Creating a directory in Samba share from OSX client always has ACL “mask:r-x”

I've had a few shares configured in Samba 4.9.3 (Arch Linux), everything was fine. Access control was done via unix accounts and groups. Then I decided to change the running system.



I set up a Time Machine backup volume in Samba, introducing the vfs_fruit module. That part seems to have started the problems. Sources said that macOS can be picky and the module chain catia fruit streams_xattr needs to be enabled on all the shares, not just the Time Machine share. So I did that.



(The Time Machine backup went through with those settings. TBH I didn't try restoring yet and I'm a little scared of it.)



However, whenever I create a folder on a normal share (via Finder.app), it now gets unix permissions drwxr-xr-x+ that differ from the directory mask = 2770 that I configured for the share. Apart from that, it has these ACLs set:



> getfacl /mnt/dungeon/tmp/untitled folder
getfacl: Removing leading '/' from absolute path names
# file: mnt/dungeon/tmp/untitled folder
# owner: nobody
# group: smb_tmp
user::rwx
user:nobody:rwx #effective:r-x
group::rwx #effective:r-x
group:smb_tmp:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:group:smb_tmp:rwx
default:mask::rwx
default:other::---


The mask::r-x part seems to prevent my user (in group smb_tmp) from even renaming the "untitled folder" I created. If I set mask to rwx manually like this, the folder becomes editable:



sudo setfacl -m mask::rwx "/mnt/dungeon/tmp/untitled folder"


Changing the folder's permissions from Finder.app is not possible, it tells me I don't have the necessary permission.



If I create a folder in the same location from a Windows 8 client, it has the proper unix access rights and no ACLs set.



I also tried modifying my user's umask on the server, but changing that from the default 022 to 027 didn't change anything.



The other Samba options I tried are in the global section of my smb.conf. None of them changed the ACLs of the folders I created.



What do I need to do to have both Time Machine backup and group-owned shares work properly?
I'm not particularly afraid of ACLs, but if I can get by without them that'd be just fine.










osx samba

asked Dec 9 at 11:42
Tanuva

1 Answer
Try setting the following global option:

fruit:nfs_aces = no

From the manpage of vfs_fruit:

fruit:nfs_aces = yes | no

A global option whether support for querying and modifying the UNIX mode of directory entries via NFS ACEs is enabled, default yes.

edited Dec 11 at 20:58
answered Dec 10 at 11:35
bluephant

• Welcome to U&L! Your answer would be more useful if it included a few details: What does this option do (a short extract from the documentation is enough)? Is that setting all that's required to fix the OP's problem?
  – JigglyNaga
  Dec 10 at 16:39

• Perfect, thank you! If only I had guessed that "NFS ACEs" could have something to do with ACL issues... :)
  – Tanuva
  Dec 12 at 18:16

• Depending on what you've been reading up on you might know or you might not. ACE: Access Control Entry, which is part of an ACL: Access Control List. For instance in the manpages of nfs4_setfacl and nfs4_getfacl the acronym ACL is explained when it's mentioned the first time, but ACE isn't. In the manpage of nfs4_acl both acronyms are explained.
  – bluephant
  Dec 13 at 21:21
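
Added example, not part of the original question or answer: a small Python parser for the getfacl output quoted in the question. It computes which entries the mask cuts down and which mode bits `ls -l` would show. The function names are illustrative, and the sample input is the listing copied from the question.

```python
# Constructed input: the getfacl output quoted in the question.
SAMPLE = """\
# file: mnt/dungeon/tmp/untitled folder
# owner: nobody
# group: smb_tmp
user::rwx
user:nobody:rwx #effective:r-x
group::rwx #effective:r-x
group:smb_tmp:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:nobody:rwx
default:group::rwx
default:group:smb_tmp:rwx
default:mask::rwx
default:other::---
"""


def parse_acl(text):
    """Split getfacl text into {'access': [...], 'default': [...]} of (tag, qualifier, perms)."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header comments and "#effective:" notes
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        head, perms = line.rsplit(":", 1)
        tag, qualifier = head.split(":", 1)
        acl[scope].append((tag, qualifier, perms))
    return acl


def effective(entries):
    """Return (entry, granted, effective) per entry, applying the mask where POSIX ACLs do."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    rows = []
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        # The mask limits named users, the owning group and named groups,
        # but never the file owner (user::) or other::.
        governed = tag == "group" or (tag == "user" and qualifier)
        eff = perms
        if governed and mask is not None:
            eff = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        rows.append((f"{tag}:{qualifier}", perms, eff))
    return rows


def reduced_entries(text, scope="access"):
    """Entries whose granted permissions are cut down by the mask."""
    return [row for row in effective(parse_acl(text)[scope]) if row[1] != row[2]]


def mode_string(entries):
    """The nine mode bits ls -l shows; with an ACL the group slot shows the mask."""
    base = {tag: perms for tag, qualifier, perms in entries if not qualifier}
    return base["user"] + base.get("mask", base["group"]) + base["other"]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("mode bits:", mode_string(acl["access"]))
    for entry, granted, eff in effective(acl["access"]):
        note = "  <- reduced by mask" if granted != eff else ""
        print(f"{entry:<14} granted={granted} effective={eff}{note}")
```

On the sample, the access ACL yields the mode bits `rwxr-xr-x`, matching the `drwxr-xr-x+` reported in the question. The default ACL, with `mask::rwx`, reduces nothing.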
















