work-work.work-logo: A man with brains and a shovel

work-work.work

A blog about goals and obstacles, motivation and procrastination, life's random events and getting things done.

Samba Security Mask Is Gone

Upgrading to Samba 4, I ran into one problem.

I have multiple users who have write access to my files. No matter who created the file or folder, I want all other users to be able to modify or even delete them.

My users are in the unix group sambashare and I have two ways to ensure that all files and directories belong to the sambashare group.

  1. setting the guid bit to the parent folder
  2. by setting force group = sambashare in /etc/samba/smb.conf

The file permissions (drwxrwx--- on folders to the group and -rw-rw---- on files) are ensured by these /etc/samba/smb.conf:

inherit permissions = yes
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770

This way all newly created files have the correct permissions. It works fine if they are created on a Windows machine. My macOS is a different beast. It changes the permissions on its own right after creating the files. That's why I relied on theses additional settings:

security mask = 660
force security mode = 660
directory security mask = 770
force directory security mode = 770

Security mask (or the synonym mode) means that these permissions are always enforced. Not only upon creating files but also when the permissions are changed.

Samba 4 has removed theses settings and my macOS started write protecting files to the sambashare group.

I finally found the solution:

unix extensions = no

will prevent POSIX systems like macOS from changing these permissions. Now my permissions stay the way I want them.