mode = rfc2307
idmap config home:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
invalid users = root
create mask = 0660
directory mask = 02770
directory mode = 02770
hide unreadable = Yes
map archive = No
strict locking = No
delete readonly = Yes
[homes]
comment = Home Directory for %U
valid users = %S
read only = No
force create mode = 0660
force directory mode = 02770
browseable = No
[home]
comment = Access to home directories for backup purposes
path = /home
valid users = jcurl
force user = %U
read only = No
force create mode = 0660
force directory mode = 02770
browseable = No
Note that the security options are not shown by testparm (likely because they are the same as the default values as per the Samba docs). The same behaviour occurs for the user's home directory also. I've not shown the other shares as they're not relevant, but the problem is also reproducible there (I have a share called build that has the same effect).
Directories have their setgid bit set so the group is sticky regardless
of the group of the user.
This problem appears to be present (but not confirmed) since first
installing Ubuntu 16.04 LTS.
# dpkg -S /usr/sbin/smbd
samba: /usr/sbin/smbd
# lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04
# apt-cache policy samba
samba:
Installed: 2:4.3.11+dfsg-0ubuntu0.16.04.3
Candidate: 2:4.3.11+dfsg-0ubuntu0.16.04.3
Version table:
*** 2:4.3.11+dfsg-0ubuntu0.16.04.3 500
500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
2:4.3.8+dfsg-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
# dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | grep samba
libnss-winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
libpam-winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
libsmbclient 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
libwbclient0 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
python-samba 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
samba 2:4.3.11+dfsg-0ubuntu0.16.04.3 install ok installed
samba-common 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
samba-common-bin 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
samba-dsdb-modules 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
samba-libs 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
samba-vfs-modules 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
smbclient 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3 samba install ok installed
$ ls -l /home/julia/tmp
total 8
drwxrws--- 4 julia julia 4096 May 9 2016 Favorites
-rw-rw---- 1 julia julia 133 May 10 2016 Install.txt
-rw-r----- 1 jcurl julia 0 Feb 28 21:36 New Microsoft Word Document.docx
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
--
Samba file permissions ignored with umask 022
https://bugs.launchpad.net/bugs/1668762
You received this bug notification because you are a member of Ubuntu Server/Client Support Team, which is subscribed to samba in Ubuntu.
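An added example, not part of the original report or of Samba's code: it parses the `ls -l` listing quoted in the report to show which files lack bits of the configured `force create mode = 0660`, then creates a probe file with open(2) mode 0660 under different process umasks to show what the kernel does to that mode. The function names are hypothetical, and the probe assumes a temporary directory without a default POSIX ACL.

```python
import os
import stat
import tempfile

# Copied from the `ls -l /home/julia/tmp` output in the report above.
LISTING = """\
drwxrws--- 4 julia julia 4096 May 9 2016 Favorites
-rw-r----- 1 jcurl julia 0 Feb 28 22:10 foo.txt
-rw-rw---- 1 julia julia 133 May 10 2016 Install.txt
-rw-r----- 1 jcurl julia 0 Feb 28 21:36 New Microsoft Word Document.docx
"""

def mode_from_ls(perm):
    """Convert an `ls -l` permission string such as '-rw-r-----' to a mode."""
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        if ch in "rwxst":            # lower-case s/t mean the execute bit is also set
            mode |= 0o400 >> i
        if ch in "sStT":             # setuid, setgid, sticky by triplet
            mode |= (0o4000, 0o2000, 0o1000)[i // 3]
    return mode

def missing_bits(listing, required):
    """Return {name: bits of `required` absent on disk} for regular files."""
    out = {}
    for line in listing.splitlines():
        if not line.startswith("-"):
            continue                 # skip directories and any 'total' line
        fields = line.split(None, 8) # 9th field is the name, spaces included
        lost = required & ~mode_from_ls(fields[0])
        if lost:
            out[fields[8]] = lost
    return out

def create_with(requested, umask):
    """Create a file via open(2) under `umask`; return the resulting mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "probe")
            os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, requested))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)                # always restore the caller's umask

if __name__ == "__main__":
    for name, lost in missing_bits(LISTING, 0o660).items():
        print(f"{name}: missing {lost:04o}")
    for um in (0o022, 0o002):
        print(f"open(mode=0660) under umask {um:03o} -> {create_with(0o660, um):04o}")
```

The probe shows only what the kernel does to the mode of a plain open(2) call; it does not show where the umask in effect for smbd comes from.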